Vulnerabilities

To inform, warn and help professionals with the latest security vulnerabilities in technology systems, we maintain a database for users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates that information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, because they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are available, with criteria such as vulnerability type, manufacturer and impact level, among others, to narrow down the results.

You can be informed daily about the latest vulnerabilities added to the repository through RSS feeds or newsletters. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2025-28968

Publication date:
04/07/2025
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vladimir Prelovac WP Wall wp-wall allows Reflected XSS. This issue affects WP Wall: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
01/04/2026

CVE-2025-28976

Publication date:
04/07/2025
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in dsrodzin Email Address Security by WebEmailProtector webemailprotector allows Stored XSS. This issue affects Email Address Security by WebEmailProtector: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
01/04/2026

CVE-2025-23970

Publication date:
04/07/2025
Incorrect Privilege Assignment vulnerability in aonetheme Service Finder Booking sf-booking allows Privilege Escalation. This issue affects Service Finder Booking: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
01/04/2026

CVE-2025-7060

Publication date:
04/07/2025
A vulnerability was found in Monitorr up to 1.7.6m. It has been classified as problematic. This affects an unknown part of the file assets/config/_installation/mkdbajax.php of the component Installer. The manipulation of the argument datadir leads to improper input validation. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is said to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: LOW
Last modification:
01/10/2025

CVE-2025-38176

Publication date:
04/07/2025
In the Linux kernel, the following vulnerability has been resolved:

binder: fix use-after-free in binderfs_evict_inode()

Running 'stress-ng --binderfs 16 --timeout 300' under KASAN-enabled
kernel, I've noticed the following:

BUG: KASAN: slab-use-after-free in binderfs_evict_inode+0x1de/0x2d0
Write of size 8 at addr ffff88807379bc08 by task stress-ng-binde/1699

CPU: 0 UID: 0 PID: 1699 Comm: stress-ng-binde Not tainted 6.14.0-rc7-g586de92313fc-dirty #13
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014
Call Trace:

dump_stack_lvl+0x1c2/0x2a0
? __pfx_dump_stack_lvl+0x10/0x10
? __pfx__printk+0x10/0x10
? __pfx_lock_release+0x10/0x10
? __virt_addr_valid+0x18c/0x540
? __virt_addr_valid+0x469/0x540
print_report+0x155/0x840
? __virt_addr_valid+0x18c/0x540
? __virt_addr_valid+0x469/0x540
? __phys_addr+0xba/0x170
? binderfs_evict_inode+0x1de/0x2d0
kasan_report+0x147/0x180
? binderfs_evict_inode+0x1de/0x2d0
binderfs_evict_inode+0x1de/0x2d0
? __pfx_binderfs_evict_inode+0x10/0x10
evict+0x524/0x9f0
? __pfx_lock_release+0x10/0x10
? __pfx_evict+0x10/0x10
? do_raw_spin_unlock+0x4d/0x210
? _raw_spin_unlock+0x28/0x50
? iput+0x697/0x9b0
__dentry_kill+0x209/0x660
? shrink_kill+0x8d/0x2c0
shrink_kill+0xa9/0x2c0
shrink_dentry_list+0x2e0/0x5e0
shrink_dcache_parent+0xa2/0x2c0
? __pfx_shrink_dcache_parent+0x10/0x10
? __pfx_lock_release+0x10/0x10
? __pfx_do_raw_spin_lock+0x10/0x10
do_one_tree+0x23/0xe0
shrink_dcache_for_umount+0xa0/0x170
generic_shutdown_super+0x67/0x390
kill_litter_super+0x76/0xb0
binderfs_kill_super+0x44/0x90
deactivate_locked_super+0xb9/0x130
cleanup_mnt+0x422/0x4c0
? lockdep_hardirqs_on+0x9d/0x150
task_work_run+0x1d2/0x260
? __pfx_task_work_run+0x10/0x10
resume_user_mode_work+0x52/0x60
syscall_exit_to_user_mode+0x9a/0x120
do_syscall_64+0x103/0x210
? asm_sysvec_apic_timer_interrupt+0x1a/0x20
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0xcac57b
Code: c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 f3 0f 1e fa 31 f6 e9 05 00 00 00 0f 1f 44 00 00 f3 0f 1e fa b8
RSP: 002b:00007ffecf4226a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 00007ffecf422720 RCX: 0000000000cac57b
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00007ffecf422850
RBP: 00007ffecf422850 R08: 0000000028d06ab1 R09: 7fffffffffffffff
R10: 3fffffffffffffff R11: 0000000000000246 R12: 00007ffecf422718
R13: 00007ffecf422710 R14: 00007f478f87b658 R15: 00007ffecf422830

Allocated by task 1705:
kasan_save_track+0x3e/0x80
__kasan_kmalloc+0x8f/0xa0
__kmalloc_cache_noprof+0x213/0x3e0
binderfs_binder_device_create+0x183/0xa80
binder_ctl_ioctl+0x138/0x190
__x64_sys_ioctl+0x120/0x1b0
do_syscall_64+0xf6/0x210
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 1705:
kasan_save_track+0x3e/0x80
kasan_save_free_info+0x46/0x50
__kasan_slab_free+0x62/0x70
kfree+0x194/0x440
evict+0x524/0x9f0
do_unlinkat+0x390/0x5b0
__x64_sys_unlink+0x47/0x50
do_syscall_64+0xf6/0x210
entry_SYSCALL_64_after_hwframe+0x77/0x7f

This 'stress-ng' workload causes the concurrent deletions from
'binder_devices' and so requires full-featured synchronization
to prevent list corruption.

