Vulnerabilidades

*** Pendiente de traducción *** The Flex QR Code Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in thesave_qr_code_to_db() function in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

*** Pendiente de traducción *** The onOffice for WP-Websites plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter in all versions up to, and including, 6.5.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Editor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

*** Pendiente de traducción *** The Demo Import Kit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 1.1.0 via the import functionality. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

*** Pendiente de traducción *** This issue affects Apache Spark versions before 3.4.4, 3.5.2 and 4.0.0.<br /> <br /> <br /> <br /> Apache Spark versions before 4.0.0, 3.5.2 and 3.4.4 use an insecure default network encryption cipher for RPC communication between nodes.<br /> <br /> When spark.network.crypto.enabled is set to true (it is set to false by default), but spark.network.crypto.cipher is not explicitly configured, Spark defaults to AES in CTR mode (AES/CTR/NoPadding), which provides encryption without authentication.<br /> <br /> This vulnerability allows a man-in-the-middle attacker to modify encrypted RPC traffic undetected by flipping bits in ciphertext, potentially compromising heartbeat messages or application data and affecting the integrity of Spark workflows.<br /> <br /> <br /> To mitigate this issue, users should either configure spark.network.crypto.cipher to AES/GCM/NoPadding to enable authenticated encryption or<br /> <br /> enable SSL encryption by setting spark.ssl.enabled to true, which provides stronger transport security.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: target: target_core_configfs: Add length check to avoid buffer overflow<br /> <br /> A buffer overflow arises from the usage of snprintf to write into the<br /> buffer "buf" in target_lu_gp_members_show function located in<br /> /drivers/target/target_core_configfs.c. This buffer is allocated with<br /> size LU_GROUP_NAME_BUF (256 bytes).<br /> <br /> snprintf(...) formats multiple strings into buf with the HBA name<br /> (hba-&gt;hba_group.cg_item), a slash character, a devicename (dev-&gt;<br /> dev_group.cg_item) and a newline character, the total formatted string<br /> length may exceed the buffer size of 256 bytes.<br /> <br /> Since snprintf() returns the total number of bytes that would have been<br /> written (the length of %s/%sn ), this value may exceed the buffer length<br /> (256 bytes) passed to memcpy(), this will ultimately cause function<br /> memcpy reporting a buffer overflow error.<br /> <br /> An additional check of the return value of snprintf() can avoid this<br /> buffer overflow.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> blk-mq: fix blk_mq_tags double free while nr_requests grown<br /> <br /> In the case user trigger tags grow by queue sysfs attribute nr_requests,<br /> hctx-&gt;sched_tags will be freed directly and replaced with a new<br /> allocated tags, see blk_mq_tag_update_depth().<br /> <br /> The problem is that hctx-&gt;sched_tags is from elevator-&gt;et-&gt;tags, while<br /> et-&gt;tags is still the freed tags, hence later elevator exit will try to<br /> free the tags again, causing kernel panic.<br /> <br /> Fix this problem by replacing et-&gt;tags with new allocated tags as well.<br /> <br /> Noted there are still some long term problems that will require some<br /> refactor to be fixed thoroughly[1].<br /> <br /> [1] https://lore.kernel.org/all/20250815080216.410665-1-yukuai1@huaweicloud.com/

