Vulnerabilities

Improper Neutralization of Input During Web Page Generation (&amp;#39;Cross-site Scripting&amp;#39;) vulnerability in Honeywell MPA2 Access Panel (Web server modules) allows XSS Using Invalid Characters.This issue affects MPA2 Access Panel all version prior to R1.00.08.05. <br /> <br /> Honeywell released firmware update package MPA2 firmware R1.00.08.05 which addresses this vulnerability. This version and all later versions<br /> correct the reported vulnerability.<br /> <br />

Missing Authorization vulnerability in Perfmatters.This issue affects Perfmatters: from n/a through 2.1.6.<br /> <br />

Improper Neutralization of Input During Web Page Generation (&amp;#39;Cross-site Scripting&amp;#39;) vulnerability in Melapress WP Activity Log allows Stored XSS.This issue affects WP Activity Log: from n/a through 4.6.1.<br /> <br />

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Input: powermate - fix use-after-free in powermate_config_complete<br /> <br /> syzbot has found a use-after-free bug [1] in the powermate driver. This<br /> happens when the device is disconnected, which leads to a memory free from<br /> the powermate_device struct. When an asynchronous control message<br /> completes after the kfree and its callback is invoked, the lock does not<br /> exist anymore and hence the bug.<br /> <br /> Use usb_kill_urb() on pm-&gt;config to cancel any in-progress requests upon<br /> device disconnection.<br /> <br /> [1] https://syzkaller.appspot.com/bug?extid=0434ac83f907a1dbdd1e

