Vulnerabilities

The Photos and Files Contest Gallery WordPress plugin before 21.3.1 does not sanitize and escape some parameters, which could allow users with a role as low as author to perform Cross-Site Scripting attacks.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ksmbd: fix global oob in ksmbd_nl_policy<br /> <br /> Similar to a reported issue (check the commit b33fb5b801c6 ("net:<br /> qualcomm: rmnet: fix global oob in rmnet_policy"), my local fuzzer finds<br /> another global out-of-bounds read for policy ksmbd_nl_policy. See bug<br /> trace below:<br /> <br /> ==================================================================<br /> BUG: KASAN: global-out-of-bounds in validate_nla lib/nlattr.c:386 [inline]<br /> BUG: KASAN: global-out-of-bounds in __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600<br /> Read of size 1 at addr ffffffff8f24b100 by task syz-executor.1/62810<br /> <br /> CPU: 0 PID: 62810 Comm: syz-executor.1 Tainted: G N 6.1.0 #3<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014<br /> Call Trace:<br /> <br /> __dump_stack lib/dump_stack.c:88 [inline]<br /> dump_stack_lvl+0x8b/0xb3 lib/dump_stack.c:106<br /> print_address_description mm/kasan/report.c:284 [inline]<br /> print_report+0x172/0x475 mm/kasan/report.c:395<br /> kasan_report+0xbb/0x1c0 mm/kasan/report.c:495<br /> validate_nla lib/nlattr.c:386 [inline]<br /> __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600<br /> __nla_parse+0x3e/0x50 lib/nlattr.c:697<br /> __nlmsg_parse include/net/netlink.h:748 [inline]<br /> genl_family_rcv_msg_attrs_parse.constprop.0+0x1b0/0x290 net/netlink/genetlink.c:565<br /> genl_family_rcv_msg_doit+0xda/0x330 net/netlink/genetlink.c:734<br /> genl_family_rcv_msg net/netlink/genetlink.c:833 [inline]<br /> genl_rcv_msg+0x441/0x780 net/netlink/genetlink.c:850<br /> netlink_rcv_skb+0x14f/0x410 net/netlink/af_netlink.c:2540<br /> genl_rcv+0x24/0x40 net/netlink/genetlink.c:861<br /> netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]<br /> netlink_unicast+0x54e/0x800 net/netlink/af_netlink.c:1345<br /> netlink_sendmsg+0x930/0xe50 net/netlink/af_netlink.c:1921<br /> sock_sendmsg_nosec net/socket.c:714 [inline]<br /> sock_sendmsg+0x154/0x190 net/socket.c:734<br /> ____sys_sendmsg+0x6df/0x840 net/socket.c:2482<br /> ___sys_sendmsg+0x110/0x1b0 net/socket.c:2536<br /> __sys_sendmsg+0xf3/0x1c0 net/socket.c:2565<br /> do_syscall_x64 arch/x86/entry/common.c:50 [inline]<br /> do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80<br /> entry_SYSCALL_64_after_hwframe+0x63/0xcd<br /> RIP: 0033:0x7fdd66a8f359<br /> Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48<br /> RSP: 002b:00007fdd65e00168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e<br /> RAX: ffffffffffffffda RBX: 00007fdd66bbcf80 RCX: 00007fdd66a8f359<br /> RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000003<br /> RBP: 00007fdd66ada493 R08: 0000000000000000 R09: 0000000000000000<br /> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000<br /> R13: 00007ffc84b81aff R14: 00007fdd65e00300 R15: 0000000000022000<br /> <br /> <br /> The buggy address belongs to the variable:<br /> ksmbd_nl_policy+0x100/0xa80<br /> <br /> The buggy address belongs to the physical page:<br /> page:0000000034f47940 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1ccc4b<br /> flags: 0x200000000001000(reserved|node=0|zone=2)<br /> raw: 0200000000001000 ffffea00073312c8 ffffea00073312c8 0000000000000000<br /> raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000<br /> page dumped because: kasan: bad access detected<br /> <br /> Memory state around the buggy address:<br /> ffffffff8f24b000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00<br /> ffffffff8f24b080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00<br /> &gt;ffffffff8f24b100: f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9 00 00 07 f9<br /> ^<br /> ffffffff8f24b180: f9 f9 f9 f9 00 05 f9 f9 f9 f9 f9 f9 00 00 00 05<br /> ffffffff8f24b200: f9 f9 f9 f9 00 00 03 f9 f9 f9 f9 f9 00 00 04 f9<br /> ==================================================================<br /> <br /> To fix it, add a placeholder named __KSMBD_EVENT_MAX and let<br /> KSMBD_EVENT_MAX to be its original value - 1 according to what other<br /> netlink families do. Also change two sites that refer the<br /> KSMBD_EVENT_MAX to correct value.

The User Registration WordPress plugin before 2.12 does not prevent users with at least the contributor role from rendering sensitive shortcodes, allowing them to generate, and leak, valid password reset URLs, which they can use to take over any accounts.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> PM: sleep: Fix possible deadlocks in core system-wide PM code<br /> <br /> It is reported that in low-memory situations the system-wide resume core<br /> code deadlocks, because async_schedule_dev() executes its argument<br /> function synchronously if it cannot allocate memory (and not only in<br /> that case) and that function attempts to acquire a mutex that is already<br /> held. Executing the argument function synchronously from within<br /> dpm_async_fn() may also be problematic for ordering reasons (it may<br /> cause a consumer device&amp;#39;s resume callback to be invoked before a<br /> requisite supplier device&amp;#39;s one, for example).<br /> <br /> Address this by changing the code in question to use<br /> async_schedule_dev_nocall() for scheduling the asynchronous<br /> execution of device suspend and resume functions and to directly<br /> run them synchronously if async_schedule_dev_nocall() returns false.

The Paid Memberships Pro WordPress plugin before 2.12.9 does not prevent user with at least the contributor role from leaking other users&amp;#39; sensitive metadata.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> soc: qcom: pmic_glink_altmode: fix port sanity check<br /> <br /> The PMIC GLINK altmode driver currently supports at most two ports.<br /> <br /> Fix the incomplete port sanity check on notifications to avoid<br /> accessing and corrupting memory beyond the port array if we ever get a<br /> notification for an unsupported port.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bus: mhi: host: Add alignment check for event ring read pointer<br /> <br /> Though we do check the event ring read pointer by "is_valid_ring_ptr"<br /> to make sure it is in the buffer range, but there is another risk the<br /> pointer may be not aligned. Since we are expecting event ring elements<br /> are 128 bits(struct mhi_ring_element) aligned, an unaligned read pointer<br /> could lead to multiple issues like DoS or ring buffer memory corruption.<br /> <br /> So add a alignment check for event ring read pointer.

The Enhanced Text Widget WordPress plugin before 1.6.6 does not validate and escape some of its Widget options before outputting them back in attributes, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

The Starbox WordPress plugin before 3.5.0 does not sanitise and escape some parameters, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks

The 404 Solution WordPress plugin before 2.35.8 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admins.

The Ultimate Posts Widget WordPress plugin before 2.3.1 does not validate and escape some of its Widget options before outputting them back in attributes, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

The Login as User or Customer WordPress plugin through 3.8 does not prevent users to log in as any other user on the site.