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: rtw89: fix use-after-free in rtw89_core_tx_kick_off_and_wait()<br /> <br /> There is a bug observed when rtw89_core_tx_kick_off_and_wait() tries to<br /> access already freed skb_data:<br /> <br /> BUG: KFENCE: use-after-free write in rtw89_core_tx_kick_off_and_wait drivers/net/wireless/realtek/rtw89/core.c:1110<br /> <br /> CPU: 6 UID: 0 PID: 41377 Comm: kworker/u64:24 Not tainted 6.17.0-rc1+ #1 PREEMPT(lazy)<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS edk2-20250523-14.fc42 05/23/2025<br /> Workqueue: events_unbound cfg80211_wiphy_work [cfg80211]<br /> <br /> Use-after-free write at 0x0000000020309d9d (in kfence-#251):<br /> rtw89_core_tx_kick_off_and_wait drivers/net/wireless/realtek/rtw89/core.c:1110<br /> rtw89_core_scan_complete drivers/net/wireless/realtek/rtw89/core.c:5338<br /> rtw89_hw_scan_complete_cb drivers/net/wireless/realtek/rtw89/fw.c:7979<br /> rtw89_chanctx_proceed_cb drivers/net/wireless/realtek/rtw89/chan.c:3165<br /> rtw89_chanctx_proceed drivers/net/wireless/realtek/rtw89/chan.h:141<br /> rtw89_hw_scan_complete drivers/net/wireless/realtek/rtw89/fw.c:8012<br /> rtw89_mac_c2h_scanofld_rsp drivers/net/wireless/realtek/rtw89/mac.c:5059<br /> rtw89_fw_c2h_work drivers/net/wireless/realtek/rtw89/fw.c:6758<br /> process_one_work kernel/workqueue.c:3241<br /> worker_thread kernel/workqueue.c:3400<br /> kthread kernel/kthread.c:463<br /> ret_from_fork arch/x86/kernel/process.c:154<br /> ret_from_fork_asm arch/x86/entry/entry_64.S:258<br /> <br /> kfence-#251: 0x0000000056e2393d-0x000000009943cb62, size=232, cache=skbuff_head_cache<br /> <br /> allocated by task 41377 on cpu 6 at 77869.159548s (0.009551s ago):<br /> __alloc_skb net/core/skbuff.c:659<br /> __netdev_alloc_skb net/core/skbuff.c:734<br /> ieee80211_nullfunc_get net/mac80211/tx.c:5844<br /> rtw89_core_send_nullfunc drivers/net/wireless/realtek/rtw89/core.c:3431<br /> rtw89_core_scan_complete drivers/net/wireless/realtek/rtw89/core.c:5338<br /> rtw89_hw_scan_complete_cb drivers/net/wireless/realtek/rtw89/fw.c:7979<br /> rtw89_chanctx_proceed_cb drivers/net/wireless/realtek/rtw89/chan.c:3165<br /> rtw89_chanctx_proceed drivers/net/wireless/realtek/rtw89/chan.c:3194<br /> rtw89_hw_scan_complete drivers/net/wireless/realtek/rtw89/fw.c:8012<br /> rtw89_mac_c2h_scanofld_rsp drivers/net/wireless/realtek/rtw89/mac.c:5059<br /> rtw89_fw_c2h_work drivers/net/wireless/realtek/rtw89/fw.c:6758<br /> process_one_work kernel/workqueue.c:3241<br /> worker_thread kernel/workqueue.c:3400<br /> kthread kernel/kthread.c:463<br /> ret_from_fork arch/x86/kernel/process.c:154<br /> ret_from_fork_asm arch/x86/entry/entry_64.S:258<br /> <br /> freed by task 1045 on cpu 9 at 77869.168393s (0.001557s ago):<br /> ieee80211_tx_status_skb net/mac80211/status.c:1117<br /> rtw89_pci_release_txwd_skb drivers/net/wireless/realtek/rtw89/pci.c:564<br /> rtw89_pci_release_tx_skbs.isra.0 drivers/net/wireless/realtek/rtw89/pci.c:651<br /> rtw89_pci_release_tx drivers/net/wireless/realtek/rtw89/pci.c:676<br /> rtw89_pci_napi_poll drivers/net/wireless/realtek/rtw89/pci.c:4238<br /> __napi_poll net/core/dev.c:7495<br /> net_rx_action net/core/dev.c:7557 net/core/dev.c:7684<br /> handle_softirqs kernel/softirq.c:580<br /> do_softirq.part.0 kernel/softirq.c:480<br /> __local_bh_enable_ip kernel/softirq.c:407<br /> rtw89_pci_interrupt_threadfn drivers/net/wireless/realtek/rtw89/pci.c:927<br /> irq_thread_fn kernel/irq/manage.c:1133<br /> irq_thread kernel/irq/manage.c:1257<br /> kthread kernel/kthread.c:463<br /> ret_from_fork arch/x86/kernel/process.c:154<br /> ret_from_fork_asm arch/x86/entry/entry_64.S:258<br /> <br /> It is a consequence of a race between the waiting and the signaling side<br /> of the completion:<br /> <br /> Waiting thread Completing thread<br /> <br /> rtw89_core_tx_kick_off_and_wait()<br /> rcu_assign_pointer(skb_data-&gt;wait, wait)<br /> /* start waiting */<br /> wait_for_completion_timeout()<br /> rtw89_pci_tx_status()<br /> rtw89_core_tx_wait_complete()<br /> rcu_read_lock()<br /> /* signals completion and<br /> <br /> ---truncated---

