Vulnerabilities

The School Management System – SakolaWP plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.8. This is due to missing or incorrect nonce validation on the 'save_exam_setting' and 'delete_exam_setting' actions. This makes it possible for unauthenticated attackers to update exam settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the slider template data in all versions up to, and including, 1.39.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

The OneStore Sites plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 0.1.1 via the class-export.php file. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

An incorrect authorization vulnerability exists in multiple WSO2 products, allowing protected APIs to be accessed directly using a refresh token instead of the expected access token. Due to improper authorization checks and token mapping, session cookies are not required for API access, potentially enabling unauthorized operations.<br /> <br /> Exploitation requires an attacker to obtain a valid refresh token of an admin user. Since refresh tokens generally have a longer expiration time, this could lead to prolonged unauthorized access to API resources, impacting data confidentiality and integrity.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nfsd: clear acl_access/acl_default after releasing them<br /> <br /> If getting acl_default fails, acl_access and acl_default will be released<br /> simultaneously. However, acl_access will still retain a pointer pointing<br /> to the released posix_acl, which will trigger a WARNING in<br /> nfs3svc_release_getacl like this:<br /> <br /> ------------[ cut here ]------------<br /> refcount_t: underflow; use-after-free.<br /> WARNING: CPU: 26 PID: 3199 at lib/refcount.c:28<br /> refcount_warn_saturate+0xb5/0x170<br /> Modules linked in:<br /> CPU: 26 UID: 0 PID: 3199 Comm: nfsd Not tainted<br /> 6.12.0-rc6-00079-g04ae226af01f-dirty #8<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS<br /> 1.16.1-2.fc37 04/01/2014<br /> RIP: 0010:refcount_warn_saturate+0xb5/0x170<br /> Code: cc cc 0f b6 1d b3 20 a5 03 80 fb 01 0f 87 65 48 d8 00 83 e3 01 75<br /> e4 48 c7 c7 c0 3b 9b 85 c6 05 97 20 a5 03 01 e8 fb 3e 30 ff 0b eb<br /> cd 0f b6 1d 8a3<br /> RSP: 0018:ffffc90008637cd8 EFLAGS: 00010282<br /> RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff83904fde<br /> RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff88871ed36380<br /> RBP: ffff888158beeb40 R08: 0000000000000001 R09: fffff520010c6f56<br /> R10: ffffc90008637ab7 R11: 0000000000000001 R12: 0000000000000001<br /> R13: ffff888140e77400 R14: ffff888140e77408 R15: ffffffff858b42c0<br /> FS: 0000000000000000(0000) GS:ffff88871ed00000(0000)<br /> knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 0000562384d32158 CR3: 000000055cc6a000 CR4: 00000000000006f0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> Call Trace:<br /> <br /> ? refcount_warn_saturate+0xb5/0x170<br /> ? __warn+0xa5/0x140<br /> ? refcount_warn_saturate+0xb5/0x170<br /> ? report_bug+0x1b1/0x1e0<br /> ? handle_bug+0x53/0xa0<br /> ? exc_invalid_op+0x17/0x40<br /> ? asm_exc_invalid_op+0x1a/0x20<br /> ? tick_nohz_tick_stopped+0x1e/0x40<br /> ? refcount_warn_saturate+0xb5/0x170<br /> ? refcount_warn_saturate+0xb5/0x170<br /> nfs3svc_release_getacl+0xc9/0xe0<br /> svc_process_common+0x5db/0xb60<br /> ? __pfx_svc_process_common+0x10/0x10<br /> ? __rcu_read_unlock+0x69/0xa0<br /> ? __pfx_nfsd_dispatch+0x10/0x10<br /> ? svc_xprt_received+0xa1/0x120<br /> ? xdr_init_decode+0x11d/0x190<br /> svc_process+0x2a7/0x330<br /> svc_handle_xprt+0x69d/0x940<br /> svc_recv+0x180/0x2d0<br /> nfsd+0x168/0x200<br /> ? __pfx_nfsd+0x10/0x10<br /> kthread+0x1a2/0x1e0<br /> ? kthread+0xf4/0x1e0<br /> ? __pfx_kthread+0x10/0x10<br /> ret_from_fork+0x34/0x60<br /> ? __pfx_kthread+0x10/0x10<br /> ret_from_fork_asm+0x1a/0x30<br /> <br /> Kernel panic - not syncing: kernel: panic_on_warn set ...<br /> <br /> Clear acl_access/acl_default after posix_acl_release is called to prevent<br /> UAF from being triggered.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> HID: corsair-void: Add missing delayed work cancel for headset status<br /> <br /> The cancel_delayed_work_sync() call was missed, causing a use-after-free<br /> in corsair_void_remove().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> NFSD: fix hang in nfsd4_shutdown_callback<br /> <br /> If nfs4_client is in courtesy state then there is no point to send<br /> the callback. This causes nfsd4_shutdown_callback to hang since<br /> cl_cb_inflight is not 0. This hang lasts about 15 minutes until TCP<br /> notifies NFSD that the connection was dropped.