Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-22646

Publication date:
27/03/2025
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in aThemes aThemes Addons for Elementor allows Stored XSS. This issue affects aThemes Addons for Elementor: from n/a through 1.0.8.
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2025

CVE-2025-22647

Publication date:
27/03/2025
Missing Authorization vulnerability in smackcoders AIO Performance Profiler, Monitor, Optimize, Compress & Debug allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AIO Performance Profiler, Monitor, Optimize, Compress & Debug: from n/a through 1.2.
Severity CVSS v4.0: Pending analysis
Last modification:
27/03/2025

CVE-2025-22648

Publication date:
27/03/2025
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Plugin Devs Blog, Posts and Category Filter for Elementor allows Stored XSS. This issue affects Blog, Posts and Category Filter for Elementor: from n/a through 2.0.1.
Severity CVSS v4.0: Pending analysis
Last modification:
27/03/2025

CVE-2025-22649

Publication date:
27/03/2025
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in weDevs WP Project Manager wedevs-project-manager allows Stored XSS. This issue affects WP Project Manager: from n/a through 2.6.22.
Severity CVSS v4.0: Pending analysis
Last modification:
10/04/2025

CVE-2025-22652

Publication date:
27/03/2025
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in kendysond Payment Forms for Paystack allows SQL Injection. This issue affects Payment Forms for Paystack: from n/a through 4.0.1.
Severity CVSS v4.0: Pending analysis
Last modification:
27/03/2025

CVE-2025-21891

Publication date:
27/03/2025
In the Linux kernel, the following vulnerability has been resolved:

ipvlan: ensure network headers are in skb linear part

syzbot found that ipvlan_process_v6_outbound() was assuming
the IPv6 network header is present in skb->head [1]

Add the needed pskb_network_may_pull() calls for both
IPv4 and IPv6 handlers.

[1]
BUG: KMSAN: uninit-value in __ipv6_addr_type+0xa2/0x490 net/ipv6/addrconf_core.c:47
__ipv6_addr_type+0xa2/0x490 net/ipv6/addrconf_core.c:47
ipv6_addr_type include/net/ipv6.h:555 [inline]
ip6_route_output_flags_noref net/ipv6/route.c:2616 [inline]
ip6_route_output_flags+0x51/0x720 net/ipv6/route.c:2651
ip6_route_output include/net/ip6_route.h:93 [inline]
ipvlan_route_v6_outbound+0x24e/0x520 drivers/net/ipvlan/ipvlan_core.c:476
ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:491 [inline]
ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:541 [inline]
ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:605 [inline]
ipvlan_queue_xmit+0xd72/0x1780 drivers/net/ipvlan/ipvlan_core.c:671
ipvlan_start_xmit+0x5b/0x210 drivers/net/ipvlan/ipvlan_main.c:223
__netdev_start_xmit include/linux/netdevice.h:5150 [inline]
netdev_start_xmit include/linux/netdevice.h:5159 [inline]
xmit_one net/core/dev.c:3735 [inline]
dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3751
sch_direct_xmit+0x399/0xd40 net/sched/sch_generic.c:343
qdisc_restart net/sched/sch_generic.c:408 [inline]
__qdisc_run+0x14da/0x35d0 net/sched/sch_generic.c:416
qdisc_run+0x141/0x4d0 include/net/pkt_sched.h:127
net_tx_action+0x78b/0x940 net/core/dev.c:5484
handle_softirqs+0x1a0/0x7c0 kernel/softirq.c:561
__do_softirq+0x14/0x1a kernel/softirq.c:595
do_softirq+0x9a/0x100 kernel/softirq.c:462
__local_bh_enable_ip+0x9f/0xb0 kernel/softirq.c:389
local_bh_enable include/linux/bottom_half.h:33 [inline]
rcu_read_unlock_bh include/linux/rcupdate.h:919 [inline]
__dev_queue_xmit+0x2758/0x57d0 net/core/dev.c:4611
dev_queue_xmit include/linux/netdevice.h:3311 [inline]
packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276
packet_snd net/packet/af_packet.c:3132 [inline]
packet_sendmsg+0x93e0/0xa7e0 net/packet/af_packet.c:3164
sock_sendmsg_nosec net/socket.c:718 [inline]
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2025-22644

Publication date:
27/03/2025
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeHunk Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce allows Stored XSS. This issue affects Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce: from n/a through 1.2.1.
Severity CVSS v4.0: Pending analysis
Last modification:
09/01/2026

CVE-2025-21884

Publication date:
27/03/2025
In the Linux kernel, the following vulnerability has been resolved:

net: better track kernel sockets lifetime

While kernel sockets are dismantled during pernet_operations->exit(),
their freeing can be delayed by any tx packets still held in qdisc
or device queues, due to skb_set_owner_w() prior calls.

