Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: br_netfilter: do not check confirmed bit in br_nf_local_in() after confirm<br /> <br /> When send a broadcast packet to a tap device, which was added to a bridge,<br /> br_nf_local_in() is called to confirm the conntrack. If another conntrack<br /> with the same hash value is added to the hash table, which can be<br /> triggered by a normal packet to a non-bridge device, the below warning<br /> may happen.<br /> <br /> ------------[ cut here ]------------<br /> WARNING: CPU: 1 PID: 96 at net/bridge/br_netfilter_hooks.c:632 br_nf_local_in+0x168/0x200<br /> CPU: 1 UID: 0 PID: 96 Comm: tap_send Not tainted 6.17.0-rc2-dirty #44 PREEMPT(voluntary)<br /> RIP: 0010:br_nf_local_in+0x168/0x200<br /> Call Trace:<br /> <br /> nf_hook_slow+0x3e/0xf0<br /> br_pass_frame_up+0x103/0x180<br /> br_handle_frame_finish+0x2de/0x5b0<br /> br_nf_hook_thresh+0xc0/0x120<br /> br_nf_pre_routing_finish+0x168/0x3a0<br /> br_nf_pre_routing+0x237/0x5e0<br /> br_handle_frame+0x1ec/0x3c0<br /> __netif_receive_skb_core+0x225/0x1210<br /> __netif_receive_skb_one_core+0x37/0xa0<br /> netif_receive_skb+0x36/0x160<br /> tun_get_user+0xa54/0x10c0<br /> tun_chr_write_iter+0x65/0xb0<br /> vfs_write+0x305/0x410<br /> ksys_write+0x60/0xd0<br /> do_syscall_64+0xa4/0x260<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> <br /> ---[ end trace 0000000000000000 ]---<br /> <br /> To solve the hash conflict, nf_ct_resolve_clash() try to merge the<br /> conntracks, and update skb-&gt;_nfct. However, br_nf_local_in() still use the<br /> old ct from local variable &amp;#39;nfct&amp;#39; after confirm(), which leads to this<br /> warning.<br /> <br /> If confirm() does not insert the conntrack entry and return NF_DROP, the<br /> warning may also occur. There is no need to reserve the WARN_ON_ONCE, just<br /> remove it.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: mwifiex: Initialize the chan_stats array to zero<br /> <br /> The adapter-&gt;chan_stats[] array is initialized in<br /> mwifiex_init_channel_scan_gap() with vmalloc(), which doesn&amp;#39;t zero out<br /> memory. The array is filled in mwifiex_update_chan_statistics()<br /> and then the user can query the data in mwifiex_cfg80211_dump_survey().<br /> <br /> There are two potential issues here. What if the user calls<br /> mwifiex_cfg80211_dump_survey() before the data has been filled in.<br /> Also the mwifiex_update_chan_statistics() function doesn&amp;#39;t necessarily<br /> initialize the whole array. Since the array was not initialized at<br /> the start that could result in an information leak.<br /> <br /> Also this array is pretty small. It&amp;#39;s a maximum of 900 bytes so it&amp;#39;s<br /> more appropriate to use kcalloc() instead vmalloc().

The Custom Searchable Data Entry System plugin for WordPress is vulnerable to unauthenticated database wiping in versions up to, and including 1.7.1, due to a missing capability check and lack of sufficient validation on the ghazale_sds_delete_entries_table_row() function. This makes it possible for unauthenticated attackers to completely wipe database tables such as wp_users.

The Schema &amp; Structured Data for WP &amp; AMP WordPress plugin before 1.50 does not properly handles HTML tag attribute modifications, making it possible for unauthenticated attackers to conduct Stored XSS attacks via post comments.

The ZoloBlocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple Gutenberg blocks in versions up to, and including, 2.3.10. This is due to insufficient input sanitization and output escaping on user-supplied attributes within multiple block components including Google Maps markers, Lightbox captions, Image Gallery data attributes, Progress Pie prefix/suffix fields, and Text Path URL fields. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

The File Manager, Code Editor, and Backup by Managefy plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.6.1 through publicly exposed log files. This makes it possible for unauthenticated attackers to view information like full paths and full paths to backup files information contained in the exposed log files.

The Block For Mailchimp – Easy Mailchimp Form Integration plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 1.1.12 via the mcbSubmit_Form_Data(). This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

An authentication bypass vulnerability exists in LG Innotek camera models LND7210 and LNV7210R. The vulnerability allows a malicious actor to gain access to camera information including user account information.

Rejected reason: Not used

Rejected reason: Not used

Rejected reason: Not used

Rejected reason: Not used