Lucene search

213680 matches found

Prion
added 2024/02/27 10:15 a.m., 17 views

Spoofing

In the Linux kernel, the following vulnerability has been resolved: parisc: Clear stale IIR value on instruction access rights trap When a trap 7 Instruction access rights occurs, this means the CPU couldn't execute an instruction due to missing execute permissions on the memory region. In this...

7.2 AI score, 0.00014 EPSS
Exploits: 0, References: 3

Prion
added 2024/02/27 10:15 a.m., 17 views

Spoofing

In the Linux kernel, the following vulnerability has been resolved: usb: mtu3: fix list_head check warning This is caused by uninitialization of list_head. BUG: KASAN: use-after-free in __list_del_entry_valid+0x34/0xe4 Call trace: dump_backtrace+0x0/0x298 show_stack+0x24/0x34 dump_stack+0x130/0x1a8...

7.2 AI score, 0.00015 EPSS
Exploits: 0, References: 4

Prion
added 2024/02/27 10:15 a.m., 16 views

Spoofing

In the Linux kernel, the following vulnerability has been resolved: i2c: validate user data in compat ioctl Wrong user data may cause warning in i2c_transfer(), ex: zero msgs. Userspace should not be able to trigger warnings, so this patch adds validation checks for user data in compact ioctl to...

7 AI score, 0.00019 EPSS
Exploits: 0, References: 5

Prion
added 2024/02/27 10:15 a.m., 12 views

Spoofing

In the Linux kernel, the following vulnerability has been resolved: binder: fix async_free_space accounting for empty parcels In 4.13, commit 74310e06be4d ("android: binder: Move buffer out of area shared with user space") fixed a kernel structure visibility issue. As part of that patch, sizeof(void *) w...

7.1 AI score, 0.00017 EPSS
Exploits: 0, References: 6

Prion
added 2024/02/27 10:15 a.m., 27 views

Spoofing

In the Linux kernel, the following vulnerability has been resolved: Input: appletouch - initialize work before device registration Syzbot has reported warning in __flush_work(). This warning is caused by work->func == NULL, which means missing work initialization. This may happen, since input_dev->close()...

7.1 AI score, 0.00012 EPSS
Exploits: 0, References: 8

Prion
added 2024/02/27 10:15 a.m., 18 views

Design/Logic Flaw

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear. ffs_data_clear is indirectly called from both ffs_fs_kill_sb and ffs_ep0_release, so it ends up being called twice when userland closes ep0 and then unmounts f_fs. If userland provided ...

7 AI score, 0.00015 EPSS
Exploits: 0, References: 8

Prion
added 2024/02/27 10:15 a.m., 21 views

Spoofing

In the Linux kernel, the following vulnerability has been resolved: net: fix use-after-free in tw_timer_handler A real world panic issue was found as follow in Linux 5.4. BUG: unable to handle page fault for address: ffffde49a863de28 PGD 7e6fe62067 P4D 7e6fe62067 PUD 7e6fe63067 PMD f51e064067 PTE 0...

7.2 AI score, 0.00015 EPSS
Exploits: 0, References: 8

Prion
added 2024/02/27 10:15 a.m., 26 views

Spoofing

In the Linux kernel, the following vulnerability has been resolved: mm/damon/dbgfs: fix 'struct pid' leaks in 'dbgfs_target_ids_write()' DAMON debugfs interface increases the reference counts of 'struct pid's for targets from the 'target_ids' file write callback ('dbgfs_target_ids_write()'), but decreases the...

7.2 AI score, 0.00015 EPSS
Exploits: 0, References: 2

Prion
added 2024/02/27 10:15 a.m., 8 views

Design/Logic Flaw

In the Linux kernel, the following vulnerability has been resolved: sctp: use call_rcu to free endpoint This patch is to delay the endpoint free by calling call_rcu() to fix another use-after-free issue in sctp_sock_dump(): BUG: KASAN: use-after-free in __lock_acquire+0x36d9/0x4c20 Call Trace:...