This then triggers the following warning from ref_tracker_dir_exit() [1]

To fix this, make sure that kernel sockets own a reference on net->passive.

Add sk_net_refcnt_upgrade() helper, used whenever a kernel socket
is converted to a refcounted one.

[1]

[ 136.263918][ T35] ref_tracker: net notrefcnt@ffff8880638f01e0 has 1/2 users at
[ 136.263918][ T35] sk_alloc+0x2b3/0x370
[ 136.263918][ T35] inet6_create+0x6ce/0x10f0
[ 136.263918][ T35] __sock_create+0x4c0/0xa30
[ 136.263918][ T35] inet_ctl_sock_create+0xc2/0x250
[ 136.263918][ T35] igmp6_net_init+0x39/0x390
[ 136.263918][ T35] ops_init+0x31e/0x590
[ 136.263918][ T35] setup_net+0x287/0x9e0
[ 136.263918][ T35] copy_net_ns+0x33f/0x570
[ 136.263918][ T35] create_new_namespaces+0x425/0x7b0
[ 136.263918][ T35] unshare_nsproxy_namespaces+0x124/0x180
[ 136.263918][ T35] ksys_unshare+0x57d/0xa70
[ 136.263918][ T35] __x64_sys_unshare+0x38/0x40
[ 136.263918][ T35] do_syscall_64+0xf3/0x230
[ 136.263918][ T35] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 136.263918][ T35]
[ 136.343488][ T35] ref_tracker: net notrefcnt@ffff8880638f01e0 has 1/2 users at
[ 136.343488][ T35] sk_alloc+0x2b3/0x370
[ 136.343488][ T35] inet6_create+0x6ce/0x10f0
[ 136.343488][ T35] __sock_create+0x4c0/0xa30
[ 136.343488][ T35] inet_ctl_sock_create+0xc2/0x250
[ 136.343488][ T35] ndisc_net_init+0xa7/0x2b0
[ 136.343488][ T35] ops_init+0x31e/0x590
[ 136.343488][ T35] setup_net+0x287/0x9e0
[ 136.343488][ T35] copy_net_ns+0x33f/0x570
[ 136.343488][ T35] create_new_namespaces+0x425/0x7b0
[ 136.343488][ T35] unshare_nsproxy_namespaces+0x124/0x180
[ 136.343488][ T35] ksys_unshare+0x57d/0xa70
[ 136.343488][ T35] __x64_sys_unshare+0x38/0x40
[ 136.343488][ T35] do_syscall_64+0xf3/0x230
[ 136.343488][ T35] entry_SYSCALL_64_after_hwframe+0x77/0x7f
Severity CVSS v4.0: Pending analysis
Last modification:
29/10/2025

CVE-2025-21883

Publication date:
27/03/2025
In the Linux kernel, the following vulnerability has been resolved:

ice: Fix deinitializing VF in error path

If ice_ena_vfs() fails after calling ice_create_vf_entries(), it frees
all VFs without removing them from snapshot PF-VF mailbox list, leading
to list corruption.

Reproducer:
devlink dev eswitch set $PF1_PCI mode switchdev
ip l s $PF1 up
ip l s $PF1 promisc on
sleep 1
echo 1 > /sys/class/net/$PF1/device/sriov_numvfs
sleep 1
echo 1 > /sys/class/net/$PF1/device/sriov_numvfs

Trace (minimized):
list_add corruption. next->prev should be prev (ffff8882e241c6f0), but was 0000000000000000. (next=ffff888455da1330).
kernel BUG at lib/list_debug.c:29!
RIP: 0010:__list_add_valid_or_report+0xa6/0x100
ice_mbx_init_vf_info+0xa7/0x180 [ice]
ice_initialize_vf_entry+0x1fa/0x250 [ice]
ice_sriov_configure+0x8d7/0x1520 [ice]
? __percpu_ref_switch_mode+0x1b1/0x5d0
? __pfx_ice_sriov_configure+0x10/0x10 [ice]

