Vulnerability Summary for the Week of February 19, 2024

High Vulnerabilities

Primary
Vendor — Product
Description Published CVSS Score Source & Patch Info
agronholm — cbor2 cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) (RFC 8949) serialization format. Starting in version 5.5.1 and prior to version 5.6.2, an attacker can crash a service using cbor2 to parse a CBOR binary by sending a long enough object. Version 5.6.2 contains a patch for this issue. 2024-02-19 7.5 CVE-2024-26134
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
alfio-event — alf.io alf.io is an open source ticket reservation system. Prior to version 2.0-Mr-2402, organization owners can view the generated API KEY and USERS of other organization owners using the `http://192.168.26.128:8080/admin/api/users/<user_id>` endpoint, which exposes the details of the provided user ID. This may also expose the API KEY in the username of the user. Version 2.0-M4-2402 fixes this issue. 2024-02-19 8.8 CVE-2024-25635
security-advisories@github.com
alfio-event — alf.io alf.io is an open source ticket reservation system. Prior to version 2.0-Mr-2402, an attacker can access data from other organizers. The attacker can use a specially crafted request to receive the e-mail log sent by other events. Version 2.0-M4-2402 fixes this issue. 2024-02-19 7.2 CVE-2024-25634
security-advisories@github.com
anton_kueltz — fastecdsa Versions of the package fastecdsa before 2.3.2 are vulnerable to Use of Uninitialized Variable on the stack, via the curvemath_mul function in src/curveMath.c, due to being used and interpreted as user-defined type. Depending on the variable’s actual value it could be arbitrary free(), arbitrary realloc(), null pointer dereference and other. Since the stack can be controlled by the attacker, the vulnerability could be used to corrupt allocator structure, leading to possible heap exploitation. The attacker could cause denial of service by exploiting this vulnerability. 2024-02-24 7.5 CVE-2024-21502
report@snyk.io
report@snyk.io
report@snyk.io
report@snyk.io
areal_topkapi — webserv2 An unauthenticated remote attacker can bypass the brute force prevention mechanism and disturb the webservice for all users. 2024-02-22 7.5 CVE-2024-1104
info@cert.vde.com
b&r_industrial_automation — automation_studio B&R Automation Studio Upgrade Service and B&R Technology Guarding use insufficient cryptography for communication to the upgrade and the licensing servers. A network-based attacker could exploit the vulnerability to execute arbitrary code on the products or sniff sensitive data. Missing Encryption of Sensitive Data, Cleartext Transmission of Sensitive Information, Improper Control of Generation of Code (‘Code Injection’), Inadequate Encryption Strength vulnerability in B&R Industrial Automation B&R Automation Studio (Upgrade Service modules), B&R Industrial Automation Technology Guarding.This issue affects B&R Automation Studio: <4.6; Technology Guarding: <1.4.0. 2024-02-22 8.3 CVE-2024-0220
cybersecurity@ch.abb.com
backstage — backstage `@backstage/backend-common` is a common functionality library for backends for Backstage, an open platform for building developer portals. In `@backstage/backend-common` prior to versions 0.21.1, 0.20.2, and 0.19.10, paths checks with the `resolveSafeChildPath` utility were not exhaustive enough, leading to risk of path traversal vulnerabilities if symlinks can be injected by attackers. This issue is patched in `@backstage/backend-common` versions 0.21.1, 0.20.2, and 0.19.10. 2024-02-23 8.7 CVE-2024-26150
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
brivo — acs100,_acs300 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) vulnerability in Brivo ACS100, ACS300 allows OS Command Injection, Bypassing Physical Security.This issue affects ACS100 (Network Adjacent Access), ACS300 (Physical Access): from 5.2.4 before 6.2.4.3. 2024-02-19 9 CVE-2023-6260
57dba5dd-1a03-47f6-8b36-e84e47d335d8
57dba5dd-1a03-47f6-8b36-e84e47d335d8
brivo — acs100,_acs300 Insufficiently Protected Credentials, : Improper Access Control vulnerability in Brivo ACS100, ACS300 allows Password Recovery Exploitation, Bypassing Physical Security.This issue affects ACS100, ACS300: from 5.2.4 before 6.2.4.3. 2024-02-19 7.1 CVE-2023-6259
57dba5dd-1a03-47f6-8b36-e84e47d335d8
57dba5dd-1a03-47f6-8b36-e84e47d335d8
code-projects — crime_reporting_system A vulnerability was found in code-projects Crime Reporting System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file inchargelogin.php. The manipulation of the argument email/password leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-254608. 2024-02-23 7.3 CVE-2024-1820
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
code-projects — library_system A vulnerability has been found in code-projects Library System 1.0 and classified as critical. This vulnerability affects unknown code of the file Source/librarian/user/student/login.php. The manipulation of the argument username/password leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-254614 is the identifier assigned to this vulnerability. 2024-02-23 7.3 CVE-2024-1826
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
code-projects — library_system A vulnerability was found in code-projects Library System 1.0 and classified as critical. This issue affects some unknown processing of the file Source/librarian/user/teacher/login.php. The manipulation of the argument username/password leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-254615. 2024-02-23 7.3 CVE-2024-1827
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