7.2 AI score, 0.00012 EPSS
Exploits: 0, References: 6

Prion
added 2024/02/27 10:15 a.m., 17 views

Stack overflow

In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Wrap the tx reporter dump callback to extract the sq Function mlx5e_tx_reporter_dump_sq() casts its void * argument to struct mlx5e_txqsq *, but in TX-timeout-recovery flow the argument is actually of type struct mlx5e_tx_timeout_c...

7.2 AI score, 0.00019 EPSS
Exploits: 0, References: 3

Prion
added 2024/02/27 10:15 a.m., 19 views

Spoofing

In the Linux kernel, the following vulnerability has been resolved: KEYS: trusted: Fix TPM reservation for seal/unseal The original patch 8c657a0590de "KEYS: trusted: Reserve TPM for seal and unseal operations" was correct on the mailing list:...

7.2 AI score, 0.0003 EPSS
Exploits: 0, References: 2

Prion
added 2024/02/27 9:15 a.m., 21 views

Code injection

The Spiffy Calendar WordPress plugin before 4.9.9 doesn't check the event_author parameter, and allows any user to alter it when creating an event, leading to deceiving users/admins that a page was created by a Contributor+...

7.2 AI score, 0.00219 EPSS
Exploits: 2, References: 1

Prion
added 2024/02/27 9:15 a.m., 17 views

Cross site scripting

The Shariff Wrapper WordPress plugin before 4.6.10 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)...

5.9 AI score, 0.00312 EPSS
Exploits: 2, References: 1

Prion
added 2024/02/27 9:15 a.m., 17 views

Code injection

Malicious code injection in Apache Ambari in versions prior to 2.7.8. Users are recommended to upgrade to version 2.7.8, which fixes this issue. Impact: A Cluster Operator can manipulate the request by adding a malicious code injection and gain a root over the cluster main host...

7.8 AI score, 0.00928 EPSS
Exploits: 0, References: 2

Prion
added 2024/02/27 9:15 a.m., 15 views

Authentication flaw

Apache James prior to version 3.7.5 and 3.8.0 exposes a JMX endpoint on localhost subject to pre-authentication deserialisation of untrusted data. Given a deserialisation gadget, this could be leveraged as part of an exploit chain that could result in privilege escalation. Note that by default JM...

7.1 AI score, 0.00439 EPSS
Exploits: 0, References: 1

Prion
added 2024/02/27 9:15 a.m., 19 views

Code injection

The WP JobSearch WordPress plugin before 2.3.4 does not validate files to be uploaded, which could allow unauthenticated attackers to upload arbitrary files such as PHP on the server...

7.4 AI score, 0.00367 EPSS
Exploits: 2, References: 1

Prion
added 2024/02/27 9:15 a.m., 13 views

Code injection

The WP JobSearch WordPress plugin before 2.3.4 does not prevent attackers from logging-in as any users with the only knowledge of that user's email address...

7 AI score, 0.00304 EPSS
Exploits: 2, References: 1

Prion
added 2024/02/27 9:15 a.m., 13 views

Cross site scripting

The Page Builder: Pagelayer WordPress plugin before 1.8.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)...

5.9 AI score, 0.00187 EPSS
Exploits: 2, References: 1

Prion
added 2024/02/27 9:15 a.m., 15 views

Cross site scripting

The Persian Fonts WordPress plugin through 1.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)...

5.8 AI score, 0.00257 EPSS
Exploits: 2, References: 1

Prion
added 2024/02/27 9:15 a.m., 22 views

Information disclosure

The JetBackup WordPress plugin before 2.0.9.9 doesn't use index files to prevent public directory listing of sensitive directories in certain configurations, which allows malicious actors to leak backup files...

