Vulnerabilities

A vulnerability classified as problematic has been found in caipeichao ThinkOX 1.0. This affects an unknown part of the file /ThinkOX-master/index.php?s=/Weibo/Index/search.html of the component Search. The manipulation of the argument keywords leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: ethernet: ti: am65-cpsw: Fix NAPI registration sequence<br /> <br /> Registering the interrupts for TX or RX DMA Channels prior to registering<br /> their respective NAPI callbacks can result in a NULL pointer dereference.<br /> This is seen in practice as a random occurrence since it depends on the<br /> randomness associated with the generation of traffic by Linux and the<br /> reception of traffic from the wire.

A vulnerability was found in itning Student Homework Management System up to 1.2.7. It has been classified as problematic. Affected is an unknown function of the file /shw_war/fileupload of the component Edit Job Page. The manipulation of the argument Course leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.

A vulnerability was found in itning Student Homework Management System up to 1.2.7. It has been declared as problematic. Affected by this vulnerability is an unknown functionality. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Multiple endpoints might be affected.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ipv6: Fix memleak of nhc_pcpu_rth_output in fib_check_nh_v6_gw().<br /> <br /> fib_check_nh_v6_gw() expects that fib6_nh_init() cleans up everything<br /> when it fails.<br /> <br /> Commit 7dd73168e273 ("ipv6: Always allocate pcpu memory in a fib6_nh")<br /> moved fib_nh_common_init() before alloc_percpu_gfp() within fib6_nh_init()<br /> but forgot to add cleanup for fib6_nh-&gt;nh_common.nhc_pcpu_rth_output in<br /> case it fails to allocate fib6_nh-&gt;rt6i_pcpu, resulting in memleak.<br /> <br /> Let&amp;#39;s call fib_nh_common_release() and clear nhc_pcpu_rth_output in the<br /> error path.<br /> <br /> Note that we can remove the fib6_nh_release() call in nh_create_ipv6()<br /> later in net-next.git.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: Fix error code in chan_alloc_skb_cb()<br /> <br /> The chan_alloc_skb_cb() function is supposed to return error pointers on<br /> error. Returning NULL will lead to a NULL dereference.