Sometimes a KASAN report can be seen instead with a similar stack trace:
BUG: KASAN: use-after-free in __list_add_valid_or_report+0xf1/0x100

VFs are added to this list in ice_mbx_init_vf_info(), but only removed
in ice_free_vfs(). Move the removing to ice_free_vf_entries(), which is
also being called in other places where VFs are being removed (including
ice_free_vfs() itself).
Severity CVSS v4.0: Pending analysis
Last modification:
29/10/2025

CVE-2025-21890

Publication date:
27/03/2025
In the Linux kernel, the following vulnerability has been resolved:

idpf: fix checksums set in idpf_rx_rsc()

idpf_rx_rsc() uses skb_transport_offset(skb) while the transport header
is not set yet.

This triggers the following warning for CONFIG_DEBUG_NET=y builds.

DEBUG_NET_WARN_ON_ONCE(!skb_transport_header_was_set(skb))

[ 69.261620] WARNING: CPU: 7 PID: 0 at ./include/linux/skbuff.h:3020 idpf_vport_splitq_napi_poll (include/linux/skbuff.h:3020) idpf
[ 69.261629] Modules linked in: vfat fat dummy bridge intel_uncore_frequency_tpmi intel_uncore_frequency_common intel_vsec_tpmi idpf intel_vsec cdc_ncm cdc_eem cdc_ether usbnet mii xhci_pci xhci_hcd ehci_pci ehci_hcd libeth
[ 69.261644] CPU: 7 UID: 0 PID: 0 Comm: swapper/7 Tainted: G S W 6.14.0-smp-DEV #1697
[ 69.261648] Tainted: [S]=CPU_OUT_OF_SPEC, [W]=WARN
[ 69.261650] RIP: 0010:idpf_vport_splitq_napi_poll (include/linux/skbuff.h:3020) idpf
[ 69.261677] ? __warn (kernel/panic.c:242 kernel/panic.c:748)
[ 69.261682] ? idpf_vport_splitq_napi_poll (include/linux/skbuff.h:3020) idpf
[ 69.261687] ? report_bug (lib/bug.c:?)
[ 69.261690] ? handle_bug (arch/x86/kernel/traps.c:285)
[ 69.261694] ? exc_invalid_op (arch/x86/kernel/traps.c:309)
[ 69.261697] ? asm_exc_invalid_op (arch/x86/include/asm/idtentry.h:621)
[ 69.261700] ? __pfx_idpf_vport_splitq_napi_poll (drivers/net/ethernet/intel/idpf/idpf_txrx.c:4011) idpf
[ 69.261704] ? idpf_vport_splitq_napi_poll (include/linux/skbuff.h:3020) idpf
[ 69.261708] ? idpf_vport_splitq_napi_poll (drivers/net/ethernet/intel/idpf/idpf_txrx.c:3072) idpf
[ 69.261712] __napi_poll (net/core/dev.c:7194)
[ 69.261716] net_rx_action (net/core/dev.c:7265)
[ 69.261718] ? __qdisc_run (net/sched/sch_generic.c:293)
[ 69.261721] ? sched_clock (arch/x86/include/asm/preempt.h:84 arch/x86/kernel/tsc.c:288)
[ 69.261726] handle_softirqs (kernel/softirq.c:561)
Severity CVSS v4.0: Pending analysis
Last modification:
29/10/2025

CVE-2025-21885

Publication date:
27/03/2025
In the Linux kernel, the following vulnerability has been resolved:

RDMA/bnxt_re: Fix the page details for the srq created by kernel consumers

While using nvme target with use_srq on, below kernel panic is noticed.

