Vulnerabilidades

*** Pendiente de traducción *** Authorization Bypass Through User-Controlled Key vulnerability in WP Swings Membership For WooCommerce membership-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Membership For WooCommerce: from n/a through

*** Pendiente de traducción *** Deserialization of Untrusted Data vulnerability in Icegram Icegram Express Pro email-subscribers-premium allows Object Injection.This issue affects Icegram Express Pro: from n/a through

*** Pendiente de traducción *** Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Leap13 Premium Addons for Elementor premium-addons-for-elementor allows Retrieve Embedded Sensitive Data.This issue affects Premium Addons for Elementor: from n/a through

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> firmware: arm_sdei: Fix sleep from invalid context BUG<br /> <br /> Running a preempt-rt (v6.2-rc3-rt1) based kernel on an Ampere Altra<br /> triggers:<br /> <br /> BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:46<br /> in_atomic(): 0, irqs_disabled(): 128, non_block: 0, pid: 24, name: cpuhp/0<br /> preempt_count: 0, expected: 0<br /> RCU nest depth: 0, expected: 0<br /> 3 locks held by cpuhp/0/24:<br /> #0: ffffda30217c70d0 (cpu_hotplug_lock){++++}-{0:0}, at: cpuhp_thread_fun+0x5c/0x248<br /> #1: ffffda30217c7120 (cpuhp_state-up){+.+.}-{0:0}, at: cpuhp_thread_fun+0x5c/0x248<br /> #2: ffffda3021c711f0 (sdei_list_lock){....}-{3:3}, at: sdei_cpuhp_up+0x3c/0x130<br /> irq event stamp: 36<br /> hardirqs last enabled at (35): [] finish_task_switch+0xb4/0x2b0<br /> hardirqs last disabled at (36): [] cpuhp_thread_fun+0x21c/0x248<br /> softirqs last enabled at (0): [] copy_process+0x63c/0x1ac0<br /> softirqs last disabled at (0): [] 0x0<br /> CPU: 0 PID: 24 Comm: cpuhp/0 Not tainted 5.19.0-rc3-rt5-[...]<br /> Hardware name: WIWYNN Mt.Jade Server [...]<br /> Call trace:<br /> dump_backtrace+0x114/0x120<br /> show_stack+0x20/0x70<br /> dump_stack_lvl+0x9c/0xd8<br /> dump_stack+0x18/0x34<br /> __might_resched+0x188/0x228<br /> rt_spin_lock+0x70/0x120<br /> sdei_cpuhp_up+0x3c/0x130<br /> cpuhp_invoke_callback+0x250/0xf08<br /> cpuhp_thread_fun+0x120/0x248<br /> smpboot_thread_fn+0x280/0x320<br /> kthread+0x130/0x140<br /> ret_from_fork+0x10/0x20<br /> <br /> sdei_cpuhp_up() is called in the STARTING hotplug section,<br /> which runs with interrupts disabled. Use a CPUHP_AP_ONLINE_DYN entry<br /> instead to execute the cpuhp cb later, with preemption enabled.<br /> <br /> SDEI originally got its own cpuhp slot to allow interacting<br /> with perf. It got superseded by pNMI and this early slot is not<br /> relevant anymore. [1]<br /> <br /> Some SDEI calls (e.g. SDEI_1_0_FN_SDEI_PE_MASK) take actions on the<br /> calling CPU. It is checked that preemption is disabled for them.<br /> _ONLINE cpuhp cb are executed in the &amp;#39;per CPU hotplug thread&amp;#39;.<br /> Preemption is enabled in those threads, but their cpumask is limited<br /> to 1 CPU.<br /> Move &amp;#39;WARN_ON_ONCE(preemptible())&amp;#39; statements so that SDEI cpuhp cb<br /> don&amp;#39;t trigger them.<br /> <br /> Also add a check for the SDEI_1_0_FN_SDEI_PRIVATE_RESET SDEI call<br /> which acts on the calling CPU.<br /> <br /> [1]:<br /> https://lore.kernel.org/all/5813b8c5-ae3e-87fd-fccc-94c9cd08816d@arm.com/