6.8 AI score, 0.31581 EPSS
Exploits: 2, References: 1

Prion
added 2024/02/27 9:15 a.m., 15 views

Privilege escalation

The WP Dashboard Notes WordPress plugin before 1.0.11 is vulnerable to Insecure Direct Object References (IDOR) in post_id= parameter. Authenticated users are able to delete private notes associated with different user accounts. This poses a significant security risk as it violates the principle of...

7 AI score, 0.00116 EPSS
Exploits: 2, References: 1

Prion
added 2024/02/27 9:15 a.m., 9 views

Cross site request forgery (csrf)

The Smart Forms WordPress plugin before 2.6.87 does not have authorisation in various AJAX actions, which could allow users with a role as low as subscriber to call them and perform unauthorised actions such as deleting entries. The plugin also lacks CSRF checks in some places which could allow...

7 AI score, 0.00191 EPSS
Exploits: 2, References: 1

Prion
added 2024/02/27 9:15 a.m., 12 views

Cross site request forgery (csrf)

The Fatal Error Notify WordPress plugin before 1.5.3 does not have authorisation and CSRF checks in its test_error AJAX action, allowing any authenticated users, such as subscriber to call it and spam the admin email address with error messages. The issue is also exploitable via CSRF...

6.8 AI score, 0.00117 EPSS
Exploits: 3, References: 2

Prion
added 2024/02/27 7:15 a.m., 20 views

Spoofing

In the Linux kernel, the following vulnerability has been resolved: net: Make tcp_allowed_congestion_control readonly in non-init netns Currently, tcp_allowed_congestion_control is global and writable; writing to it in any net namespace will leak into all other net namespaces...

7.1 AI score, 0.00018 EPSS
Exploits: 0, References: 3

Prion
added 2024/02/27 7:15 a.m., 16 views

Design/Logic Flaw

In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: fix wq cleanup of WQCFG registers A pre-release silicon erratum workaround where wq reset does not clear WQCFG registers was leaked into upstream code. Use wq reset command instead of blasting the MMIO region. Th...

7.2 AI score, 0.00026 EPSS
Exploits: 0, References: 3

Prion
added 2024/02/27 7:15 a.m., 18 views

Spoofing

In the Linux kernel, the following vulnerability has been resolved: bpf: Use correct permission flag for mixed signed bounds arithmetic We forbid adding unknown scalars with mixed signed bounds due to the spectre v1 masking mitigation. Hence this also needs bypass_spec_v1 flag instead of...

7.2 AI score, 0.00004 EPSS
Exploits: 0, References: 3

Prion
added 2024/02/27 7:15 a.m., 11 views

Design/Logic Flaw

In the Linux kernel, the following vulnerability has been resolved: KVM: VMX: Don't use vcpu->run->internal.ndata as an array index __vmx_handle_exit() uses vcpu->run->internal.ndata as an index for an array access. Since vcpu->run is (can be) mapped to a user address space with a writer permission, the 'ndat...

7 AI score
Exploits: 0, References: 3

Prion
added 2024/02/27 7:15 a.m., 28 views

Spoofing

In the Linux kernel, the following vulnerability has been resolved: netfilter: nftables: clone set element expression template memcpy() breaks when using connlimit in set elements. Use nft_expr_clone() to initialize the connlimit expression list, otherwise connlimit garbage collector crashes when walki...

7.1 AI score, 0.00018 EPSS
Exploits: 0, References: 3

Prion
added 2024/02/27 7:15 a.m., 16 views

Spoofing

In the Linux kernel, the following vulnerability has been resolved: ch_ktls: Fix kernel panic Taking page refcount is not ideal and causes kernel panic sometimes. It's better to take tx_ctx lock for the complete skb transmit, to avoid page cleanup if ACK received in middle...

7 AI score, 0.00015 EPSS
Exploits: 0, References: 3

Prion
added 2024/02/27 7:15 a.m., 19 views

Spoofing

In the Linux kernel, the following vulnerability has been resolved: ARM: footbridge: fix PCI interrupt mapping Since commit 30fdfb929e82 ("PCI: Add a call to pci_assign_irq() in pci_device_probe()"), the PCI code will call the IRQ mapping function whenever a PCI driver is probed. If these are marked as ini...

