Vulnerabilities

A vulnerability was found in code-projects Pharmacy Management System 1.0. It has been classified as problematic. This affects an unknown part of the file /index.php?id=userProfileEdit of the component Update My Profile Page. The manipulation of the argument fname/lname/email with the input alert(1) leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> kcm: Serialise kcm_sendmsg() for the same socket.<br /> <br /> syzkaller reported UAF in kcm_release(). [0]<br /> <br /> The scenario is<br /> <br /> 1. Thread A builds a skb with MSG_MORE and sets kcm-&gt;seq_skb.<br /> <br /> 2. Thread A resumes building skb from kcm-&gt;seq_skb but is blocked<br /> by sk_stream_wait_memory()<br /> <br /> 3. Thread B calls sendmsg() concurrently, finishes building kcm-&gt;seq_skb<br /> and puts the skb to the write queue<br /> <br /> 4. Thread A faces an error and finally frees skb that is already in the<br /> write queue<br /> <br /> 5. kcm_release() does double-free the skb in the write queue<br /> <br /> When a thread is building a MSG_MORE skb, another thread must not touch it.<br /> <br /> Let&amp;#39;s add a per-sk mutex and serialise kcm_sendmsg().<br /> <br /> [0]:<br /> BUG: KASAN: slab-use-after-free in __skb_unlink include/linux/skbuff.h:2366 [inline]<br /> BUG: KASAN: slab-use-after-free in __skb_dequeue include/linux/skbuff.h:2385 [inline]<br /> BUG: KASAN: slab-use-after-free in __skb_queue_purge_reason include/linux/skbuff.h:3175 [inline]<br /> BUG: KASAN: slab-use-after-free in __skb_queue_purge include/linux/skbuff.h:3181 [inline]<br /> BUG: KASAN: slab-use-after-free in kcm_release+0x170/0x4c8 net/kcm/kcmsock.c:1691<br /> Read of size 8 at addr ffff0000ced0fc80 by task syz-executor329/6167<br /> <br /> CPU: 1 PID: 6167 Comm: syz-executor329 Tainted: G B 6.8.0-rc5-syzkaller-g9abbc24128bc #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024<br /> Call trace:<br /> dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:291<br /> show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:298<br /> __dump_stack lib/dump_stack.c:88 [inline]<br /> dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106<br /> print_address_description mm/kasan/report.c:377 [inline]<br /> print_report+0x178/0x518 mm/kasan/report.c:488<br /> kasan_report+0xd8/0x138 mm/kasan/report.c:601<br /> __asan_report_load8_noabort+0x20/0x2c mm/kasan/report_generic.c:381<br /> __skb_unlink include/linux/skbuff.h:2366 [inline]<br /> __skb_dequeue include/linux/skbuff.h:2385 [inline]<br /> __skb_queue_purge_reason include/linux/skbuff.h:3175 [inline]<br /> __skb_queue_purge include/linux/skbuff.h:3181 [inline]<br /> kcm_release+0x170/0x4c8 net/kcm/kcmsock.c:1691<br /> __sock_release net/socket.c:659 [inline]<br /> sock_close+0xa4/0x1e8 net/socket.c:1421<br /> __fput+0x30c/0x738 fs/file_table.c:376<br /> ____fput+0x20/0x30 fs/file_table.c:404<br /> task_work_run+0x230/0x2e0 kernel/task_work.c:180<br /> exit_task_work include/linux/task_work.h:38 [inline]<br /> do_exit+0x618/0x1f64 kernel/exit.c:871<br /> do_group_exit+0x194/0x22c kernel/exit.c:1020<br /> get_signal+0x1500/0x15ec kernel/signal.c:2893<br /> do_signal+0x23c/0x3b44 arch/arm64/kernel/signal.c:1249<br /> do_notify_resume+0x74/0x1f4 arch/arm64/kernel/entry-common.c:148<br /> exit_to_user_mode_prepare arch/arm64/kernel/entry-common.c:169 [inline]<br /> exit_to_user_mode arch/arm64/kernel/entry-common.c:178 [inline]<br /> el0_svc+0xac/0x168 arch/arm64/kernel/entry-common.c:713<br /> el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730<br /> el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598<br /> <br /> Allocated by task 6166:<br /> kasan_save_stack mm/kasan/common.c:47 [inline]<br /> kasan_save_track+0x40/0x78 mm/kasan/common.c:68<br /> kasan_save_alloc_info+0x70/0x84 mm/kasan/generic.c:626<br /> unpoison_slab_object mm/kasan/common.c:314 [inline]<br /> __kasan_slab_alloc+0x74/0x8c mm/kasan/common.c:340<br /> kasan_slab_alloc include/linux/kasan.h:201 [inline]<br /> slab_post_alloc_hook mm/slub.c:3813 [inline]<br /> slab_alloc_node mm/slub.c:3860 [inline]<br /> kmem_cache_alloc_node+0x204/0x4c0 mm/slub.c:3903<br /> __alloc_skb+0x19c/0x3d8 net/core/skbuff.c:641<br /> alloc_skb include/linux/skbuff.h:1296 [inline]<br /> kcm_sendmsg+0x1d3c/0x2124 net/kcm/kcmsock.c:783<br /> sock_sendmsg_nosec net/socket.c:730 [inline]<br /> __sock_sendmsg net/socket.c:745 [inline]<br /> sock_sendmsg+0x220/0x2c0 net/socket.c:768<br /> splice_to_socket+0x7cc/0xd58 fs/splice.c:889<br /> do_splice_from fs/splice.c:941 [inline]<br /> direct_splice_actor+0xec/0x1d8 fs/splice.c:1164<br /> splice_direct_to_actor+0x438/0xa0c fs/splice.c:1108<br /> do_splice_direct_actor <br /> ---truncated---

