Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ALSA: sh: aica: reorder cleanup operations to avoid UAF bugs<br /> <br /> The dreamcastcard-&gt;timer could schedule the spu_dma_work and the<br /> spu_dma_work could also arm the dreamcastcard-&gt;timer.<br /> <br /> When the snd_pcm_substream is closing, the aica_channel will be<br /> deallocated. But it could still be dereferenced in the worker<br /> thread. The reason is that del_timer() will return directly<br /> regardless of whether the timer handler is running or not and<br /> the worker could be rescheduled in the timer handler. As a result,<br /> the UAF bug will happen. The racy situation is shown below:<br /> <br /> (Thread 1) | (Thread 2)<br /> snd_aicapcm_pcm_close() |<br /> ... | run_spu_dma() //worker<br /> | mod_timer()<br /> flush_work() |<br /> del_timer() | aica_period_elapsed() //timer<br /> kfree(dreamcastcard-&gt;channel) | schedule_work()<br /> | run_spu_dma() //worker<br /> ... | dreamcastcard-&gt;channel-&gt; //USE<br /> <br /> In order to mitigate this bug and other possible corner cases,<br /> call mod_timer() conditionally in run_spu_dma(), then implement<br /> PCM sync_stop op to cancel both the timer and worker. The sync_stop<br /> op will be called from PCM core appropriately when needed.

WebMail in Axigen 10.x before 10.3.3.62 allows XSS via the image attachment viewer.

A vulnerability, which was classified as critical, was found in NUUO NVRmini 2 up to 3.0.8. Affected is an unknown function of the file /deletefile.php. The manipulation of the argument filename leads to path traversal. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-258780.

Themify WordPress plugin before 1.4.4 does not sanitise and escape some of its Filters settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

The Hubbub Lite WordPress plugin before 1.33.1 does not ensure that user have access to password protected post before displaying its content in a meta tag.

Themify WordPress plugin before 1.4.4 does not have CSRF check in its bulk action, which could allow attackers to make logged in users delete arbitrary filters via CSRF attack, granted they know the related filter slugs

Themify WordPress plugin before 1.4.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

In da, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08541781; Issue ID: ALPS08541781.

In da, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08541784; Issue ID: ALPS08541784.

In audio, there is a possible out of bounds read due to an incorrect calculation of buffer size. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08024748; Issue ID: ALPS08029526.

In battery, there is a possible escalation of privilege due to an integer overflow. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08485622; Issue ID: ALPS08485622.

In battery, there is a possible out of bounds read due to an integer overflow. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08587865; Issue ID: ALPS08486807.