Vulnerabilities

The Favicon Generator (CLOSED) WordPress plugin before 2.1 does not validate files to be uploaded and does not have CSRF checks, which could allow attackers to make logged in admin upload arbitrary files such as PHP on the server

The Favicon Generator (CLOSED) WordPress plugin before 2.1 does not have CSRF and path validation in the output_sub_admin_page_0() function, allowing attackers to make logged in admins delete arbitrary files on the server

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> firmware: qcom: scm: Mark get_wq_ctx() as atomic call<br /> <br /> Currently get_wq_ctx() is wrongly configured as a standard call. When two<br /> SMC calls are in sleep and one SMC wakes up, it calls get_wq_ctx() to<br /> resume the corresponding sleeping thread. But if get_wq_ctx() is<br /> interrupted, goes to sleep and another SMC call is waiting to be allocated<br /> a waitq context, it leads to a deadlock.<br /> <br /> To avoid this get_wq_ctx() must be an atomic call and can&amp;#39;t be a standard<br /> SMC call. Hence mark get_wq_ctx() as a fast call.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> soc: qcom: pmic_glink: Fix race during initialization<br /> <br /> As pointed out by Stephen Boyd it is possible that during initialization<br /> of the pmic_glink child drivers, the protection-domain notifiers fires,<br /> and the associated work is scheduled, before the client registration<br /> returns and as a result the local "client" pointer has been initialized.<br /> <br /> The outcome of this is a NULL pointer dereference as the "client"<br /> pointer is blindly dereferenced.<br /> <br /> Timeline provided by Stephen:<br /> CPU0 CPU1<br /> ---- ----<br /> ucsi-&gt;client = NULL;<br /> devm_pmic_glink_register_client()<br /> client-&gt;pdr_notify(client-&gt;priv, pg-&gt;client_state)<br /> pmic_glink_ucsi_pdr_notify()<br /> schedule_work(&amp;ucsi-&gt;register_work)<br /> <br /> pmic_glink_ucsi_register()<br /> ucsi_register()<br /> pmic_glink_ucsi_read_version()<br /> pmic_glink_ucsi_read()<br /> pmic_glink_ucsi_read()<br /> pmic_glink_send(ucsi-&gt;client)<br /> <br /> ucsi-&gt;client = client // Too late!<br /> <br /> This code is identical across the altmode, battery manager and usci<br /> child drivers.<br /> <br /> Resolve this by splitting the allocation of the "client" object and the<br /> registration thereof into two operations.<br /> <br /> This only happens if the protection domain registry is populated at the<br /> time of registration, which by the introduction of commit &amp;#39;1ebcde047c54<br /> ("soc: qcom: add pd-mapper implementation")&amp;#39; became much more likely.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nfsd: fix potential UAF in nfsd4_cb_getattr_release<br /> <br /> Once we drop the delegation reference, the fields embedded in it are no<br /> longer safe to access. Do that last.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nfsd: ensure that nfsd4_fattr_args.context is zeroed out<br /> <br /> If nfsd4_encode_fattr4 ends up doing a "goto out" before we get to<br /> checking for the security label, then args.context will be set to<br /> uninitialized junk on the stack, which we&amp;#39;ll then try to free.<br /> Initialize it early.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> video/aperture: optionally match the device in sysfb_disable()<br /> <br /> In aperture_remove_conflicting_pci_devices(), we currently only<br /> call sysfb_disable() on vga class devices. This leads to the<br /> following problem when the pimary device is not VGA compatible:<br /> <br /> 1. A PCI device with a non-VGA class is the boot display<br /> 2. That device is probed first and it is not a VGA device so<br /> sysfb_disable() is not called, but the device resources<br /> are freed by aperture_detach_platform_device()<br /> 3. Non-primary GPU has a VGA class and it ends up calling sysfb_disable()<br /> 4. NULL pointer dereference via sysfb_disable() since the resources<br /> have already been freed by aperture_detach_platform_device() when<br /> it was called by the other device.<br /> <br /> Fix this by passing a device pointer to sysfb_disable() and checking<br /> the device to determine if we should execute it or not.<br /> <br /> v2: Fix build when CONFIG_SCREEN_INFO is not set<br /> v3: Move device check into the mutex<br /> Drop primary variable in aperture_remove_conflicting_pci_devices()<br /> Drop __init on pci sysfb_pci_dev_is_enabled()

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/v3d: Disable preemption while updating GPU stats<br /> <br /> We forgot to disable preemption around the write_seqcount_begin/end() pair<br /> while updating GPU stats:<br /> <br /> [ ] WARNING: CPU: 2 PID: 12 at include/linux/seqlock.h:221 __seqprop_assert.isra.0+0x128/0x150 [v3d]<br /> [ ] Workqueue: v3d_bin drm_sched_run_job_work [gpu_sched]<br /> <br /> [ ] Call trace:<br /> [ ] __seqprop_assert.isra.0+0x128/0x150 [v3d]<br /> [ ] v3d_job_start_stats.isra.0+0x90/0x218 [v3d]<br /> [ ] v3d_bin_job_run+0x23c/0x388 [v3d]<br /> [ ] drm_sched_run_job_work+0x520/0x6d0 [gpu_sched]<br /> [ ] process_one_work+0x62c/0xb48<br /> [ ] worker_thread+0x468/0x5b0<br /> [ ] kthread+0x1c4/0x1e0<br /> [ ] ret_from_fork+0x10/0x20<br /> <br /> Fix it.

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

The Avada | Website Builder For WordPress &amp; eCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin&amp;#39;s fusion_button shortcode in all versions up to, and including, 3.11.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability was partially fixed in 3.11.9. Additional hardening for alternate attack vectors was added to version 3.11.10.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amd/display: avoid using null object of framebuffer<br /> <br /> Instead of using state-&gt;fb-&gt;obj[0] directly, get object from framebuffer<br /> by calling drm_gem_fb_get_obj() and return error code when object is<br /> null to avoid using null object of framebuffer.<br /> <br /> (cherry picked from commit 73dd0ad9e5dad53766ea3e631303430116f834b3)

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> selinux,smack: don&amp;#39;t bypass permissions check in inode_setsecctx hook<br /> <br /> Marek Gresko reports that the root user on an NFS client is able to<br /> change the security labels on files on an NFS filesystem that is<br /> exported with root squashing enabled.<br /> <br /> The end of the kerneldoc comment for __vfs_setxattr_noperm() states:<br /> <br /> * This function requires the caller to lock the inode&amp;#39;s i_mutex before it<br /> * is executed. It also assumes that the caller will make the appropriate<br /> * permission checks.<br /> <br /> nfsd_setattr() does do permissions checking via fh_verify() and<br /> nfsd_permission(), but those don&amp;#39;t do all the same permissions checks<br /> that are done by security_inode_setxattr() and its related LSM hooks do.<br /> <br /> Since nfsd_setattr() is the only consumer of security_inode_setsecctx(),<br /> simplest solution appears to be to replace the call to<br /> __vfs_setxattr_noperm() with a call to __vfs_setxattr_locked(). This<br /> fixes the above issue and has the added benefit of causing nfsd to<br /> recall conflicting delegations on a file when a client tries to change<br /> its security label.