Vulnerabilities

After Effects versions 23.6.6, 24.5 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

After Effects versions 23.6.6, 24.5 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Illustrator versions 28.6, 27.9.5 and earlier are affected by an Integer Overflow or Wraparound vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

The Essential Addons for Elementor – Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Filterable Gallery widget in all versions up to, and including, 6.0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

The WP Simple Booking Calendar plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.0.10. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

The WP Test Email plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.1.7. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

The YITH Custom Login plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.7.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/vmwgfx: Disable coherent dumb buffers without 3d<br /> <br /> Coherent surfaces make only sense if the host renders to them using<br /> accelerated apis. Without 3d the entire content of dumb buffers stays<br /> in the guest making all of the extra work they&amp;#39;re doing to synchronize<br /> between guest and host useless.<br /> <br /> Configurations without 3d also tend to run with very low graphics<br /> memory limits. The pinned console fb, mob cursors and graphical login<br /> manager tend to run out of 16MB graphics memory that those guests use.<br /> <br /> Fix it by making sure the coherent dumb buffers are only used on<br /> configs with 3d enabled.

The Betheme theme for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 27.5.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

The Classified Listing – Classified ads &amp; Business Directory Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions like export_forms(), import_forms(), update_fb_options(), and many more in all versions up to, and including, 3.1.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify forms and various other settings.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> libfs: fix infinite directory reads for offset dir<br /> <br /> After we switch tmpfs dir operations from simple_dir_operations to<br /> simple_offset_dir_operations, every rename happened will fill new dentry<br /> to dest dir&amp;#39;s maple tree(&amp;SHMEM_I(inode)-&gt;dir_offsets-&gt;mt) with a free<br /> key starting with octx-&gt;newx_offset, and then set newx_offset equals to<br /> free key + 1. This will lead to infinite readdir combine with rename<br /> happened at the same time, which fail generic/736 in xfstests(detail show<br /> as below).<br /> <br /> 1. create 5000 files(1 2 3...) under one dir<br /> 2. call readdir(man 3 readdir) once, and get one entry<br /> 3. rename(entry, "TEMPFILE"), then rename("TEMPFILE", entry)<br /> 4. loop 2~3, until readdir return nothing or we loop too many<br /> times(tmpfs break test with the second condition)<br /> <br /> We choose the same logic what commit 9b378f6ad48cf ("btrfs: fix infinite<br /> directory reads") to fix it, record the last_index when we open dir, and<br /> do not emit the entry which index &gt;= last_index. The file-&gt;private_data<br /> now used in offset dir can use directly to do this, and we also update<br /> the last_index when we llseek the dir file.<br /> <br /> [brauner: only update last_index after seek when offset is zero like Jan suggested]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> thunderbolt: Mark XDomain as unplugged when router is removed<br /> <br /> I noticed that when we do discrete host router NVM upgrade and it gets<br /> hot-removed from the PCIe side as a result of NVM firmware authentication,<br /> if there is another host connected with enabled paths we hang in tearing<br /> them down. This is due to fact that the Thunderbolt networking driver<br /> also tries to cleanup the paths and ends up blocking in<br /> tb_disconnect_xdomain_paths() waiting for the domain lock.<br /> <br /> However, at this point we already cleaned the paths in tb_stop() so<br /> there is really no need for tb_disconnect_xdomain_paths() to do that<br /> anymore. Furthermore it already checks if the XDomain is unplugged and<br /> bails out early so take advantage of that and mark the XDomain as<br /> unplugged when we remove the parent router.