I've found this issue independently but pretty sure that syzbot did
the same, so Reported-by: and Closes: should be applicable here as well.
Severity CVSS v4.0: Pending analysis
Last modification:
19/11/2025

CVE-2025-38175

Publication date:
04/07/2025
In the Linux kernel, the following vulnerability has been resolved:

binder: fix yet another UAF in binder_devices

Commit e77aff5528a18 ("binderfs: fix use-after-free in binder_devices")
addressed a use-after-free where devices could be released without first
being removed from the binder_devices list. However, there is a similar
path in binder_free_proc() that was missed:

==================================================================
BUG: KASAN: slab-use-after-free in binder_remove_device+0xd4/0x100
Write of size 8 at addr ffff0000c773b900 by task umount/467
CPU: 12 UID: 0 PID: 467 Comm: umount Not tainted 6.15.0-rc7-00138-g57483a362741 #9 PREEMPT
Hardware name: linux,dummy-virt (DT)
Call trace:
binder_remove_device+0xd4/0x100
binderfs_evict_inode+0x230/0x2f0
evict+0x25c/0x5dc
iput+0x304/0x480
dentry_unlink_inode+0x208/0x46c
__dentry_kill+0x154/0x530
[...]

Allocated by task 463:
__kmalloc_cache_noprof+0x13c/0x324
binderfs_binder_device_create.isra.0+0x138/0xa60
binder_ctl_ioctl+0x1ac/0x230
[...]

Freed by task 215:
kfree+0x184/0x31c
binder_proc_dec_tmpref+0x33c/0x4ac
binder_deferred_func+0xc10/0x1108
process_one_work+0x520/0xba4
[...]
==================================================================

Call binder_remove_device() within binder_free_proc() to ensure the
device is removed from the binder_devices list before being kfreed.
Severity CVSS v4.0: Pending analysis
Last modification:
19/11/2025

CVE-2025-38174

Publication date:
04/07/2025
In the Linux kernel, the following vulnerability has been resolved:

thunderbolt: Do not double dequeue a configuration request

Some of our devices crash in tb_cfg_request_dequeue():

general protection fault, probably for non-canonical address 0xdead000000000122

CPU: 6 PID: 91007 Comm: kworker/6:2 Tainted: G U W 6.6.65
RIP: 0010:tb_cfg_request_dequeue+0x2d/0xa0
Call Trace:

? tb_cfg_request_dequeue+0x2d/0xa0
tb_cfg_request_work+0x33/0x80
worker_thread+0x386/0x8f0
kthread+0xed/0x110
ret_from_fork+0x38/0x50
ret_from_fork_asm+0x1b/0x30

The circumstances are unclear, however, the theory is that
tb_cfg_request_work() can be scheduled twice for a request:
first time via frame.callback from ring_work() and second
time from tb_cfg_request(). Both times kworkers will execute
tb_cfg_request_dequeue(), which results in double list_del()
from the ctl->request_queue (the list poison dereference hints
at it: 0xdead000000000122).

Do not dequeue requests that don't have TB_CFG_REQUEST_ACTIVE
bit set.
Severity CVSS v4.0: Pending analysis
Last modification:
18/12/2025

CVE-2025-5920

Publication date:
04/07/2025
The Sharable Password Protected Posts before version 1.1.1 allows access to password protected posts by providing a secret key in a GET parameter. However, the key is exposed by the REST API.
Severity CVSS v4.0: Pending analysis
Last modification:
13/01/2026

CVE-2025-5351

Publication date:
04/07/2025
A flaw was found in the key export functionality of libssh. The issue occurs in the internal function responsible for converting cryptographic keys into serialized formats. During error handling, a memory structure is freed but not cleared, leading to a potential double free issue if an additional failure occurs later in the function. This condition may result in heap corruption or application instability in low-memory scenarios, posing a risk to system reliability where key export operations are performed.
Severity CVSS v4.0: Pending analysis
Last modification:
08/01/2026

CVE-2025-53568

Publication date:
04/07/2025
Cross-Site Request Forgery (CSRF) vulnerability in Tony Zeoli Radio Station radio-station allows Cross Site Request Forgery. This issue affects Radio Station: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
01/04/2026

CVE-2025-53569

Publication date:
04/07/2025
Cross-Site Request Forgery (CSRF) vulnerability in Trust Payments Trust Payments Gateway for WooCommerce (JavaScript Library) trust-payments-gateway-3ds2 allows Cross Site Request Forgery. This issue affects Trust Payments Gateway for WooCommerce (JavaScript Library): from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
01/04/2026

CVE-2025-30983

Publication date:
04/07/2025
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gopiplus Card flip image slideshow card-flip-image-slideshow allows DOM-Based XSS. This issue affects Card flip image slideshow: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
01/04/2026