Vulnerabilities

In power, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08944204; Issue ID: MSV-1560.

WordPress plugin "Carousel Slider" provided by Sayful Islam contains a cross-site request forgery vulnerability on Carousel image selection feature. While logged in to the WordPress site with Carousel Slider plugin enabled, accessing a crafted page may cause a user to alter the contents of the WordPress site.

WordPress plugin "Carousel Slider" provided by Sayful Islam contains a cross-site request forgery vulnerability on Hero image selection feature. While logged in to the WordPress site with Carousel Slider plugin enabled, accessing a crafted page may cause a user to alter the contents of the WordPress site.

Linen before cd37c3e does not verify that the domain is linen.dev or www.linen.dev when resetting a password. This occurs in create in apps/web/pages/api/forgot-password/index.ts.

In MISP through 2.4.196, app/Controller/BookmarksController.php does not properly restrict access to bookmarks data in the case where the user is not an org admin.

A vulnerability classified as problematic was found in Grocy up to 4.2.0. This vulnerability affects unknown code of the file /api/files/recipepictures/ of the component SVG File Upload Handler. The manipulation of the argument force_serve_as with the input picture' leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. Unfortunately, the project maintainer does not want to be quoted in any way regarding the dispute rationale. The security policy of the project implies that this finding is "practically irrelevant" due to authentication requirements.

HTMLDOC before 1.9.19 has an out-of-bounds write in parse_paragraph in ps-pdf.cxx because of an attempt to strip leading whitespace from a whitespace-only node.

The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to unauthorized Malichimp API key update due to an insufficient capability check on the verifyRequest function in all versions up to, and including, 5.1.18. This makes it possible for Form Managers with a Subscriber-level access and above to modify the Mailchimp API key used for integration. At the same time, missing Mailchimp API key validation allows the redirect of the integration requests to the attacker-controlled server.

A vulnerability was found in code-projects Hospital Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file index.php of the component Login. The manipulation of the argument username leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

A vulnerability was found in HM Courts & Tribunals Service Probate Back Office up to c1afe0cdb2b2766d9e24872c4e827f8b82a6cd31. It has been classified as problematic. Affected is an unknown function of the file src/main/java/uk/gov/hmcts/probate/service/NotificationService.java of the component Markdown Handler. The manipulation leads to injection. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The patch is identified as d90230d7cf575e5b0852d56660104c8bd2503c34. It is recommended to apply a patch to fix this issue.

