Vulnerabilities

A security vulnerability has been detected in Ritlabs TinyWeb Server 1.94. This vulnerability affects unknown code of the component Request Handler. The manipulation with the input %0D%0A leads to crlf injection. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 1.99 is able to resolve this issue. The identifier of the patch is d49c3da6a97e950975b18626878f3ee1f082358e. It is suggested to upgrade the affected component. The vendor was contacted early about this disclosure but did not respond in any way.

The Piotnet Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 2.4.28 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

The Memberpress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘arglist’ parameter in all versions up to, and including, 1.11.29 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

The Memberpress plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 1.11.29 via the 'mepr-user-file' shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' parameters in versions up to, and including, 2.7.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'siteorigin_widget' shortcode in all versions up to, and including, 1.60.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

The WPB Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter in all versions up to, and including, 1.0.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mm, thp: bail out early in collapse_file for writeback page<br /> <br /> Currently collapse_file does not explicitly check PG_writeback, instead,<br /> page_has_private and try_to_release_page are used to filter writeback<br /> pages. This does not work for xfs with blocksize equal to or larger<br /> than pagesize, because in such case xfs has no page-&gt;private.<br /> <br /> This makes collapse_file bail out early for writeback page. Otherwise,<br /> xfs end_page_writeback will panic as follows.<br /> <br /> page:fffffe00201bcc80 refcount:0 mapcount:0 mapping:ffff0003f88c86a8 index:0x0 pfn:0x84ef32<br /> aops:xfs_address_space_operations [xfs] ino:30000b7 dentry name:"libtest.so"<br /> flags: 0x57fffe0000008027(locked|referenced|uptodate|active|writeback)<br /> raw: 57fffe0000008027 ffff80001b48bc28 ffff80001b48bc28 ffff0003f88c86a8<br /> raw: 0000000000000000 0000000000000000 00000000ffffffff ffff0000c3e9a000<br /> page dumped because: VM_BUG_ON_PAGE(((unsigned int) page_ref_count(page) + 127u mem_cgroup:ffff0000c3e9a000<br /> ------------[ cut here ]------------<br /> kernel BUG at include/linux/mm.h:1212!<br /> Internal error: Oops - BUG: 0 [#1] SMP<br /> Modules linked in:<br /> BUG: Bad page state in process khugepaged pfn:84ef32<br /> xfs(E)<br /> page:fffffe00201bcc80 refcount:0 mapcount:0 mapping:0 index:0x0 pfn:0x84ef32<br /> libcrc32c(E) rfkill(E) aes_ce_blk(E) crypto_simd(E) ...<br /> CPU: 25 PID: 0 Comm: swapper/25 Kdump: loaded Tainted: ...<br /> pstate: 60400005 (nZCv daif +PAN -UAO -TCO BTYPE=--)<br /> Call trace:<br /> end_page_writeback+0x1c0/0x214<br /> iomap_finish_page_writeback+0x13c/0x204<br /> iomap_finish_ioend+0xe8/0x19c<br /> iomap_writepage_end_bio+0x38/0x50<br /> bio_endio+0x168/0x1ec<br /> blk_update_request+0x278/0x3f0<br /> blk_mq_end_request+0x34/0x15c<br /> virtblk_request_done+0x38/0x74 [virtio_blk]<br /> blk_done_softirq+0xc4/0x110<br /> __do_softirq+0x128/0x38c<br /> __irq_exit_rcu+0x118/0x150<br /> irq_exit+0x1c/0x30<br /> __handle_domain_irq+0x8c/0xf0<br /> gic_handle_irq+0x84/0x108<br /> el1_irq+0xcc/0x180<br /> arch_cpu_idle+0x18/0x40<br /> default_idle_call+0x4c/0x1a0<br /> cpuidle_idle_call+0x168/0x1e0<br /> do_idle+0xb4/0x104<br /> cpu_startup_entry+0x30/0x9c<br /> secondary_start_kernel+0x104/0x180<br /> Code: d4210000 b0006161 910c8021 94013f4d (d4210000)<br /> ---[ end trace 4a88c6a074082f8c ]---<br /> Kernel panic - not syncing: Oops - BUG: Fatal exception in interrupt

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ocfs2: fix race between searching chunks and release journal_head from buffer_head<br /> <br /> Encountered a race between ocfs2_test_bg_bit_allocatable() and<br /> jbd2_journal_put_journal_head() resulting in the below vmcore.<br /> <br /> PID: 106879 TASK: ffff880244ba9c00 CPU: 2 COMMAND: "loop3"<br /> Call trace:<br /> panic<br /> oops_end<br /> no_context<br /> __bad_area_nosemaphore<br /> bad_area_nosemaphore<br /> __do_page_fault<br /> do_page_fault<br /> page_fault<br /> [exception RIP: ocfs2_block_group_find_clear_bits+316]<br /> ocfs2_block_group_find_clear_bits [ocfs2]<br /> ocfs2_cluster_group_search [ocfs2]<br /> ocfs2_search_chain [ocfs2]<br /> ocfs2_claim_suballoc_bits [ocfs2]<br /> __ocfs2_claim_clusters [ocfs2]<br /> ocfs2_claim_clusters [ocfs2]<br /> ocfs2_local_alloc_slide_window [ocfs2]<br /> ocfs2_reserve_local_alloc_bits [ocfs2]<br /> ocfs2_reserve_clusters_with_limit [ocfs2]<br /> ocfs2_reserve_clusters [ocfs2]<br /> ocfs2_lock_refcount_allocators [ocfs2]<br /> ocfs2_make_clusters_writable [ocfs2]<br /> ocfs2_replace_cow [ocfs2]<br /> ocfs2_refcount_cow [ocfs2]<br /> ocfs2_file_write_iter [ocfs2]<br /> lo_rw_aio<br /> loop_queue_work<br /> kthread_worker_fn<br /> kthread<br /> ret_from_fork<br /> <br /> When ocfs2_test_bg_bit_allocatable() called bh2jh(bg_bh), the<br /> bg_bh-&gt;b_private NULL as jbd2_journal_put_journal_head() raced and<br /> released the jounal head from the buffer head. Needed to take bit lock<br /> for the bit &amp;#39;BH_JournalHead&amp;#39; to fix this race.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> cfg80211: fix management registrations locking<br /> <br /> The management registrations locking was broken, the list was<br /> locked for each wdev, but cfg80211_mgmt_registrations_update()<br /> iterated it without holding all the correct spinlocks, causing<br /> list corruption.<br /> <br /> Rather than trying to fix it with fine-grained locking, just<br /> move the lock to the wiphy/rdev (still need the list on each<br /> wdev), we already need to hold the wdev lock to change it, so<br /> there&amp;#39;s no contention on the lock in any case. This trivially<br /> fixes the bug since we hold one wdev&amp;#39;s lock already, and now<br /> will hold the lock that protects all lists.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usbnet: sanity check for maxpacket<br /> <br /> maxpacket of 0 makes no sense and oopses as we need to divide<br /> by it. Give up.<br /> <br /> V2: fixed typo in log and stylistic issues