[ 549.698111] bnxt_en 0000:41:00.0 enp65s0np0: FEC autoneg off encoding: Clause 91 RS(544,514)
[ 566.393619] Oops: divide error: 0000 [#1] PREEMPT SMP NOPTI
..
[ 566.393799]
[ 566.393807] ? __die_body+0x1a/0x60
[ 566.393823] ? die+0x38/0x60
[ 566.393835] ? do_trap+0xe4/0x110
[ 566.393847] ? bnxt_qplib_alloc_init_hwq+0x1d4/0x580 [bnxt_re]
[ 566.393867] ? bnxt_qplib_alloc_init_hwq+0x1d4/0x580 [bnxt_re]
[ 566.393881] ? do_error_trap+0x7c/0x120
[ 566.393890] ? bnxt_qplib_alloc_init_hwq+0x1d4/0x580 [bnxt_re]
[ 566.393911] ? exc_divide_error+0x34/0x50
[ 566.393923] ? bnxt_qplib_alloc_init_hwq+0x1d4/0x580 [bnxt_re]
[ 566.393939] ? asm_exc_divide_error+0x16/0x20
[ 566.393966] ? bnxt_qplib_alloc_init_hwq+0x1d4/0x580 [bnxt_re]
[ 566.393997] bnxt_qplib_create_srq+0xc9/0x340 [bnxt_re]
[ 566.394040] bnxt_re_create_srq+0x335/0x3b0 [bnxt_re]
[ 566.394057] ? srso_return_thunk+0x5/0x5f
[ 566.394068] ? __init_swait_queue_head+0x4a/0x60
[ 566.394090] ib_create_srq_user+0xa7/0x150 [ib_core]
[ 566.394147] nvmet_rdma_queue_connect+0x7d0/0xbe0 [nvmet_rdma]
[ 566.394174] ? lock_release+0x22c/0x3f0
[ 566.394187] ? srso_return_thunk+0x5/0x5f

Page size and shift info is set only for the user space SRQs.
Set page size and page shift for kernel space SRQs also.
Severity CVSS v4.0: Pending analysis
Last modification:
29/10/2025

CVE-2025-21886

Publication date:
27/03/2025
In the Linux kernel, the following vulnerability has been resolved:

RDMA/mlx5: Fix implicit ODP hang on parent deregistration

Fix the destroy_unused_implicit_child_mr() to prevent hanging during
parent deregistration as of below [1].

Upon entering destroy_unused_implicit_child_mr(), the reference count
for the implicit MR parent is incremented using:
refcount_inc_not_zero().

A corresponding decrement must be performed if
free_implicit_child_mr_work() is not called.

The code has been updated to properly manage the reference count that
was incremented.

[1]
INFO: task python3:2157 blocked for more than 120 seconds.
Not tainted 6.12.0-rc7+ #1633
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:python3 state:D stack:0 pid:2157 tgid:2157 ppid:1685 flags:0x00000000
Call Trace:
__schedule+0x420/0xd30
schedule+0x47/0x130
__mlx5_ib_dereg_mr+0x379/0x5d0 [mlx5_ib]
? __pfx_autoremove_wake_function+0x10/0x10
ib_dereg_mr_user+0x5f/0x120 [ib_core]
? lock_release+0xc6/0x280
destroy_hw_idr_uobject+0x1d/0x60 [ib_uverbs]
uverbs_destroy_uobject+0x58/0x1d0 [ib_uverbs]
uobj_destroy+0x3f/0x70 [ib_uverbs]
ib_uverbs_cmd_verbs+0x3e4/0xbb0 [ib_uverbs]
? __pfx_uverbs_destroy_def_handler+0x10/0x10 [ib_uverbs]
? lock_acquire+0xc1/0x2f0
? ib_uverbs_ioctl+0xcb/0x170 [ib_uverbs]
? ib_uverbs_ioctl+0x116/0x170 [ib_uverbs]
? lock_release+0xc6/0x280
ib_uverbs_ioctl+0xe7/0x170 [ib_uverbs]
? ib_uverbs_ioctl+0xcb/0x170 [ib_uverbs]
__x64_sys_ioctl+0x1b0/0xa70
? kmem_cache_free+0x221/0x400
do_syscall_64+0x6b/0x140
entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7f20f21f017b
RSP: 002b:00007ffcfc4a77c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007ffcfc4a78d8 RCX: 00007f20f21f017b
RDX: 00007ffcfc4a78c0 RSI: 00000000c0181b01 RDI: 0000000000000003
RBP: 00007ffcfc4a78a0 R08: 000056147d125190 R09: 00007f20f1f14c60
R10: 0000000000000001 R11: 0000000000000246 R12: 00007ffcfc4a7890
R13: 000000000000001c R14: 000056147d100fc0 R15: 00007f20e365c9d0
Severity CVSS v4.0: Pending analysis
Last modification:
29/10/2025