Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), by virtue of a partnership agreement under which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to the relevant information sources, as well as to the patches or solutions made available by manufacturers and developers. Advanced searches are possible: different criteria can be selected to narrow down the results, such as vulnerability type, manufacturer and impact level.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2024-6579

Publication date:
16/07/2024
The Web and WooCommerce Addons for WPBakery Builder plugin for WordPress is vulnerable to unauthorized plugin settings modification due to a missing capability check on several plugin functions in all versions up to, and including, 1.4.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change some of the plugin settings.
Severity CVSS v4.0: Pending analysis
Last modification:
16/07/2024

CVE-2023-52886

Publication date:
16/07/2024
In the Linux kernel, the following vulnerability has been resolved:

USB: core: Fix race by not overwriting udev->descriptor in hub_port_init()

Syzbot reported an out-of-bounds read in sysfs.c:read_descriptors():

BUG: KASAN: slab-out-of-bounds in read_descriptors+0x263/0x280 drivers/usb/core/sysfs.c:883
Read of size 8 at addr ffff88801e78b8c8 by task udevd/5011

CPU: 0 PID: 5011 Comm: udevd Not tainted 6.4.0-rc6-syzkaller-00195-g40f71e7cd3c6 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
Call Trace:

__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106
print_address_description.constprop.0+0x2c/0x3c0 mm/kasan/report.c:351
print_report mm/kasan/report.c:462 [inline]
kasan_report+0x11c/0x130 mm/kasan/report.c:572
read_descriptors+0x263/0x280 drivers/usb/core/sysfs.c:883
...
Allocated by task 758:
...
__do_kmalloc_node mm/slab_common.c:966 [inline]
__kmalloc+0x5e/0x190 mm/slab_common.c:979
kmalloc include/linux/slab.h:563 [inline]
kzalloc include/linux/slab.h:680 [inline]
usb_get_configuration+0x1f7/0x5170 drivers/usb/core/config.c:887
usb_enumerate_device drivers/usb/core/hub.c:2407 [inline]
usb_new_device+0x12b0/0x19d0 drivers/usb/core/hub.c:2545

As analyzed by Khazhy Kumykov, the cause of this bug is a race between read_descriptors() and hub_port_init(): The first routine uses a field in udev->descriptor, not expecting it to change, while the second overwrites it.

Prior to commit 45bf39f8df7f ("USB: core: Don't hold device lock while reading the "descriptors" sysfs file") this race couldn't occur, because the routines were mutually exclusive thanks to the device locking. Removing that locking from read_descriptors() exposed it to the race.

The best way to fix the bug is to keep hub_port_init() from changing udev->descriptor once udev has been initialized and registered. Drivers expect the descriptors stored in the kernel to be immutable; we should not undermine this expectation. In fact, this change should have been made long ago.

So now hub_port_init() will take an additional argument, specifying a buffer in which to store the device descriptor it reads. (If udev has not yet been initialized, the buffer pointer will be NULL and then hub_port_init() will store the device descriptor in udev as before.) This eliminates the data race responsible for the out-of-bounds read.

The changes to hub_port_init() appear more extensive than they really are, because of indentation changes resulting from an attempt to avoid writing to other parts of the usb_device structure after it has been initialized. Similar changes should be made to the code that reads the BOS descriptor, but that can be handled in a separate patch later on. This patch is sufficient to fix the bug found by syzbot.
Severity CVSS v4.0: Pending analysis
Last modification:
21/08/2024

CVE-2024-5852

Publication date:
16/07/2024
The WordPress File Upload plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 4.24.7 via the 'uploadpath' parameter of the wordpress_file_upload shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload limited files to arbitrary locations on the web server.
Severity CVSS v4.0: Pending analysis
Last modification:
07/08/2024

CVE-2024-6565

Publication date:
16/07/2024
The AForms — Form Builder for Price Calculator & Cost Estimation plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 2.2.6. This is due to the plugin utilizing the aura library and allowing direct access to the phpunit test files. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.
Severity CVSS v4.0: Pending analysis
Last modification:
16/07/2024

CVE-2024-6570

Publication date:
16/07/2024
The Glossary plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 2.2.26. This is due to the plugin utilizing wpdesk and not preventing direct access to the test files, along with display_errors being enabled. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.
Severity CVSS v4.0: Pending analysis
Last modification:
16/07/2024

CVE-2024-1937

Publication date:
16/07/2024
The Brizy – Page Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'update_item' function in all versions up to, and including, 2.4.44. This makes it possible for authenticated attackers, with contributor access and above, to modify the content of arbitrary published posts, which includes the ability to insert malicious JavaScript.
Severity CVSS v4.0: Pending analysis
Last modification:
16/01/2025

CVE-2024-2691

Publication date:
16/07/2024
The WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'events' shortcode in all versions up to, and including, 3.1.43 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
07/08/2024

CVE-2024-3587

Publication date:
16/07/2024
The Premium Portfolio Features for Phlox theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Grid Portfolios Widget in all versions up to, and including, 2.3.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
19/08/2024

CVE-2024-3779

Publication date:
16/07/2024
Denial of service vulnerability present shortly after product installation or upgrade, potentially allowed an attacker to render ESET’s security product inoperable, provided non-default preconditions were met.
Severity CVSS v4.0: Pending analysis
Last modification:
21/08/2024

CVE-2023-52290

Publication date:
16/07/2024
In the streampark-console list pages (e.g. application pages), users can sort the page by field. This sort field is sent from the front-end to the back-end, and the SQL query is generated using this field. However, because this sort field isn't validated, there is a risk of SQL injection. The attacker must successfully log into the system to launch an attack, which may cause data leakage. Since no data will be written, this is a low-impact vulnerability.

Mitigation:

All users should upgrade to 2.1.4; such parameters will be blocked.
Severity CVSS v4.0: Pending analysis
Last modification:
10/07/2025

CVE-2024-41008

Publication date:
16/07/2024
In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: change vm->task_info handling

This patch changes the handling and lifecycle of vm->task_info object. The major changes are:
- vm->task_info is a dynamically allocated ptr now, and its usage is reference counted.
- introducing two new helper funcs for task_info lifecycle management
  - amdgpu_vm_get_task_info: reference counts up task_info before returning this info
  - amdgpu_vm_put_task_info: reference counts down task_info
- last put to task_info() frees task_info from the vm.

This patch also does logistical changes required for existing usage of vm->task_info.

V2: Do not block all the prints when task_info not found (Felix)

V3: Fixed review comments from Felix
- Fix wrong indentation
- No debug message for -ENOMEM
- Add NULL check for task_info
- Do not duplicate the debug messages (ti vs no ti)
- Get first reference of task_info in vm_init(), put last in vm_fini()

V4: Fixed review comments from Felix
- fix double reference increment in create_task_info
- change amdgpu_vm_get_task_info_pasid
- additional changes in amdgpu_gem.c while porting
Severity CVSS v4.0: Pending analysis
Last modification:
07/10/2025

CVE-2024-6559

Publication date:
16/07/2024
The Backup, Restore and Migrate WordPress Sites With the XCloner Plugin plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 4.7.3. This is due to the plugin utilizing sabre without preventing direct access to the files. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.
Severity CVSS v4.0: Pending analysis
Last modification:
16/07/2024