*** Pendiente de traducción *** A path traversal issue exists in WXR9300BE6P series firmware versions prior to Ver.1.10. Arbitrary file may be altered by an administrative user who logs in to the affected product. Moreover, arbitrary OS command may be executed via some file alteration.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf: Check the helper function is valid in get_helper_proto<br /> <br /> kernel test robot reported verifier bug [1] where the helper func<br /> pointer could be NULL due to disabled config option.<br /> <br /> As Alexei suggested we could check on that in get_helper_proto<br /> directly. Marking tail_call helper func with BPF_PTR_POISON,<br /> because it is unused by design.<br /> <br /> [1] https://lore.kernel.org/oe-lkp/202507160818.68358831-lkp@intel.com

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: ath11k: fix NULL dereference in ath11k_qmi_m3_load()<br /> <br /> If ab-&gt;fw.m3_data points to data, then fw pointer remains null.<br /> Further, if m3_mem is not allocated, then fw is dereferenced to be<br /> passed to ath11k_err function.<br /> <br /> Replace fw-&gt;size by m3_len.<br /> <br /> Found by Linux Verification Center (linuxtesting.org) with SVACE.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mm: swap: check for stable address space before operating on the VMA<br /> <br /> It is possible to hit a zero entry while traversing the vmas in unuse_mm()<br /> called from swapoff path and accessing it causes the OOPS:<br /> <br /> Unable to handle kernel NULL pointer dereference at virtual address<br /> 0000000000000446--&gt; Loading the memory from offset 0x40 on the<br /> XA_ZERO_ENTRY as address.<br /> Mem abort info:<br /> ESR = 0x0000000096000005<br /> EC = 0x25: DABT (current EL), IL = 32 bits<br /> SET = 0, FnV = 0<br /> EA = 0, S1PTW = 0<br /> FSC = 0x05: level 1 translation fault<br /> <br /> The issue is manifested from the below race between the fork() on a<br /> process and swapoff:<br /> fork(dup_mmap()) swapoff(unuse_mm)<br /> --------------- -----------------<br /> 1) Identical mtree is built using<br /> __mt_dup().<br /> <br /> 2) copy_pte_range()--&gt;<br /> copy_nonpresent_pte():<br /> The dst mm is added into the<br /> mmlist to be visible to the<br /> swapoff operation.<br /> <br /> 3) Fatal signal is sent to the parent<br /> process(which is the current during the<br /> fork) thus skip the duplication of the<br /> vmas and mark the vma range with<br /> XA_ZERO_ENTRY as a marker for this process<br /> that helps during exit_mmap().<br /> <br /> 4) swapoff is tried on the<br /> &amp;#39;mm&amp;#39; added to the &amp;#39;mmlist&amp;#39; as<br /> part of the 2.<br /> <br /> 5) unuse_mm(), that iterates<br /> through the vma&amp;#39;s of this &amp;#39;mm&amp;#39;<br /> will hit the non-NULL zero entry<br /> and operating on this zero entry<br /> as a vma is resulting into the<br /> oops.<br /> <br /> The proper fix would be around not exposing this partially-valid tree to<br /> others when droping the mmap lock, which is being solved with [1]. A<br /> simpler solution would be checking for MMF_UNSTABLE, as it is set if<br /> mm_struct is not fully initialized in dup_mmap().