Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: ch9200: fix uninitialised access during mii_nway_restart<br /> <br /> In mii_nway_restart() the code attempts to call<br /> mii-&gt;mdio_read which is ch9200_mdio_read(). ch9200_mdio_read()<br /> utilises a local buffer called "buff", which is initialised<br /> with control_read(). However "buff" is conditionally<br /> initialised inside control_read():<br /> <br /> if (err == size) {<br /> memcpy(data, buf, size);<br /> }<br /> <br /> If the condition of "err == size" is not met, then<br /> "buff" remains uninitialised. Once this happens the<br /> uninitialised "buff" is accessed and returned during<br /> ch9200_mdio_read():<br /> <br /> return (buff[0] | buff[1]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race<br /> <br /> huge_pmd_unshare() drops a reference on a page table that may have<br /> previously been shared across processes, potentially turning it into a<br /> normal page table used in another process in which unrelated VMAs can<br /> afterwards be installed.<br /> <br /> If this happens in the middle of a concurrent gup_fast(), gup_fast() could<br /> end up walking the page tables of another process. While I don&amp;#39;t see any<br /> way in which that immediately leads to kernel memory corruption, it is<br /> really weird and unexpected.<br /> <br /> Fix it with an explicit broadcast IPI through tlb_remove_table_sync_one(),<br /> just like we do in khugepaged when removing page tables for a THP<br /> collapse.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mm/hugetlb: unshare page tables during VMA split, not before<br /> <br /> Currently, __split_vma() triggers hugetlb page table unsharing through<br /> vm_ops-&gt;may_split(). This happens before the VMA lock and rmap locks are<br /> taken - which is too early, it allows racing VMA-locked page faults in our<br /> process and racing rmap walks from other processes to cause page tables to<br /> be shared again before we actually perform the split.<br /> <br /> Fix it by explicitly calling into the hugetlb unshare logic from<br /> __split_vma() in the same place where THP splitting also happens. At that<br /> point, both the VMA and the rmap(s) are write-locked.<br /> <br /> An annoying detail is that we can now call into the helper<br /> hugetlb_unshare_pmds() from two different locking contexts:<br /> <br /> 1. from hugetlb_split(), holding:<br /> - mmap lock (exclusively)<br /> - VMA lock<br /> - file rmap lock (exclusively)<br /> 2. hugetlb_unshare_all_pmds(), which I think is designed to be able to<br /> call us with only the mmap lock held (in shared mode), but currently<br /> only runs while holding mmap lock (exclusively) and VMA lock<br /> <br /> Backporting note:<br /> This commit fixes a racy protection that was introduced in commit<br /> b30c14cd6102 ("hugetlb: unshare some PMDs when splitting VMAs"); that<br /> commit claimed to fix an issue introduced in 5.13, but it should actually<br /> also go all the way back.<br /> <br /> [jannh@google.com: v2]

The Game Users Share Buttons plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the ajaxDeleteTheme() function in all versions up to, and including, 1.3.0. This makes it possible for Subscriber-level attackers to add arbitrary file paths (such as ../../../../wp-config.php) to the themeNameId parameter of the AJAX request, which can lead to remote code execution.

The PT Project Notebooks plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization in the wpnb_pto_new_users_add() function in versions 1.0.0 through 1.1.3. This makes it possible for unauthenticated attackers to elevate their privileges to that of an administrator.

The Qi Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in all versions up to, and including, 1.9.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

The BeeTeam368 Extensions plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.3.4 via the handle_remove_temp_file() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform actions on files outside of the originally intended directory. This vulnerability can be used to delete the wp-config.php file, which can be leveraged into a site takeover.

The WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘hotspot-hover’ parameter in all versions up to, and including, 8.5.32 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

The BeeTeam368 Extensions Pro plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.3.4 via the handle_live_fn() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform actions on files outside of the originally intended directory. This vulnerability can be used to delete the wp-config.php file, which can be leveraged into a site takeover.

Rejected reason: Not used

Rejected reason: Not used

Rejected reason: Not used