The Web Application Firewall plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 2.1.2. This is due to insufficient restrictions on where the IP Address information is being retrieved for request logging and login restrictions. Attackers can supply the X-Forwarded-For header with with a different IP Address that will be logged and can be used to bypass settings that may have blocked out an IP address or country from logging in.

The WP Events Manager plugin for WordPress is vulnerable to time-based SQL Injection via the ‘order’ parameter in all versions up to, and including, 2.1.11 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

The Share This Image plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the &amp;#39;alignment&amp;#39; parameter in all versions up to, and including, 2.01 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

NVIDIA CUDA Toolkit contains a vulnerability in command &amp;#39;cuobjdump&amp;#39; where a user may cause a crash or produce incorrect output by passing a malformed ELF file. A successful exploit of this vulnerability may lead to a limited denial of service or data tampering.

NVIDIA CUDA Toolkit contains a vulnerability in command `cuobjdump` where a user may cause a crash by passing in a malformed ELF file. A successful exploit of this vulnerability may cause an out of bounds read in the unprivileged process memory which could lead to a limited denial of service.

NVIDIA CUDA Toolkit contains a vulnerability in command `cuobjdump` where a user may cause an out-of-bound write by passing in a malformed ELF file. A successful exploit of this vulnerability may lead to code execution or denial of service.

The IP Vault – WP Firewall plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 1.1. This is due to insufficient restrictions on where the IP Address information is being retrieved for request logging and login restrictions. Attackers can supply the X-Forwarded-For header with with a different IP Address that will be logged and can be used to bypass settings that may have blocked out an IP address or country from logging in.

The WP Cerber Security plugin for WordPress is vulnerable to IP Protection bypass in versions up to, and including 9.4 due to the plugin improperly checking for a visitor&amp;#39;s IP address. This makes it possible for an attacker whose IP address has been blocked to bypass this control by setting the X-Forwarded-For: HTTP header to an IP Address that hasn&amp;#39;t been blocked.

Dell PowerScale OneFS versions 8.2.2.x through 9.8.0.0 contains an incorrect privilege assignment vulnerability. A local high privileged attacker could potentially exploit this vulnerability to gain root-level access.

The WPZOOM Portfolio Lite – Filterable Portfolio Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘align’ attribute within the &amp;#39;wp:wpzoom-blocks&amp;#39; Gutenberg block in all versions up to, and including, 1.4.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.