<br /> <br /> Thanks to Liam/Lorenzo/David for all the suggestions in fixing this<br /> issue.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: rc: fix races with imon_disconnect()<br /> <br /> Syzbot reports a KASAN issue as below:<br /> BUG: KASAN: use-after-free in __create_pipe include/linux/usb.h:1945 [inline]<br /> BUG: KASAN: use-after-free in send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627<br /> Read of size 4 at addr ffff8880256fb000 by task syz-executor314/4465<br /> <br /> CPU: 2 PID: 4465 Comm: syz-executor314 Not tainted 6.0.0-rc1-syzkaller #0<br /> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014<br /> Call Trace:<br /> <br /> __dump_stack lib/dump_stack.c:88 [inline]<br /> dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106<br /> print_address_description mm/kasan/report.c:317 [inline]<br /> print_report.cold+0x2ba/0x6e9 mm/kasan/report.c:433<br /> kasan_report+0xb1/0x1e0 mm/kasan/report.c:495<br /> __create_pipe include/linux/usb.h:1945 [inline]<br /> send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627<br /> vfd_write+0x2d9/0x550 drivers/media/rc/imon.c:991<br /> vfs_write+0x2d7/0xdd0 fs/read_write.c:576<br /> ksys_write+0x127/0x250 fs/read_write.c:631<br /> do_syscall_x64 arch/x86/entry/common.c:50 [inline]<br /> do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80<br /> entry_SYSCALL_64_after_hwframe+0x63/0xcd<br /> <br /> The iMON driver improperly releases the usb_device reference in<br /> imon_disconnect without coordinating with active users of the<br /> device.<br /> <br /> Specifically, the fields usbdev_intf0 and usbdev_intf1 are not<br /> protected by the users counter (ictx-&gt;users). During probe,<br /> imon_init_intf0 or imon_init_intf1 increments the usb_device<br /> reference count depending on the interface. However, during<br /> disconnect, usb_put_dev is called unconditionally, regardless of<br /> actual usage.<br /> <br /> As a result, if vfd_write or other operations are still in<br /> progress after disconnect, this can lead to a use-after-free of<br /> the usb_device pointer.<br /> <br /> Thread 1 vfd_write Thread 2 imon_disconnect<br /> ...<br /> if<br /> usb_put_dev(ictx-&gt;usbdev_intf0)<br /> else<br /> usb_put_dev(ictx-&gt;usbdev_intf1)<br /> ...<br /> while<br /> send_packet<br /> if<br /> pipe = usb_sndintpipe(<br /> ictx-&gt;usbdev_intf0) UAF<br /> else<br /> pipe = usb_sndctrlpipe(<br /> ictx-&gt;usbdev_intf0, 0) UAF<br /> <br /> Guard access to usbdev_intf0 and usbdev_intf1 after disconnect by<br /> checking ictx-&gt;disconnected in all writer paths. Add early return<br /> with -ENODEV in send_packet(), vfd_write(), lcd_write() and<br /> display_open() if the device is no longer present.<br /> <br /> Set and read ictx-&gt;disconnected under ictx-&gt;lock to ensure memory<br /> synchronization. Acquire the lock in imon_disconnect() before setting<br /> the flag to synchronize with any ongoing operations.<br /> <br /> Ensure writers exit early and safely after disconnect before the USB<br /> core proceeds with cleanup.<br /> <br /> Found by Linux Verification Center (linuxtesting.org) with Syzkaller.