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: hub: Guard against accesses to uninitialized BOS descriptors<br /> <br /> Many functions in drivers/usb/core/hub.c and drivers/usb/core/hub.h<br /> access fields inside udev-&gt;bos without checking if it was allocated and<br /> initialized. If usb_get_bos_descriptor() fails for whatever<br /> reason, udev-&gt;bos will be NULL and those accesses will result in a<br /> crash:<br /> <br /> BUG: kernel NULL pointer dereference, address: 0000000000000018<br /> PGD 0 P4D 0<br /> Oops: 0000 [#1] PREEMPT SMP NOPTI<br /> CPU: 5 PID: 17818 Comm: kworker/5:1 Tainted: G W 5.15.108-18910-gab0e1cb584e1 #1 <br /> Hardware name: Google Kindred/Kindred, BIOS Google_Kindred.12672.413.0 02/03/2021<br /> Workqueue: usb_hub_wq hub_event<br /> RIP: 0010:hub_port_reset+0x193/0x788<br /> Code: 89 f7 e8 20 f7 15 00 48 8b 43 08 80 b8 96 03 00 00 03 75 36 0f b7 88 92 03 00 00 81 f9 10 03 00 00 72 27 48 8b 80 a8 03 00 00 83 78 18 00 74 19 48 89 df 48 8b 75 b0 ba 02 00 00 00 4c 89 e9<br /> RSP: 0018:ffffab740c53fcf8 EFLAGS: 00010246<br /> RAX: 0000000000000000 RBX: ffffa1bc5f678000 RCX: 0000000000000310<br /> RDX: fffffffffffffdff RSI: 0000000000000286 RDI: ffffa1be9655b840<br /> RBP: ffffab740c53fd70 R08: 00001b7d5edaa20c R09: ffffffffb005e060<br /> R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000<br /> R13: ffffab740c53fd3e R14: 0000000000000032 R15: 0000000000000000<br /> FS: 0000000000000000(0000) GS:ffffa1be96540000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 0000000000000018 CR3: 000000022e80c005 CR4: 00000000003706e0<br /> Call Trace:<br /> hub_event+0x73f/0x156e<br /> ? hub_activate+0x5b7/0x68f<br /> process_one_work+0x1a2/0x487<br /> worker_thread+0x11a/0x288<br /> kthread+0x13a/0x152<br /> ? process_one_work+0x487/0x487<br /> ? kthread_associate_blkcg+0x70/0x70<br /> ret_from_fork+0x1f/0x30<br /> <br /> Fall back to a default behavior if the BOS descriptor isn&amp;#39;t accessible<br /> and skip all the functionalities that depend on it: LPM support checks,<br /> Super Speed capabilitiy checks, U1/U2 states setup.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> HID: logitech-hidpp: Fix kernel crash on receiver USB disconnect<br /> <br /> hidpp_connect_event() has *four* time-of-check vs time-of-use (TOCTOU)<br /> races when it races with itself.<br /> <br /> hidpp_connect_event() primarily runs from a workqueue but it also runs<br /> on probe() and if a "device-connected" packet is received by the hw<br /> when the thread running hidpp_connect_event() from probe() is waiting on<br /> the hw, then a second thread running hidpp_connect_event() will be<br /> started from the workqueue.<br /> <br /> This opens the following races (note the below code is simplified):<br /> <br /> 1. Retrieving + printing the protocol (harmless race):<br /> <br /> if (!hidpp-&gt;protocol_major) {<br /> hidpp_root_get_protocol_version()<br /> hidpp-&gt;protocol_major = response.rap.params[0];<br /> }<br /> <br /> We can actually see this race hit in the dmesg in the abrt output<br /> attached to rhbz#2227968:<br /> <br /> [ 3064.624215] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.<br /> [ 3064.658184] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.<br /> <br /> Testing with extra logging added has shown that after this the 2 threads<br /> take turn grabbing the hw access mutex (send_mutex) so they ping-pong<br /> through all the other TOCTOU cases managing to hit all of them:<br /> <br /> 2. Updating the name to the HIDPP name (harmless race):<br /> <br /> if (hidpp-&gt;name == hdev-&gt;name) {<br /> ...<br /> hidpp-&gt;name = new_name;<br /> }<br /> <br /> 3. Initializing the power_supply class for the battery (problematic!):<br /> <br /> hidpp_initialize_battery()<br /> {<br /> if (hidpp-&gt;battery.ps)<br /> return 0;<br /> <br /> probe_battery(); /* Blocks, threads take turns executing this */<br /> <br /> hidpp-&gt;battery.desc.properties =<br /> devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL);<br /> <br /> hidpp-&gt;battery.ps =<br /> devm_power_supply_register(&amp;hidpp-&gt;hid_dev-&gt;dev,<br /> &amp;hidpp-&gt;battery.desc, cfg);<br /> }<br /> <br /> 4. Creating delayed input_device (potentially problematic):<br /> <br /> if (hidpp-&gt;delayed_input)<br /> return;<br /> <br /> hidpp-&gt;delayed_input = hidpp_allocate_input(hdev);<br /> <br /> The really big problem here is 3. Hitting the race leads to the following<br /> sequence:<br /> <br /> hidpp-&gt;battery.desc.properties =<br /> devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL);<br /> <br /> hidpp-&gt;battery.ps =<br /> devm_power_supply_register(&amp;hidpp-&gt;hid_dev-&gt;dev,<br /> &amp;hidpp-&gt;battery.desc, cfg);<br /> <br /> ...<br /> <br /> hidpp-&gt;battery.desc.properties =<br /> devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL);<br /> <br /> hidpp-&gt;battery.ps =<br /> devm_power_supply_register(&amp;hidpp-&gt;hid_dev-&gt;dev,<br /> &amp;hidpp-&gt;battery.desc, cfg);<br /> <br /> So now we have registered 2 power supplies for the same battery,<br /> which looks a bit weird from userspace&amp;#39;s pov but this is not even<br /> the really big problem.<br /> <br /> Notice how:<br /> <br /> 1. This is all devm-maganaged<br /> 2. The hidpp-&gt;battery.desc struct is shared between the 2 power supplies<br /> 3. hidpp-&gt;battery.desc.properties points to the result from the second<br /> devm_kmemdup()<br /> <br /> This causes a use after free scenario on USB disconnect of the receiver:<br /> 1. The last registered power supply class device gets unregistered<br /> 2. The memory from the last devm_kmemdup() call gets freed,<br /> hidpp-&gt;battery.desc.properties now points to freed memory<br /> 3. The first registered power supply class device gets unregistered,<br /> this involves sending a remove uevent to userspace which invokes<br /> power_supply_uevent() to fill the uevent data<br /> 4. power_supply_uevent() uses hidpp-&gt;battery.desc.properties which<br /> now points to freed memory leading to backtraces like this one:<br /> <br /> Sep 22 20:01:35 eric kernel: BUG: unable to handle page fault for address: ffffb2140e017f08<br /> ...<br /> Sep 22 20:01:35 eric kernel: Workqueue: usb_hub_wq hub_event<br /> Sep 22 20:01:35 eric kernel: RIP: 0010:power_supply_uevent+0xee/0x1d0<br /> ...<br /> Sep 22 20:01:35 eric kernel: ? asm_exc_page_fault+0x26/0x30<br /> Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0xee/0x1d0<br /> Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0x10d/0x1d0<br /> Sep 22 20:01:35 eric kernel: dev_uevent+0x10f/0x2d0<br /> Sep 22 20:01:35 eric kernel: kobject_uevent_env+0x291/0x680<br /> Sep 22 20:01:35 eric kernel: <br /> ---truncated---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ksmbd: fix uaf in smb20_oplock_break_ack<br /> <br /> drop reference after use opinfo.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> perf/x86/lbr: Filter vsyscall addresses<br /> <br /> We found that a panic can occur when a vsyscall is made while LBR sampling<br /> is active. If the vsyscall is interrupted (NMI) for perf sampling, this<br /> call sequence can occur (most recent at top):<br /> <br /> __insn_get_emulate_prefix()<br /> insn_get_emulate_prefix()<br /> insn_get_prefixes()<br /> insn_get_opcode()<br /> decode_branch_type()<br /> get_branch_type()<br /> intel_pmu_lbr_filter()<br /> intel_pmu_handle_irq()<br /> perf_event_nmi_handler()<br /> <br /> Within __insn_get_emulate_prefix() at frame 0, a macro is called:<br /> <br /> peek_nbyte_next(insn_byte_t, insn, i)<br /> <br /> Within this macro, this dereference occurs:<br /> <br /> (insn)-&gt;next_byte<br /> <br /> Inspecting registers at this point, the value of the next_byte field is the<br /> address of the vsyscall made, for example the location of the vsyscall<br /> version of gettimeofday() at 0xffffffffff600000. The access to an address<br /> in the vsyscall region will trigger an oops due to an unhandled page fault.<br /> <br /> To fix the bug, filtering for vsyscalls can be done when<br /> determining the branch type. This patch will return<br /> a "none" branch if a kernel address if found to lie in the<br /> vsyscall region.

Cross-Site Request Forgery (CSRF) vulnerability in Thrive Themes Thrive Automator.This issue affects Thrive Automator: from n/a through 1.17.<br /> <br />

Cross-Site Request Forgery (CSRF) vulnerability in СleanTalk - Anti-Spam Protection Spam protection, Anti-Spam, FireWall by CleanTalk.This issue affects Spam protection, Anti-Spam, FireWall by CleanTalk: from n/a through 6.20.<br /> <br />

The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin&amp;#39;s advanced_iframe shortcode in all versions up to, and including, 2024.1 due to the plugin allowing users to include JS files from external sources through the additional_js attribute. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Tainacan.Org Tainacan.This issue affects Tainacan: from n/a through 0.20.6.<br /> <br />