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> af_unix: Fix null-ptr-deref in unix_stream_sendpage().<br /> <br /> Bing-Jhong Billy Jheng reported null-ptr-deref in unix_stream_sendpage()<br /> with detailed analysis and a nice repro.<br /> <br /> unix_stream_sendpage() tries to add data to the last skb in the peer&amp;#39;s<br /> recv queue without locking the queue.<br /> <br /> If the peer&amp;#39;s FD is passed to another socket and the socket&amp;#39;s FD is<br /> passed to the peer, there is a loop between them. If we close both<br /> sockets without receiving FD, the sockets will be cleaned up by garbage<br /> collection.<br /> <br /> The garbage collection iterates such sockets and unlinks skb with<br /> FD from the socket&amp;#39;s receive queue under the queue&amp;#39;s lock.<br /> <br /> So, there is a race where unix_stream_sendpage() could access an skb<br /> locklessly that is being released by garbage collection, resulting in<br /> use-after-free.<br /> <br /> To avoid the issue, unix_stream_sendpage() must lock the peer&amp;#39;s recv<br /> queue.<br /> <br /> Note the issue does not exist in 6.5+ thanks to the recent sendpage()<br /> refactoring.<br /> <br /> This patch is originally written by Linus Torvalds.<br /> <br /> BUG: unable to handle page fault for address: ffff988004dd6870<br /> PF: supervisor read access in kernel mode<br /> PF: error_code(0x0000) - not-present page<br /> PGD 0 P4D 0<br /> PREEMPT SMP PTI<br /> CPU: 4 PID: 297 Comm: garbage_uaf Not tainted 6.1.46 #1<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014<br /> RIP: 0010:kmem_cache_alloc_node+0xa2/0x1e0<br /> Code: c0 0f 84 32 01 00 00 41 83 fd ff 74 10 48 8b 00 48 c1 e8 3a 41 39 c5 0f 85 1c 01 00 00 41 8b 44 24 28 49 8b 3c 24 48 8d 4a 40 8b 1c 06 4c 89 f0 65 48 0f c7 0f 0f 94 c0 84 c0 74 a1 41 8b 44<br /> RSP: 0018:ffffc9000079fac0 EFLAGS: 00000246<br /> RAX: 0000000000000070 RBX: 0000000000000005 RCX: 000000000001a284<br /> RDX: 000000000001a244 RSI: 0000000000400cc0 RDI: 000000000002eee0<br /> RBP: 0000000000400cc0 R08: 0000000000400cc0 R09: 0000000000000003<br /> R10: 0000000000000001 R11: 0000000000000000 R12: ffff888003970f00<br /> R13: 00000000ffffffff R14: ffff988004dd6800 R15: 00000000000000e8<br /> FS: 00007f174d6f3600(0000) GS:ffff88807db00000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: ffff988004dd6870 CR3: 00000000092be000 CR4: 00000000007506e0<br /> PKRU: 55555554<br /> Call Trace:<br /> <br /> ? __die_body.cold+0x1a/0x1f<br /> ? page_fault_oops+0xa9/0x1e0<br /> ? fixup_exception+0x1d/0x310<br /> ? exc_page_fault+0xa8/0x150<br /> ? asm_exc_page_fault+0x22/0x30<br /> ? kmem_cache_alloc_node+0xa2/0x1e0<br /> ? __alloc_skb+0x16c/0x1e0<br /> __alloc_skb+0x16c/0x1e0<br /> alloc_skb_with_frags+0x48/0x1e0<br /> sock_alloc_send_pskb+0x234/0x270<br /> unix_stream_sendmsg+0x1f5/0x690<br /> sock_sendmsg+0x5d/0x60<br /> ____sys_sendmsg+0x210/0x260<br /> ___sys_sendmsg+0x83/0xd0<br /> ? kmem_cache_alloc+0xc6/0x1c0<br /> ? avc_disable+0x20/0x20<br /> ? percpu_counter_add_batch+0x53/0xc0<br /> ? alloc_empty_file+0x5d/0xb0<br /> ? alloc_file+0x91/0x170<br /> ? alloc_file_pseudo+0x94/0x100<br /> ? __fget_light+0x9f/0x120<br /> __sys_sendmsg+0x54/0xa0<br /> do_syscall_64+0x3b/0x90<br /> entry_SYSCALL_64_after_hwframe+0x69/0xd3<br /> RIP: 0033:0x7f174d639a7d<br /> Code: 28 89 54 24 1c 48 89 74 24 10 89 7c 24 08 e8 8a c1 f4 ff 8b 54 24 1c 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 2e 00 00 00 0f 05 3d 00 f0 ff ff 77 33 44 89 c7 48 89 44 24 08 e8 de c1 f4 ff 48<br /> RSP: 002b:00007ffcb563ea50 EFLAGS: 00000293 ORIG_RAX: 000000000000002e<br /> RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f174d639a7d<br /> RDX: 0000000000000000 RSI: 00007ffcb563eab0 RDI: 0000000000000007<br /> RBP: 00007ffcb563eb10 R08: 0000000000000000 R09: 00000000ffffffff<br /> R10: 00000000004040a0 R11: 0000000000000293 R12: 00007ffcb563ec28<br /> R13: 0000000000401398 R14: 0000000000403e00 R15: 00007f174d72c000<br />

*** Pendiente de traducción *** Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in 10up Eight Day Week Print Workflow eight-day-week-print-workflow allows Retrieve Embedded Sensitive Data.This issue affects Eight Day Week Print Workflow: from n/a through

*** Pendiente de traducción *** Cross-Site Request Forgery (CSRF) vulnerability in titopandub Evergreen Post Tweeter evergreen-post-tweeter allows Stored XSS.This issue affects Evergreen Post Tweeter: from n/a through

*** Pendiente de traducción *** Server-Side Request Forgery (SSRF) vulnerability in 6Storage 6Storage Rentals 6storage-rentals allows Server Side Request Forgery.This issue affects 6Storage Rentals: from n/a through

*** Pendiente de traducción *** Cross-Site Request Forgery (CSRF) vulnerability in tmtraderunner Trade Runner traderunner allows Cross Site Request Forgery.This issue affects Trade Runner: from n/a through

*** Pendiente de traducción *** Improper Neutralization of Input During Web Page Generation (&amp;#39;Cross-site Scripting&amp;#39;) vulnerability in TouchOfTech Draft Notify draft-notify allows Stored XSS.This issue affects Draft Notify: from n/a through

*** Pendiente de traducción *** Improper Neutralization of Input During Web Page Generation (&amp;#39;Cross-site Scripting&amp;#39;) vulnerability in AMP-MODE Review Disclaimer review-disclaimer allows Stored XSS.This issue affects Review Disclaimer: from n/a through

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amd: Fix an out of bounds error in BIOS parser<br /> <br /> The array is hardcoded to 8 in atomfirmware.h, but firmware provides<br /> a bigger one sometimes. Deferencing the larger array causes an out<br /> of bounds error.<br /> <br /> commit 4fc1ba4aa589 ("drm/amd/display: fix array index out of bound error<br /> in bios parser") fixed some of this, but there are two other cases<br /> not covered by it. Fix those as well.