A vulnerability was found in code-projects Pharmacy Management System 1.0. It has been classified as problematic. This affects an unknown part of the file /index.php?id=userProfileEdit of the component Update My Profile Page. The manipulation of the argument fname/lname/email with the input alert(1) leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> kcm: Serialise kcm_sendmsg() for the same socket.<br /> <br /> syzkaller reported UAF in kcm_release(). [0]<br /> <br /> The scenario is<br /> <br /> 1. Thread A builds a skb with MSG_MORE and sets kcm-&gt;seq_skb.<br /> <br /> 2. Thread A resumes building skb from kcm-&gt;seq_skb but is blocked<br /> by sk_stream_wait_memory()<br /> <br /> 3. Thread B calls sendmsg() concurrently, finishes building kcm-&gt;seq_skb<br /> and puts the skb to the write queue<br /> <br /> 4. Thread A faces an error and finally frees skb that is already in the<br /> write queue<br /> <br /> 5. kcm_release() does double-free the skb in the write queue<br /> <br /> When a thread is building a MSG_MORE skb, another thread must not touch it.<br /> <br /> Let&amp;#39;s add a per-sk mutex and serialise kcm_sendmsg().<br /> <br /> [0]:<br /> BUG: KASAN: slab-use-after-free in __skb_unlink include/linux/skbuff.h:2366 [inline]<br /> BUG: KASAN: slab-use-after-free in __skb_dequeue include/linux/skbuff.h:2385 [inline]<br /> BUG: KASAN: slab-use-after-free in __skb_queue_purge_reason include/linux/skbuff.h:3175 [inline]<br /> BUG: KASAN: slab-use-after-free in __skb_queue_purge include/linux/skbuff.h:3181 [inline]<br /> BUG: KASAN: slab-use-after-free in kcm_release+0x170/0x4c8 net/kcm/kcmsock.c:1691<br /> Read of size 8 at addr ffff0000ced0fc80 by task syz-executor329/6167<br /> <br /> CPU: 1 PID: 6167 Comm: syz-executor329 Tainted: G B 6.8.0-rc5-syzkaller-g9abbc24128bc #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024<br /> Call trace:<br /> dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:291<br /> show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:298<br /> __dump_stack lib/dump_stack.c:88 [inline]<br /> dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106<br /> print_address_description mm/kasan/report.c:377 [inline]<br /> print_report+0x178/0x518 mm/kasan/report.c:488<br /> kasan_report+0xd8/0x138 mm/kasan/report.c:601<br /> __asan_report_load8_noabort+0x20/0x2c mm/kasan/report_generic.c:381<br /> __skb_unlink include/linux/skbuff.h:2366 [inline]<br /> __skb_dequeue include/linux/skbuff.h:2385 [inline]<br /> __skb_queue_purge_reason include/linux/skbuff.h:3175 [inline]<br /> __skb_queue_purge include/linux/skbuff.h:3181 [inline]<br /> kcm_release+0x170/0x4c8 net/kcm/kcmsock.c:1691<br /> __sock_release net/socket.c:659 [inline]<br /> sock_close+0xa4/0x1e8 net/socket.c:1421<br /> __fput+0x30c/0x738 fs/file_table.c:376<br /> ____fput+0x20/0x30 fs/file_table.c:404<br /> task_work_run+0x230/0x2e0 kernel/task_work.c:180<br /> exit_task_work include/linux/task_work.h:38 [inline]<br /> do_exit+0x618/0x1f64 kernel/exit.c:871<br /> do_group_exit+0x194/0x22c kernel/exit.c:1020<br /> get_signal+0x1500/0x15ec kernel/signal.c:2893<br /> do_signal+0x23c/0x3b44 arch/arm64/kernel/signal.c:1249<br /> do_notify_resume+0x74/0x1f4 arch/arm64/kernel/entry-common.c:148<br /> exit_to_user_mode_prepare arch/arm64/kernel/entry-common.c:169 [inline]<br /> exit_to_user_mode arch/arm64/kernel/entry-common.c:178 [inline]<br /> el0_svc+0xac/0x168 arch/arm64/kernel/entry-common.c:713<br /> el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730<br /> el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598<br /> <br /> Allocated by task 6166:<br /> kasan_save_stack mm/kasan/common.c:47 [inline]<br /> kasan_save_track+0x40/0x78 mm/kasan/common.c:68<br /> kasan_save_alloc_info+0x70/0x84 mm/kasan/generic.c:626<br /> unpoison_slab_object mm/kasan/common.c:314 [inline]<br /> __kasan_slab_alloc+0x74/0x8c mm/kasan/common.c:340<br /> kasan_slab_alloc include/linux/kasan.h:201 [inline]<br /> slab_post_alloc_hook mm/slub.c:3813 [inline]<br /> slab_alloc_node mm/slub.c:3860 [inline]<br /> kmem_cache_alloc_node+0x204/0x4c0 mm/slub.c:3903<br /> __alloc_skb+0x19c/0x3d8 net/core/skbuff.c:641<br /> alloc_skb include/linux/skbuff.h:1296 [inline]<br /> kcm_sendmsg+0x1d3c/0x2124 net/kcm/kcmsock.c:783<br /> sock_sendmsg_nosec net/socket.c:730 [inline]<br /> __sock_sendmsg net/socket.c:745 [inline]<br /> sock_sendmsg+0x220/0x2c0 net/socket.c:768<br /> splice_to_socket+0x7cc/0xd58 fs/splice.c:889<br /> do_splice_from fs/splice.c:941 [inline]<br /> direct_splice_actor+0xec/0x1d8 fs/splice.c:1164<br /> splice_direct_to_actor+0x438/0xa0c fs/splice.c:1108<br /> do_splice_direct_actor <br /> ---truncated---