Vulnerabilities

Media Encoder versions 24.5, 23.6.8 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

The NinjaTeam Header Footer Custom Code WordPress plugin before 1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

The NinjaTeam Header Footer Custom Code WordPress plugin before 1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

The AI Engine WordPress plugin before 2.4.8 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by admin users when viewing chatbot discussions.

The Carousel Slider WordPress plugin before 2.2.4 does not sanitise and escape some of its settings, which could allow high privilege users such as editors to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed

The Appointment Booking Calendar WordPress plugin before 1.6.7.43 does not escape template syntax provided via user input, leading to Twig Template Injection which further exploited can result to remote code Execution by high privilege such as admins

The Floating Notification Bar, Sticky Menu on Scroll, Announcement Banner, and Sticky Header for Any WordPress plugin before 2.7.3 does not validate and escape some of its settings before outputting them back in the page, which could allow users with a high role to perform Stored Cross-Site Scripting attacks.

The Favicon Generator (CLOSED) WordPress plugin before 2.1 does not validate files to be uploaded and does not have CSRF checks, which could allow attackers to make logged in admin upload arbitrary files such as PHP on the server

The Favicon Generator (CLOSED) WordPress plugin before 2.1 does not have CSRF and path validation in the output_sub_admin_page_0() function, allowing attackers to make logged in admins delete arbitrary files on the server

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> firmware: qcom: scm: Mark get_wq_ctx() as atomic call<br /> <br /> Currently get_wq_ctx() is wrongly configured as a standard call. When two<br /> SMC calls are in sleep and one SMC wakes up, it calls get_wq_ctx() to<br /> resume the corresponding sleeping thread. But if get_wq_ctx() is<br /> interrupted, goes to sleep and another SMC call is waiting to be allocated<br /> a waitq context, it leads to a deadlock.<br /> <br /> To avoid this get_wq_ctx() must be an atomic call and can&amp;#39;t be a standard<br /> SMC call. Hence mark get_wq_ctx() as a fast call.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> soc: qcom: pmic_glink: Fix race during initialization<br /> <br /> As pointed out by Stephen Boyd it is possible that during initialization<br /> of the pmic_glink child drivers, the protection-domain notifiers fires,<br /> and the associated work is scheduled, before the client registration<br /> returns and as a result the local "client" pointer has been initialized.<br /> <br /> The outcome of this is a NULL pointer dereference as the "client"<br /> pointer is blindly dereferenced.<br /> <br /> Timeline provided by Stephen:<br /> CPU0 CPU1<br /> ---- ----<br /> ucsi-&gt;client = NULL;<br /> devm_pmic_glink_register_client()<br /> client-&gt;pdr_notify(client-&gt;priv, pg-&gt;client_state)<br /> pmic_glink_ucsi_pdr_notify()<br /> schedule_work(&amp;ucsi-&gt;register_work)<br /> <br /> pmic_glink_ucsi_register()<br /> ucsi_register()<br /> pmic_glink_ucsi_read_version()<br /> pmic_glink_ucsi_read()<br /> pmic_glink_ucsi_read()<br /> pmic_glink_send(ucsi-&gt;client)<br /> <br /> ucsi-&gt;client = client // Too late!<br /> <br /> This code is identical across the altmode, battery manager and usci<br /> child drivers.<br /> <br /> Resolve this by splitting the allocation of the "client" object and the<br /> registration thereof into two operations.<br /> <br /> This only happens if the protection domain registry is populated at the<br /> time of registration, which by the introduction of commit &amp;#39;1ebcde047c54<br /> ("soc: qcom: add pd-mapper implementation")&amp;#39; became much more likely.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nfsd: fix potential UAF in nfsd4_cb_getattr_release<br /> <br /> Once we drop the delegation reference, the fields embedded in it are no<br /> longer safe to access. Do that last.