Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ch_ktls: Fix kernel panic<br /> <br /> Taking page refcount is not ideal and causes kernel panic<br /> sometimes. It&amp;#39;s better to take tx_ctx lock for the complete<br /> skb transmit, to avoid page cleanup if ACK received in middle.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: Make tcp_allowed_congestion_control readonly in non-init netns<br /> <br /> Currently, tcp_allowed_congestion_control is global and writable;<br /> writing to it in any net namespace will leak into all other net<br /> namespaces.<br /> <br /> tcp_available_congestion_control and tcp_allowed_congestion_control are<br /> the only sysctls in ipv4_net_table (the per-netns sysctl table) with a<br /> NULL data pointer; their handlers (proc_tcp_available_congestion_control<br /> and proc_allowed_congestion_control) have no other way of referencing a<br /> struct net. Thus, they operate globally.<br /> <br /> Because ipv4_net_table does not use designated initializers, there is no<br /> easy way to fix up this one "bad" table entry. However, the data pointer<br /> updating logic shouldn&amp;#39;t be applied to NULL pointers anyway, so we<br /> instead force these entries to be read-only.<br /> <br /> These sysctls used to exist in ipv4_table (init-net only), but they were<br /> moved to the per-net ipv4_net_table, presumably without realizing that<br /> tcp_allowed_congestion_control was writable and thus introduced a leak.<br /> <br /> Because the intent of that commit was only to know (i.e. read) "which<br /> congestion algorithms are available or allowed", this read-only solution<br /> should be sufficient.<br /> <br /> The logic added in recent commit<br /> 31c4d2f160eb: ("net: Ensure net namespace isolation of sysctls")<br /> does not and cannot check for NULL data pointers, because<br /> other table entries (e.g. /proc/sys/net/netfilter/nf_log/) have<br /> .data=NULL but use other methods (.extra2) to access the struct net.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: nftables: clone set element expression template<br /> <br /> memcpy() breaks when using connlimit in set elements. Use<br /> nft_expr_clone() to initialize the connlimit expression list, otherwise<br /> connlimit garbage collector crashes when walking on the list head copy.<br /> <br /> [ 493.064656] Workqueue: events_power_efficient nft_rhash_gc [nf_tables]<br /> [ 493.064685] RIP: 0010:find_or_evict+0x5a/0x90 [nf_conncount]<br /> [ 493.064694] Code: 2b 43 40 83 f8 01 77 0d 48 c7 c0 f5 ff ff ff 44 39 63 3c 75 df 83 6d 18 01 48 8b 43 08 48 89 de 48 8b 13 48 8b 3d ee 2f 00 00 89 42 08 48 89 10 48 b8 00 01 00 00 00 00 ad de 48 89 03 48 83<br /> [ 493.064699] RSP: 0018:ffffc90000417dc0 EFLAGS: 00010297<br /> [ 493.064704] RAX: 0000000000000000 RBX: ffff888134f38410 RCX: 0000000000000000<br /> [ 493.064708] RDX: 0000000000000000 RSI: ffff888134f38410 RDI: ffff888100060cc0<br /> [ 493.064711] RBP: ffff88812ce594a8 R08: ffff888134f38438 R09: 00000000ebb9025c<br /> [ 493.064714] R10: ffffffff8219f838 R11: 0000000000000017 R12: 0000000000000001<br /> [ 493.064718] R13: ffffffff82146740 R14: ffff888134f38410 R15: 0000000000000000<br /> [ 493.064721] FS: 0000000000000000(0000) GS:ffff88840e440000(0000) knlGS:0000000000000000<br /> [ 493.064725] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [ 493.064729] CR2: 0000000000000008 CR3: 00000001330aa002 CR4: 00000000001706e0<br /> [ 493.064733] Call Trace:<br /> [ 493.064737] nf_conncount_gc_list+0x8f/0x150 [nf_conncount]<br /> [ 493.064746] nft_rhash_gc+0x106/0x390 [nf_tables]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ixgbe: fix unbalanced device enable/disable in suspend/resume<br /> <br /> pci_disable_device() called in __ixgbe_shutdown() decreases<br /> dev-&gt;enable_cnt by 1. pci_enable_device_mem() which increases<br /> dev-&gt;enable_cnt by 1, was removed from ixgbe_resume() in commit<br /> 6f82b2558735 ("ixgbe: use generic power management"). This caused<br /> unbalanced increase/decrease. So add pci_enable_device_mem() back.<br /> <br /> Fix the following call trace.<br /> <br /> ixgbe 0000:17:00.1: disabling already-disabled device<br /> Call Trace:<br /> __ixgbe_shutdown+0x10a/0x1e0 [ixgbe]<br /> ixgbe_suspend+0x32/0x70 [ixgbe]<br /> pci_pm_suspend+0x87/0x160<br /> ? pci_pm_freeze+0xd0/0xd0<br /> dpm_run_callback+0x42/0x170<br /> __device_suspend+0x114/0x460<br /> async_suspend+0x1f/0xa0<br /> async_run_entry_fn+0x3c/0xf0<br /> process_one_work+0x1dd/0x410<br /> worker_thread+0x34/0x3f0<br /> ? cancel_delayed_work+0x90/0x90<br /> kthread+0x14c/0x170<br /> ? kthread_park+0x90/0x90<br /> ret_from_fork+0x1f/0x30