<br /> <br /> This patch modifies nfsd4_run_cb_work to skip the RPC call if<br /> nfs4_client is in courtesy state.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ax25: Fix refcount leak caused by setting SO_BINDTODEVICE sockopt<br /> <br /> If an AX25 device is bound to a socket by setting the SO_BINDTODEVICE<br /> socket option, a refcount leak will occur in ax25_release().<br /> <br /> Commit 9fd75b66b8f6 ("ax25: Fix refcount leaks caused by ax25_cb_del()")<br /> added decrement of device refcounts in ax25_release(). In order for that<br /> to work correctly the refcounts must already be incremented when the<br /> device is bound to the socket. An AX25 device can be bound to a socket<br /> by either calling ax25_bind() or setting SO_BINDTODEVICE socket option.<br /> In both cases the refcounts should be incremented, but in fact it is done<br /> only in ax25_bind().<br /> <br /> This bug leads to the following issue reported by Syzkaller:<br /> <br /> ================================================================<br /> refcount_t: decrement hit 0; leaking memory.<br /> WARNING: CPU: 1 PID: 5932 at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210 lib/refcount.c:31<br /> Modules linked in:<br /> CPU: 1 UID: 0 PID: 5932 Comm: syz-executor424 Not tainted 6.13.0-rc4-syzkaller-00110-g4099a71718b0 #0<br /> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014<br /> RIP: 0010:refcount_warn_saturate+0x1ed/0x210 lib/refcount.c:31<br /> Call Trace:<br /> <br /> __refcount_dec include/linux/refcount.h:336 [inline]<br /> refcount_dec include/linux/refcount.h:351 [inline]<br /> ref_tracker_free+0x710/0x820 lib/ref_tracker.c:236<br /> netdev_tracker_free include/linux/netdevice.h:4156 [inline]<br /> netdev_put include/linux/netdevice.h:4173 [inline]<br /> netdev_put include/linux/netdevice.h:4169 [inline]<br /> ax25_release+0x33f/0xa10 net/ax25/af_ax25.c:1069<br /> __sock_release+0xb0/0x270 net/socket.c:640<br /> sock_close+0x1c/0x30 net/socket.c:1408<br /> ...<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> ...<br /> <br /> ================================================================<br /> <br /> Fix the implementation of ax25_setsockopt() by adding increment of<br /> refcounts for the new device bound, and decrement of refcounts for<br /> the old unbound device.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> spi: sn-f-ospi: Fix division by zero<br /> <br /> When there is no dummy cycle in the spi-nor commands, both dummy bus cycle<br /> bytes and width are zero. Because of the cpu&amp;#39;s warning when divided by<br /> zero, the warning should be avoided. Return just zero to avoid such<br /> calculations.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> HID: hid-thrustmaster: fix stack-out-of-bounds read in usb_check_int_endpoints()<br /> <br /> Syzbot[1] has detected a stack-out-of-bounds read of the ep_addr array from<br /> hid-thrustmaster driver. This array is passed to usb_check_int_endpoints<br /> function from usb.c core driver, which executes a for loop that iterates<br /> over the elements of the passed array. Not finding a null element at the end of<br /> the array, it tries to read the next, non-existent element, crashing the kernel.<br /> <br /> To fix this, a 0 element was added at the end of the array to break the for<br /> loop.<br /> <br /> [1] https://syzkaller.appspot.com/bug?extid=9c9179ac46169c56c1ad

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> workqueue: Put the pwq after detaching the rescuer from the pool<br /> <br /> The commit 68f83057b913("workqueue: Reap workers via kthread_stop() and<br /> remove detach_completion") adds code to reap the normal workers but<br /> mistakenly does not handle the rescuer and also removes the code waiting<br /> for the rescuer in put_unbound_pool(), which caused a use-after-free bug<br /> reported by Cheung Wall.<br /> <br /> To avoid the use-after-free bug, the pool’s reference must be held until<br /> the detachment is complete. Therefore, move the code that puts the pwq<br /> after detaching the rescuer from the pool.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> vrf: use RCU protection in l3mdev_l3_out()<br /> <br /> l3mdev_l3_out() can be called without RCU being held:<br /> <br /> raw_sendmsg()<br /> ip_push_pending_frames()<br /> ip_send_skb()<br /> ip_local_out()<br /> __ip_local_out()<br /> l3mdev_ip_out()<br /> <br /> Add rcu_read_lock() / rcu_read_unlock() pair to avoid<br /> a potential UAF.