Vulnerabilities

Improper Neutralization of Input During Web Page Generation (&amp;#39;Cross-site Scripting&amp;#39;) vulnerability in Milan Petrovic GD Rating System allows Stored XSS.This issue affects GD Rating System: from n/a through 3.5.<br /> <br />

Improper Neutralization of Input During Web Page Generation (&amp;#39;Cross-site Scripting&amp;#39;) vulnerability in Shopfiles Ltd Ebook Store allows Stored XSS.This issue affects Ebook Store: from n/a through 5.788.<br /> <br />

Improper Neutralization of Input During Web Page Generation (&amp;#39;Cross-site Scripting&amp;#39;) vulnerability in Pascal Bajorat PB oEmbed HTML5 Audio – with Cache Support allows Stored XSS.This issue affects PB oEmbed HTML5 Audio – with Cache Support: from n/a through 2.6.<br /> <br />

Improper Neutralization of Input During Web Page Generation (&amp;#39;Cross-site Scripting&amp;#39;) vulnerability in Paul Jura &amp; Nicolas Montigny PJ News Ticker allows Stored XSS.This issue affects PJ News Ticker: from n/a through 1.9.5.<br /> <br />

An issue in EpointWebBuilder 5.1.0-sp1, 5.2.1-sp1, 5.4.1 and 5.4.2 allows a remote attacker to execute arbitrary code via the infoid parameter of the URL.

Cross-Site Request Forgery (CSRF) vulnerability in Ernest Marcinko Ajax Search Lite allows Reflected XSS.This issue affects Ajax Search Lite: from n/a through 4.11.4.<br /> <br />

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ksmbd: fix race condition between session lookup and expire<br /> <br /> Thread A + Thread B<br /> ksmbd_session_lookup | smb2_sess_setup<br /> sess = xa_load |<br /> |<br /> | xa_erase(&amp;conn-&gt;sessions, sess-&gt;id);<br /> |<br /> | ksmbd_session_destroy(sess) --&gt; kfree(sess)<br /> |<br /> // UAF! |<br /> sess-&gt;last_active = jiffies |<br /> +<br /> <br /> This patch add rwsem to fix race condition between ksmbd_session_lookup<br /> and ksmbd_expire_session.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mctp: perform route lookups under a RCU read-side lock<br /> <br /> Our current route lookups (mctp_route_lookup and mctp_route_lookup_null)<br /> traverse the net&amp;#39;s route list without the RCU read lock held. This means<br /> the route lookup is subject to preemption, resulting in an potential<br /> grace period expiry, and so an eventual kfree() while we still have the<br /> route pointer.<br /> <br /> Add the proper read-side critical section locks around the route<br /> lookups, preventing premption and a possible parallel kfree.<br /> <br /> The remaining net-&gt;mctp.routes accesses are already under a<br /> rcu_read_lock, or protected by the RTNL for updates.<br /> <br /> Based on an analysis from Sili Luo , where<br /> introducing a delay in the route lookup could cause a UAF on<br /> simultaneous sendmsg() and route deletion.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> x86/srso: Add SRSO mitigation for Hygon processors<br /> <br /> Add mitigation for the speculative return stack overflow vulnerability<br /> which exists on Hygon processors too.

The Restaurant Solutions – Checklist plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Checklist points in version 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> iommu/arm-smmu-v3: Fix soft lockup triggered by arm_smmu_mm_invalidate_range<br /> <br /> When running an SVA case, the following soft lockup is triggered:<br /> --------------------------------------------------------------------<br /> watchdog: BUG: soft lockup - CPU#244 stuck for 26s!<br /> pstate: 83400009 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)<br /> pc : arm_smmu_cmdq_issue_cmdlist+0x178/0xa50<br /> lr : arm_smmu_cmdq_issue_cmdlist+0x150/0xa50<br /> sp : ffff8000d83ef290<br /> x29: ffff8000d83ef290 x28: 000000003b9aca00 x27: 0000000000000000<br /> x26: ffff8000d83ef3c0 x25: da86c0812194a0e8 x24: 0000000000000000<br /> x23: 0000000000000040 x22: ffff8000d83ef340 x21: ffff0000c63980c0<br /> x20: 0000000000000001 x19: ffff0000c6398080 x18: 0000000000000000<br /> x17: 0000000000000000 x16: 0000000000000000 x15: ffff3000b4a3bbb0<br /> x14: ffff3000b4a30888 x13: ffff3000b4a3cf60 x12: 0000000000000000<br /> x11: 0000000000000000 x10: 0000000000000000 x9 : ffffc08120e4d6bc<br /> x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000048cfa<br /> x5 : 0000000000000000 x4 : 0000000000000001 x3 : 000000000000000a<br /> x2 : 0000000080000000 x1 : 0000000000000000 x0 : 0000000000000001<br /> Call trace:<br /> arm_smmu_cmdq_issue_cmdlist+0x178/0xa50<br /> __arm_smmu_tlb_inv_range+0x118/0x254<br /> arm_smmu_tlb_inv_range_asid+0x6c/0x130<br /> arm_smmu_mm_invalidate_range+0xa0/0xa4<br /> __mmu_notifier_invalidate_range_end+0x88/0x120<br /> unmap_vmas+0x194/0x1e0<br /> unmap_region+0xb4/0x144<br /> do_mas_align_munmap+0x290/0x490<br /> do_mas_munmap+0xbc/0x124<br /> __vm_munmap+0xa8/0x19c<br /> __arm64_sys_munmap+0x28/0x50<br /> invoke_syscall+0x78/0x11c<br /> el0_svc_common.constprop.0+0x58/0x1c0<br /> do_el0_svc+0x34/0x60<br /> el0_svc+0x2c/0xd4<br /> el0t_64_sync_handler+0x114/0x140<br /> el0t_64_sync+0x1a4/0x1a8<br /> --------------------------------------------------------------------<br /> <br /> Note that since 6.6-rc1 the arm_smmu_mm_invalidate_range above is renamed<br /> to "arm_smmu_mm_arch_invalidate_secondary_tlbs", yet the problem remains.<br /> <br /> The commit 06ff87bae8d3 ("arm64: mm: remove unused functions and variable<br /> protoypes") fixed a similar lockup on the CPU MMU side. Yet, it can occur<br /> to SMMU too, since arm_smmu_mm_arch_invalidate_secondary_tlbs() is called<br /> typically next to MMU tlb flush function, e.g.<br /> tlb_flush_mmu_tlbonly {<br /> tlb_flush {<br /> __flush_tlb_range {<br /> // check MAX_TLBI_OPS<br /> }<br /> }<br /> mmu_notifier_arch_invalidate_secondary_tlbs {<br /> arm_smmu_mm_arch_invalidate_secondary_tlbs {<br /> // does not check MAX_TLBI_OPS<br /> }<br /> }<br /> }<br /> <br /> Clone a CMDQ_MAX_TLBI_OPS from the MAX_TLBI_OPS in tlbflush.h, since in an<br /> SVA case SMMU uses the CPU page table, so it makes sense to align with the<br /> tlbflush code. Then, replace per-page TLBI commands with a single per-asid<br /> TLBI command, if the request size hits this threshold.

Improper Neutralization of Input During Web Page Generation (&amp;#39;Cross-site Scripting&amp;#39;) vulnerability in Jordy Meow Media Alt Renamer allows Stored XSS.This issue affects Media Alt Renamer: from n/a through 0.0.1.<br /> <br />