Vulnerabilities

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Tomas Cordero Safety Exit allows Stored XSS.This issue affects Safety Exit: from n/a through 1.7.0.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/vmwgfx: Fix invalid reads in fence signaled events<br /> <br /> Correctly set the length of the drm_event to the size of the structure<br /> that&amp;#39;s actually used.<br /> <br /> The length of the drm_event was set to the parent structure instead of<br /> to the drm_vmw_event_fence which is supposed to be read. drm_read<br /> uses the length parameter to copy the event to the user space thus<br /> resuling in oob reads.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> thermal/debugfs: Fix two locking issues with thermal zone debug<br /> <br /> With the current thermal zone locking arrangement in the debugfs code,<br /> user space can open the "mitigations" file for a thermal zone before<br /> the zone&amp;#39;s debugfs pointer is set which will result in a NULL pointer<br /> dereference in tze_seq_start().<br /> <br /> Moreover, thermal_debug_tz_remove() is not called under the thermal<br /> zone lock, so it can run in parallel with the other functions accessing<br /> the thermal zone&amp;#39;s struct thermal_debugfs object. Then, it may clear<br /> tz-&gt;debugfs after one of those functions has checked it and the<br /> struct thermal_debugfs object may be freed prematurely.<br /> <br /> To address the first problem, pass a pointer to the thermal zone&amp;#39;s<br /> struct thermal_debugfs object to debugfs_create_file() in<br /> thermal_debug_tz_add() and make tze_seq_start(), tze_seq_next(),<br /> tze_seq_stop(), and tze_seq_show() retrieve it from s-&gt;private<br /> instead of a pointer to the thermal zone object. This will ensure<br /> that tz_debugfs will be valid across the "mitigations" file accesses<br /> until thermal_debugfs_remove_id() called by thermal_debug_tz_remove()<br /> removes that file.<br /> <br /> To address the second problem, use tz-&gt;lock in thermal_debug_tz_remove()<br /> around the tz-&gt;debugfs value check (in case the same thermal zone is<br /> removed at the same time in two different threads) and its reset to NULL.<br /> <br /> Cc :6.8+ # 6.8+