7.2 AI score, 0.00012 EPSS
Exploits: 0, References: 6

Prion
added 2024/02/27 7:15 a.m., 19 views

Spoofing

In the Linux kernel, the following vulnerability has been resolved: ARM: 9063/1: mm: reduce maximum number of CPUs if DEBUG_KMAP_LOCAL is enabled The debugging code for kmap_local() doubles the number of per-CPU fixmap slots allocated for kmap_local(), in order to use half of them as guard regions. This...

7.1 AI score, 0.00035 EPSS
Exploits: 0, References: 2

Prion
added 2024/02/27 7:15 a.m., 16 views

Spoofing

In the Linux kernel, the following vulnerability has been resolved: ixgbe: fix unbalanced device enable/disable in suspend/resume pci_disable_device() called in __ixgbe_shutdown() decreases dev->enable_cnt by 1. pci_enable_device_mem() which increases dev->enable_cnt by 1, was removed from ixgbe_resume() in commit...

7.1 AI score, 0.0003 EPSS
Exploits: 0, References: 3

Prion
added 2024/02/27 7:15 a.m., 22 views

Spoofing

In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_limit: avoid possible divide error in nft_limit_init div_u64() divides u64 by u32. nft_limit_init() wants to divide u64 by u64, use the appropriate math function (div64_u64) divide error: 0000 [#1] PREEMPT SMP KASAN CPU: 1 PID: 83...

7 AI score, 0.00012 EPSS
Exploits: 0, References: 6

Prion
added 2024/02/27 7:15 a.m., 17 views

Spoofing

In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: clear MSIX permission entry on shutdown Add disabling/clearing of MSIX permission entries on device shutdown to mirror the enabling of the MSIX entries on probe. Current code left the MSIX enabled and the pasid...

7.4 AI score, 0.00014 EPSS
Exploits: 0, References: 2

Prion
added 2024/02/27 7:15 a.m., 16 views

Buffer overflow

In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: Fix clobbering of SWERR overflow bit on writeback Current code blindly writes over the SWERR and the OVERFLOW bits. Write back the bits actually read instead so the driver avoids clobbering the OVERFLOW bit that...

7.6 AI score, 0.00014 EPSS
Exploits: 0, References: 3

Prion
added 2024/02/27 7:15 a.m., 17 views

Null pointer dereference

In the Linux kernel, the following vulnerability has been resolved: ixgbe: Fix NULL pointer dereference in ethtool loopback test The ixgbe driver currently generates a NULL pointer dereference when performing the ethtool loopback test. This is due to the fact that there isn't a q_vector associated...

7.2 AI score, 0.00017 EPSS
Exploits: 0, References: 2

Prion
added 2024/02/27 7:15 a.m., 18 views

Spoofing

In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: fix wq size store permission state WQ size can only be changed when the device is disabled. Current code allows change when device is enabled but wq is disabled. Change the check to detect device state...

7.1 AI score, 0.0003 EPSS
Exploits: 0, References: 3

Prion
added 2024/02/27 6:15 a.m., 19 views

Authentication flaw

Should an instance of AnythingLLM be hosted on an internal network and the attacker be explicitly granted a permission level of manager or admin, they could link-scrape internally resolving IPs of other services that are on the same network as AnythingLLM. This would require the attacker also be...

4 CVSS, 7.3 AI score, 0.00408 EPSS
Exploits: 1, References: 2

Prion
added 2024/02/27 6:15 a.m., 24 views

Authentication flaw

The Thank You Page Customizer for WooCommerce – Increase Your Sales plugin for WordPress is vulnerable to unauthorized execution of shortcodes due to a missing capability check on the get_text_editor_content() function in all versions up to, and including, 1.1.2. This makes it possible for authenticat...

