Vulnerabilities

The WP Travel Engine – Elementor Widgets | Create Travel Booking Website Using WordPress and Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3.7 via several widgets. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

The MarketKing — Ultimate WooCommerce Multivendor Marketplace Solution plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on several functions like 'marketking_delete_team_member', 'marketkingrejectuser', 'marketking_save_profile_settings', and many more in all versions up to, and including, 2.0.00. This makes it possible for unauthenticated attackers to delete users, update settings, approve users, and more.

In OPPOStore iOS App, there's a possible escalation of privilege due to improper input validation.

The Tourfic – Ultimate Hotel Booking, Travel Booking & Apartment Booking WordPress Plugin | WooCommerce Booking plugin for WordPress is vulnerable to SQL Injection via the 'enquiry_id' parameter of the 'tf_enquiry_reply_email_callback' function in all versions up to, and including, 2.15.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

In the linux kernel, if IMA appraisal is used with the "ima_appraise=log" boot param, lockdown can be defeated with kexec on any machine when Secure Boot is disabled or unavailable. IMA prevents setting "ima_appraise=log" from the boot param when Secure Boot is enabled, but this does not cover cases where lockdown is used without Secure Boot. CVSS 3.1 Base Score 6.7 (Confidentiality, Integrity, Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

Vulnerability in the Oracle iStore product of Oracle E-Business Suite (component: Shopping Cart). Supported versions that are affected are 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7 and 12.2.8. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle iStore. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle iStore, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle iStore accessible data as well as unauthorized update, insert or delete access to some of Oracle iStore accessible data. CVSS 3.0 Base Score 8.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N).

A SQL injection in the Amazon Redshift Python Connector v2.1.4 allows a user to gain escalated privileges via the get_schemas, get_tables, or get_columns Metadata APIs. Users are recommended to upgrade to the driver version 2.1.5 or revert to driver version 2.1.3.

A SQL injection in the Amazon Redshift ODBC Driver v2.1.5.0 (Windows or Linux) allows a user to gain escalated privileges via the SQLTables or SQLColumns Metadata APIs. Users are recommended to upgrade to the driver version 2.1.6.0 or revert to driver version 2.1.4.0.

A SQL injection in the Amazon Redshift JDBC Driver in v2.1.0.31 allows a user to gain escalated privileges via the getSchemas, getTables, or getColumns Metadata APIs. Users should upgrade to the driver version 2.1.0.32 or revert to driver version 2.1.0.30.

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> rcu/kvfree: Fix data-race in __mod_timer / kvfree_call_rcu<br /> <br /> KCSAN reports a data race when access the krcp-&gt;monitor_work.timer.expires<br /> variable in the schedule_delayed_monitor_work() function:<br /> <br /> <br /> BUG: KCSAN: data-race in __mod_timer / kvfree_call_rcu<br /> <br /> read to 0xffff888237d1cce8 of 8 bytes by task 10149 on cpu 1:<br /> schedule_delayed_monitor_work kernel/rcu/tree.c:3520 [inline]<br /> kvfree_call_rcu+0x3b8/0x510 kernel/rcu/tree.c:3839<br /> trie_update_elem+0x47c/0x620 kernel/bpf/lpm_trie.c:441<br /> bpf_map_update_value+0x324/0x350 kernel/bpf/syscall.c:203<br /> generic_map_update_batch+0x401/0x520 kernel/bpf/syscall.c:1849<br /> bpf_map_do_batch+0x28c/0x3f0 kernel/bpf/syscall.c:5143<br /> __sys_bpf+0x2e5/0x7a0<br /> __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]<br /> __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]<br /> __x64_sys_bpf+0x43/0x50 kernel/bpf/syscall.c:5739<br /> x64_sys_call+0x2625/0x2d60 arch/x86/include/generated/asm/syscalls_64.h:322<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0xc9/0x1c0 arch/x86/entry/common.c:83<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> <br /> write to 0xffff888237d1cce8 of 8 bytes by task 56 on cpu 0:<br /> __mod_timer+0x578/0x7f0 kernel/time/timer.c:1173<br /> add_timer_global+0x51/0x70 kernel/time/timer.c:1330<br /> __queue_delayed_work+0x127/0x1a0 kernel/workqueue.c:2523<br /> queue_delayed_work_on+0xdf/0x190 kernel/workqueue.c:2552<br /> queue_delayed_work include/linux/workqueue.h:677 [inline]<br /> schedule_delayed_monitor_work kernel/rcu/tree.c:3525 [inline]<br /> kfree_rcu_monitor+0x5e8/0x660 kernel/rcu/tree.c:3643<br /> process_one_work kernel/workqueue.c:3229 [inline]<br /> process_scheduled_works+0x483/0x9a0 kernel/workqueue.c:3310<br /> worker_thread+0x51d/0x6f0 kernel/workqueue.c:3391<br /> kthread+0x1d1/0x210 kernel/kthread.c:389<br /> ret_from_fork+0x4b/0x60 arch/x86/kernel/process.c:147<br /> ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244<br /> <br /> Reported by Kernel Concurrency Sanitizer on:<br /> CPU: 0 UID: 0 PID: 56 Comm: kworker/u8:4 Not tainted 6.12.0-rc2-syzkaller-00050-g5b7c893ed5ed #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024<br /> Workqueue: events_unbound kfree_rcu_monitor<br /> <br /> <br /> kfree_rcu_monitor() rearms the work if a "krcp" has to be still<br /> offloaded and this is done without holding krcp-&gt;lock, whereas<br /> the kvfree_call_rcu() holds it.<br /> <br /> Fix it by acquiring the "krcp-&gt;lock" for kfree_rcu_monitor() so<br /> both functions do not race anymore.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> crypto: qat/qat_4xxx - fix off by one in uof_get_name()<br /> <br /> The fw_objs[] array has "num_objs" elements so the &gt; needs to be &gt;= to<br /> prevent an out of bounds read.