The User Submitted Posts – Enable Users to Submit Posts from the Front End plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 20240319 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> firmware: qcom: uefisecapp: fix efivars registration race<br /> <br /> Since the conversion to using the TZ allocator, the efivars service is<br /> registered before the memory pool has been allocated, something which<br /> can lead to a NULL-pointer dereference in case of a racing EFI variable<br /> access.<br /> <br /> Make sure that all resources have been set up before registering the<br /> efivars.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mm/huge_memory: drop beyond-EOF folios with the right number of refs<br /> <br /> When an after-split folio is large and needs to be dropped due to EOF,<br /> folio_put_refs(folio, folio_nr_pages(folio)) should be used to drop all<br /> page cache refs. Otherwise, the folio will not be freed, causing memory<br /> leak.<br /> <br /> This leak would happen on a filesystem with blocksize &gt; page_size and a<br /> truncate is performed, where the blocksize makes folios split to &gt;0 order<br /> ones, causing truncated folios not being freed.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> accel/qaic: Fix integer overflow in qaic_validate_req()<br /> <br /> These are u64 variables that come from the user via<br /> qaic_attach_slice_bo_ioctl(). Use check_add_overflow() to ensure that<br /> the math doesn&amp;#39;t have an integer wrapping bug.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfs: Call `invalidate_cache` only if implemented<br /> <br /> Many filesystems such as NFS and Ceph do not implement the<br /> `invalidate_cache` method. On those filesystems, if writing to the<br /> cache (`NETFS_WRITE_TO_CACHE`) fails for some reason, the kernel<br /> crashes like this:<br /> <br /> BUG: kernel NULL pointer dereference, address: 0000000000000000<br /> #PF: supervisor instruction fetch in kernel mode<br /> #PF: error_code(0x0010) - not-present page<br /> PGD 0 P4D 0<br /> Oops: Oops: 0010 [#1] SMP PTI<br /> CPU: 9 UID: 0 PID: 3380 Comm: kworker/u193:11 Not tainted 6.13.3-cm4all1-hp #437<br /> Hardware name: HP ProLiant DL380 Gen9/ProLiant DL380 Gen9, BIOS P89 10/17/2018<br /> Workqueue: events_unbound netfs_write_collection_worker<br /> RIP: 0010:0x0<br /> Code: Unable to access opcode bytes at 0xffffffffffffffd6.<br /> RSP: 0018:ffff9b86e2ca7dc0 EFLAGS: 00010202<br /> RAX: 0000000000000000 RBX: 0000000000000000 RCX: 7fffffffffffffff<br /> RDX: 0000000000000001 RSI: ffff89259d576a18 RDI: ffff89259d576900<br /> RBP: ffff89259d5769b0 R08: ffff9b86e2ca7d28 R09: 0000000000000002<br /> R10: ffff89258ceaca80 R11: 0000000000000001 R12: 0000000000000020<br /> R13: ffff893d158b9338 R14: ffff89259d576900 R15: ffff89259d5769b0<br /> FS: 0000000000000000(0000) GS:ffff893c9fa40000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: ffffffffffffffd6 CR3: 000000054442e003 CR4: 00000000001706f0<br /> Call Trace:<br /> <br /> ? __die+0x1f/0x60<br /> ? page_fault_oops+0x15c/0x460<br /> ? try_to_wake_up+0x2d2/0x530<br /> ? exc_page_fault+0x5e/0x100<br /> ? asm_exc_page_fault+0x22/0x30<br /> netfs_write_collection_worker+0xe9f/0x12b0<br /> ? xs_poll_check_readable+0x3f/0x80<br /> ? xs_stream_data_receive_workfn+0x8d/0x110<br /> process_one_work+0x134/0x2d0<br /> worker_thread+0x299/0x3a0<br /> ? __pfx_worker_thread+0x10/0x10<br /> kthread+0xba/0xe0<br /> ? __pfx_kthread+0x10/0x10<br /> ret_from_fork+0x30/0x50<br /> ? __pfx_kthread+0x10/0x10<br /> ret_from_fork_asm+0x1a/0x30<br /> <br /> Modules linked in:<br /> CR2: 0000000000000000<br /> <br /> This patch adds the missing `NULL` check.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> can: ucan: fix out of bound read in strscpy() source<br /> <br /> Commit 7fdaf8966aae ("can: ucan: use strscpy() to instead of strncpy()")<br /> unintentionally introduced a one byte out of bound read on strscpy()&amp;#39;s<br /> source argument (which is kind of ironic knowing that strscpy() is meant<br /> to be a more secure alternative :)).<br /> <br /> Let&amp;#39;s consider below buffers:<br /> <br /> dest[len + 1]; /* will be NUL terminated */<br /> src[len]; /* may not be NUL terminated */<br /> <br /> When doing:<br /> <br /> strncpy(dest, src, len);<br /> dest[len] = &amp;#39;\0&amp;#39;;<br /> <br /> strncpy() will read up to len bytes from src.<br /> <br /> On the other hand:<br /> <br /> strscpy(dest, src, len + 1);<br /> <br /> will read up to len + 1 bytes from src, that is to say, an out of bound<br /> read of one byte will occur on src if it is not NUL terminated. Note<br /> that the src[len] byte is never copied, but strscpy() still needs to<br /> read it to check whether a truncation occurred or not.<br /> <br /> This exact pattern happened in ucan.<br /> <br /> The root cause is that the source is not NUL terminated. Instead of<br /> doing a copy in a local buffer, directly NUL terminate it as soon as<br /> usb_control_msg() returns. With this, the local firmware_str[] variable<br /> can be removed.<br /> <br /> On top of this do a couple refactors:<br /> <br /> - ucan_ctl_payload-&gt;raw is only used for the firmware string, so<br /> rename it to ucan_ctl_payload-&gt;fw_str and change its type from u8 to<br /> char.<br /> <br /> - ucan_device_request_in() is only used to retrieve the firmware<br /> string, so rename it to ucan_get_fw_str() and refactor it to make it<br /> directly handle all the string termination logic.