Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> locking/qrwlock: Fix ordering in queued_write_lock_slowpath()<br /> <br /> While this code is executed with the wait_lock held, a reader can<br /> acquire the lock without holding wait_lock. The writer side loops<br /> checking the value with the atomic_cond_read_acquire(), but only truly<br /> acquires the lock when the compare-and-exchange is completed<br /> successfully which isn’t ordered. This exposes the window between the<br /> acquire and the cmpxchg to an A-B-A problem which allows reads<br /> following the lock acquisition to observe values speculatively before<br /> the write lock is truly acquired.<br /> <br /> We&amp;#39;ve seen a problem in epoll where the reader does a xchg while<br /> holding the read lock, but the writer can see a value change out from<br /> under it.<br /> <br /> Writer | Reader<br /> --------------------------------------------------------------------------------<br /> ep_scan_ready_list() |<br /> |- write_lock_irq() |<br /> |- queued_write_lock_slowpath() |<br /> |- atomic_cond_read_acquire() |<br /> | read_lock_irqsave(&amp;ep-&gt;lock, flags);<br /> --&gt; (observes value before unlock) | chain_epi_lockless()<br /> | | epi-&gt;next = xchg(&amp;ep-&gt;ovflist, epi);<br /> | | read_unlock_irqrestore(&amp;ep-&gt;lock, flags);<br /> | |<br /> | atomic_cmpxchg_relaxed() |<br /> |-- READ_ONCE(ep-&gt;ovflist); |<br /> <br /> A core can order the read of the ovflist ahead of the<br /> atomic_cmpxchg_relaxed(). Switching the cmpxchg to use acquire<br /> semantics addresses this issue at which point the atomic_cond_read can<br /> be switched to use relaxed semantics.<br /> <br /> [peterz: use try_cmpxchg()]

The Page Builder: Pagelayer WordPress plugin before 1.8.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

The Smart Forms WordPress plugin before 2.6.87 does not have authorisation in various AJAX actions, which could allow users with a role as low as subscriber to call them and perform unauthorised actions such as deleting entries. The plugin also lacks CSRF checks in some places which could allow attackers to make logged in users perform unwanted actions via CSRF attacks such as deleting entries.

The JetBackup WordPress plugin before 2.0.9.9 doesn&amp;#39;t use index files to prevent public directory listing of sensitive directories in certain configurations, which allows malicious actors to leak backup files.

The WP JobSearch WordPress plugin before 2.3.4 does not validate files to be uploaded, which could allow unauthenticated attackers to upload arbitrary files such as PHP on the server

The WP JobSearch WordPress plugin before 2.3.4 does not prevent attackers from logging-in as any users with the only knowledge of that user&amp;#39;s email address.

The Shariff Wrapper WordPress plugin before 4.6.10 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

The Spiffy Calendar WordPress plugin before 4.9.9 doesn&amp;#39;t check the event_author parameter, and allows any user to alter it when creating an event, leading to deceiving users/admins that a page was created by a Contributor+.

The Fatal Error Notify WordPress plugin before 1.5.3 does not have authorisation and CSRF checks in its test_error AJAX action, allowing any authenticated users, such as subscriber to call it and spam the admin email address with error messages. The issue is also exploitable via CSRF

The WP Dashboard Notes WordPress plugin before 1.0.11 is vulnerable to Insecure Direct Object References (IDOR) in post_id= parameter. Authenticated users are able to delete private notes associated with different user accounts. This poses a significant security risk as it violates the principle of least privilege and compromises the integrity and privacy of user data.

The Persian Fonts WordPress plugin through 1.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Malicious code injection in Apache Ambari in prior to 2.7.8. Users are recommended to upgrade to version 2.7.8, which fixes this issue.<br /> <br /> Impact:<br /> A Cluster Operator can manipulate the request by adding a malicious code injection and gain a root over the cluster main host.