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf: Use correct permission flag for mixed signed bounds arithmetic<br /> <br /> We forbid adding unknown scalars with mixed signed bounds due to the<br /> spectre v1 masking mitigation. Hence this also needs bypass_spec_v1<br /> flag instead of allow_ptr_leaks.

The NotificationX – Best FOMO, Social Proof, WooCommerce Sales Popup &amp; Notification Bar Plugin With Elementor plugin for WordPress is vulnerable to SQL Injection via the &amp;#39;type&amp;#39; parameter in all versions up to, and including, 2.8.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

The Thank You Page Customizer for WooCommerce – Increase Your Sales plugin for WordPress is vulnerable to missing authorization e in all versions up to, and including, 1.1.2 via the apply_layout function due to a missing capability check. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve arbitrary order data which may contain PII.

The Thank You Page Customizer for WooCommerce – Increase Your Sales plugin for WordPress is vulnerable to unauthorized execution of shortcodes due to a missing capability check on the get_text_editor_content() function in all versions up to, and including, 1.1.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to execute arbitrary shortcodes.

Should an instance of AnythingLLM be hosted on an internal network and the attacked be explicitly granted a permission level of manager or admin, they could link-scrape internally resolving IPs of other services that are on the same network as AnythingLLM.<br /> <br /> This would require the attacker also be able to guess these internal IPs as `/*` ranging is not possible, but could be brute forced.<br /> <br /> There is a duty of care that other services on the same network would not be fully open and accessible via a simple CuRL with zero authentication as it is not possible to set headers or access via the link collector.

The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin&amp;#39;s Post Type Grid Widget Title in all versions up to, and including, 2.10.30 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Insufficient Resource Pool vulnerability in Ethernet function of Mitsubishi Electric Corporation MELSEC iQ-R series CPU module, MELSEC iQ-L series CPU module, MELSEC iQ-R Ethernet Interface Module, MELSEC iQ-R CC-Link IE TSN Master/Local Module, CC-Link IE TSN Remote I/O Module, CC-Link IE TSN Analog-Digital Converter Module, CC-Link IE TSN Digital-Analog Converter Module, CC-Link IE TSN - CC-Link IE Field Network Bridge Module, CC-Link IE TSN - AnyWireASLINK Bridge Module, CC-Link IE TSN FPGA Module, CC-Link IE TSN Remote Station Communication LSI CP620 with GbE-PHY, MELSEC iQ-R Motion Module, MELSEC iQ-L Motion Module, MELSEC iQ-F FX5 Motion Module, MELSEC iQ-F Series CPU module, MELSEC iQ-F Series Ethernet module, MELSEC iQ-F Series Ethernet/IP module, MELSEC iQ-F Series OPC UA Module, MELSEC iQ-F Series CC-Link IE TSN master/local module, GOT2000 Series CC-Link IE TSN Communication Unit, FR-A800-E series inverters, FR-F800-E series inverters, FR-E800-E series inverters, INVERTER CC-Link IE TSN Plug-in option, INVERTER CC-Link IE TSN Safety Plug-in option, INVERTER CC-Link IE TSN communication function built-in type, MR-J5 series AC Servos MELSERVO, MR-JET series AC Servos MELSERVO, MR-MD333G series AC Servos MELSERVO, MR-JE series AC Servos MELSERVO, MELSERVO-J4 AC Servos MELSERVO and Embedded Type Servo System Controller allow a remote attacker to cause a temporary Denial of Service condition for a certain period of time in Ethernet communication of the products by performing TCP SYN Flood attack.