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: ks8851: Queue RX packets in IRQ handler instead of disabling BHs<br /> <br /> Currently the driver uses local_bh_disable()/local_bh_enable() in its<br /> IRQ handler to avoid triggering net_rx_action() softirq on exit from<br /> netif_rx(). The net_rx_action() could trigger this driver .start_xmit<br /> callback, which is protected by the same lock as the IRQ handler, so<br /> calling the .start_xmit from netif_rx() from the IRQ handler critical<br /> section protected by the lock could lead to an attempt to claim the<br /> already claimed lock, and a hang.<br /> <br /> The local_bh_disable()/local_bh_enable() approach works only in case<br /> the IRQ handler is protected by a spinlock, but does not work if the<br /> IRQ handler is protected by mutex, i.e. this works for KS8851 with<br /> Parallel bus interface, but not for KS8851 with SPI bus interface.<br /> <br /> Remove the BH manipulation and instead of calling netif_rx() inside<br /> the IRQ handler code protected by the lock, queue all the received<br /> SKBs in the IRQ handler into a queue first, and once the IRQ handler<br /> exits the critical section protected by the lock, dequeue all the<br /> queued SKBs and push them all into netif_rx(). At this point, it is<br /> safe to trigger the net_rx_action() softirq, since the netif_rx()<br /> call is outside of the lock that protects the IRQ handler.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> tracefs: Reset permissions on remount if permissions are options<br /> <br /> There&amp;#39;s an inconsistency with the way permissions are handled in tracefs.<br /> Because the permissions are generated when accessed, they default to the<br /> root inode&amp;#39;s permission if they were never set by the user. If the user<br /> sets the permissions, then a flag is set and the permissions are saved via<br /> the inode (for tracefs files) or an internal attribute field (for<br /> eventfs).<br /> <br /> But if a remount happens that specify the permissions, all the files that<br /> were not changed by the user gets updated, but the ones that were are not.<br /> If the user were to remount the file system with a given permission, then<br /> all files and directories within that file system should be updated.<br /> <br /> This can cause security issues if a file&amp;#39;s permission was updated but the<br /> admin forgot about it. They could incorrectly think that remounting with<br /> permissions set would update all files, but miss some.<br /> <br /> For example:<br /> <br /> # cd /sys/kernel/tracing<br /> # chgrp 1002 current_tracer<br /> # ls -l<br /> [..]<br /> -rw-r----- 1 root root 0 May 1 21:25 buffer_size_kb<br /> -rw-r----- 1 root root 0 May 1 21:25 buffer_subbuf_size_kb<br /> -r--r----- 1 root root 0 May 1 21:25 buffer_total_size_kb<br /> -rw-r----- 1 root lkp 0 May 1 21:25 current_tracer<br /> -rw-r----- 1 root root 0 May 1 21:25 dynamic_events<br /> -r--r----- 1 root root 0 May 1 21:25 dyn_ftrace_total_info<br /> -r--r----- 1 root root 0 May 1 21:25 enabled_functions<br /> <br /> Where current_tracer now has group "lkp".<br /> <br /> # mount -o remount,gid=1001 .<br /> # ls -l<br /> -rw-r----- 1 root tracing 0 May 1 21:25 buffer_size_kb<br /> -rw-r----- 1 root tracing 0 May 1 21:25 buffer_subbuf_size_kb<br /> -r--r----- 1 root tracing 0 May 1 21:25 buffer_total_size_kb<br /> -rw-r----- 1 root lkp 0 May 1 21:25 current_tracer<br /> -rw-r----- 1 root tracing 0 May 1 21:25 dynamic_events<br /> -r--r----- 1 root tracing 0 May 1 21:25 dyn_ftrace_total_info<br /> -r--r----- 1 root tracing 0 May 1 21:25 enabled_functions<br /> <br /> Everything changed but the "current_tracer".<br /> <br /> Add a new link list that keeps track of all the tracefs_inodes which has<br /> the permission flags that tell if the file/dir should use the root inode&amp;#39;s<br /> permission or not. Then on remount, clear all the flags so that the<br /> default behavior of using the root inode&amp;#39;s permission is done for all<br /> files and directories.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fs/9p: only translate RWX permissions for plain 9P2000<br /> <br /> Garbage in plain 9P2000&amp;#39;s perm bits is allowed through, which causes it<br /> to be able to set (among others) the suid bit. This was presumably not<br /> the intent since the unix extended bits are handled explicitly and<br /> conditionally on .u.

A client-side enforcement of server-side security in Fortinet FortiPortal version 6.0.0 through 6.0.14 allows attacker to improper access control via crafted HTTP requests.

An exposure of sensitive information to an unauthorized actor vulnerability [CWE-200] in FortiWeb version 7.4.0, version 7.2.4 and below, version 7.0.8 and below, 6.3 all versions may allow an authenticated attacker to read password hashes of other administrators via CLI commands.

DigiWin EasyFlow .NET lacks validation for certain input parameters. An unauthenticated remote attacker can inject arbitrary SQL commands to read, modify, and delete database records.

Improper Neutralization of Input During Web Page Generation (XSS or &amp;#39;Cross-site Scripting&amp;#39;) vulnerability in GregRoss Just Writing Statistics allows Stored XSS.This issue affects Just Writing Statistics: from n/a through 4.5.

Improper Neutralization of Input During Web Page Generation (XSS or &amp;#39;Cross-site Scripting&amp;#39;) vulnerability in Bryan Hadaway Site Favicon allows Stored XSS.This issue affects Site Favicon: from n/a through 0.2.

Cross Site Scripting (XSS) vulnerability in Xabier Miranda WP Back Button allows Stored XSS.This issue affects WP Back Button: from n/a through 1.1.3.