5.5 CVSS, 7.6 AI score, 0.00275 EPSS
Exploits: 0, References: 2

Prion
added 2024/02/27 6:15 a.m., 32 views

Sql injection

The NotificationX – Best FOMO, Social Proof, WooCommerce Sales Popup & Notification Bar Plugin With Elementor plugin for WordPress is vulnerable to SQL Injection via the 'type' parameter in all versions up to, and including, 2.8.2 due to insufficient escaping on the user supplied parameter and la...

7.5 CVSS, 7.8 AI score, 0.93633 EPSS
Exploits: 3, References: 3

Prion
added 2024/02/27 6:15 a.m., 11 views

Authorization

The Thank You Page Customizer for WooCommerce – Increase Your Sales plugin for WordPress is vulnerable to missing authorization in all versions up to, and including, 1.1.2 via the apply_layout function due to a missing capability check. This makes it possible for authenticated attackers, with...

5 CVSS, 6.9 AI score, 0.00334 EPSS
Exploits: 0, References: 2

Prion
added 2024/02/27 5:15 a.m., 12 views

Cross site scripting

The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Post Type Grid Widget Title in all versions up to, and including, 2.10.30 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible fo...

5.5 CVSS, 6.1 AI score, 0.00161 EPSS
Exploits: 0, References: 4

Prion
added 2024/02/27 4:15 a.m., 14 views

Denial of service

Insufficient Resource Pool vulnerability in Ethernet function of Mitsubishi Electric Corporation MELSEC iQ-F Series CPU modules allows a remote attacker to cause a temporary Denial of Service condition for a certain period of time in Ethernet communication of the products by performing TCP SYN...

5 CVSS, 7.1 AI score, 0.00109 EPSS
Exploits: 0, References: 3

Prion
added 2024/02/27 2:15 a.m., 28 views

Sql injection

Code-projects Simple Stock System 1.0 is vulnerable to SQL Injection...

7.4 AI score, 0.00097 EPSS
Exploits: 0, References: 1

Prion
added 2024/02/27 2:15 a.m., 27 views

Directory traversal

diffoscope before 256 allows directory traversal via an embedded filename in a GPG file. Contents of any file, such as ../.ssh/id_rsa, may be disclosed to an attacker. This occurs because the value of the gpg --use-embedded-filenames option is trusted...

7 AI score, 0.05259 EPSS
Exploits: 0, References: 3

Prion
added 2024/02/27 2:15 a.m., 26 views

Sql injection

SQL injection vulnerability in Dynamic Lab Management System Project in PHP v.1.0 allows a remote attacker to execute arbitrary code via a crafted script...

8.6 AI score, 0.01146 EPSS
Exploits: 0, References: 1

Prion
added 2024/02/27 2:15 a.m., 24 views

Sql injection

Code-projects Computer Book Store 1.0 is vulnerable to SQL Injection via BookSBIN...

8.1 AI score, 0.0004 EPSS
Exploits: 0, References: 1

Prion
added 2024/02/27 2:15 a.m., 24 views

Sql injection

Code-projects Computer Book Store 1.0 is vulnerable to SQL Injection via PublisherID...

8.1 AI score, 0.00067 EPSS
Exploits: 0, References: 1

Prion
added 2024/02/27 2:15 a.m., 20 views

Sql injection

Code-projects Scholars Tracking System 1.0 is vulnerable to SQL Injection under Employment Status Information Update...

8 AI score, 0.00071 EPSS
Exploits: 0, References: 1

Prion
added 2024/02/27 2:15 a.m., 22 views

Design/Logic Flaw

An arbitrary file upload vulnerability in the Update/Edit Student's Profile Picture function of Student Enrollment In PHP v1.0 allows attackers to execute arbitrary code via uploading a crafted PHP file...

8.1 AI score, 0.00119 EPSS
Exploits: 0, References: 1

Total number of security vulnerabilities: 213680