code-projects — library_system A vulnerability was found in code-projects Library System 1.0. It has been classified as critical. Affected is an unknown function of the file Source/librarian/user/teacher/registration.php. The manipulation of the argument email/idno/phone/username leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-254616. 2024-02-23 7.3 CVE-2024-1828
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
code-projects — library_system A vulnerability was found in code-projects Library System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file Source/librarian/user/student/registration.php. The manipulation of the argument email/regno/phone/username leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-254617 was assigned to this vulnerability. 2024-02-23 7.3 CVE-2024-1829
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
code-projects — library_system A vulnerability was found in code-projects Library System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file Source/librarian/user/student/lost-password.php. The manipulation of the argument email leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-254618 is the identifier assigned to this vulnerability. 2024-02-23 7.3 CVE-2024-1830
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
codeastro — house_rental_management_system A vulnerability, which was classified as critical, has been found in CodeAstro House Rental Management System 1.0. Affected by this issue is some unknown functionality of the file signing.php. The manipulation of the argument uname/password leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-254612. 2024-02-23 7.3 CVE-2024-1824
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
connectwise — screenconnect ConnectWise ScreenConnect 23.9.7 and prior are affected by an Authentication Bypass Using an Alternate Path or Channel vulnerability, which may allow an attacker direct access to confidential information or critical systems. 2024-02-21 10 CVE-2024-1709
9119a7d8-5eab-497f-8521-727c672e3725
9119a7d8-5eab-497f-8521-727c672e3725
9119a7d8-5eab-497f-8521-727c672e3725
9119a7d8-5eab-497f-8521-727c672e3725
9119a7d8-5eab-497f-8521-727c672e3725
9119a7d8-5eab-497f-8521-727c672e3725
9119a7d8-5eab-497f-8521-727c672e3725
9119a7d8-5eab-497f-8521-727c672e3725
9119a7d8-5eab-497f-8521-727c672e3725
9119a7d8-5eab-497f-8521-727c672e3725
connectwise — screenconnect ConnectWise ScreenConnect 23.9.7 and prior are affected by path-traversal vulnerability, which may allow an attacker the ability to execute remote code or directly impact confidential data or critical systems. 2024-02-21 8.4 CVE-2024-1708
9119a7d8-5eab-497f-8521-727c672e3725
9119a7d8-5eab-497f-8521-727c672e3725
demososo — dm_enterprise_website_building_system A vulnerability has been found in Demososo DM Enterprise Website Building System up to 2022.8 and classified as critical. Affected by this vulnerability is the function dmlogin of the file indexDM_load.php of the component Cookie Handler. The manipulation of the argument is_admin with the input y leads to improper authentication. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-254605 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. 2024-02-23 7.3 CVE-2024-1817
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
discourse — discourse-microsoft-auth `discourse-microsoft-auth` is a plugin that enables authentication via Microsoft. On sites with the `discourse-microsoft-auth` plugin enabled, an attack can potentially take control of a victim’s Discourse account. Sites that have configured their application’s account type to any options other than `Accounts in this organizational directory only (O365 only – Single tenant)` are vulnerable. This vulnerability has been patched in commit c40665f44509724b64938c85def9fb2e79f62ec8 of `discourse-microsoft-auth`. A `microsoft_auth:revoke` rake task has also been added which will deactivate and log out all users that have connected their accounts to Microsoft. User API keys as well as API keys created by those users will also be revoked. The rake task will also remove the connection records to Microsoft for those users. This will allow affected users to re-verify their account emails as well as reconnect their Discourse account to Microsoft for authentication. As a workaround, disable the `discourse-microsoft-auth` plugin by setting the `microsoft_auth_enabled` site setting to `false`. Run the `microsoft_auth:log_out_users` rake task to log out all users with associated Microsoft accounts. 2024-02-21 9 CVE-2023-46241
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
dromara — hertzbeat Hertzbeat is a real-time monitoring system. In `CalculateAlarm.java`, `AviatorEvaluator` is used to directly execute the expression function, and no security policy is configured, resulting in AviatorScript (which can execute any static method by default) script injection. Version 1.4.1 fixes this vulnerability. 2024-02-22 9.8 CVE-2023-51388
security-advisories@github.com
security-advisories@github.com
dromara — hertzbeat Hertzbeat is a real-time monitoring system. At the interface of `/define/yml`, SnakeYAML is used as a parser to parse yml content, but no security configuration is used, resulting in a YAML deserialization vulnerability. Version 1.4.1 fixes this vulnerability. 2024-02-22 9.8 CVE-2023-51389
security-advisories@github.com
security-advisories@github.com
dromara — hertzbeat Hertzbeat is a real-time monitoring system. In the implementation of `JmxCollectImpl.java`, `JMXConnectorFactory.connect` is vulnerable to JNDI injection. The corresponding interface is `/api/monitor/detect`. If there is a URL field, the address will be used by default. When the URL is `service:jmx:rmi:///jndi/rmi://xxxxxxx:1099/localHikari`, it can be exploited to cause remote code execution. Version 1.4.1 contains a fix for this issue. 2024-02-22 9.8 CVE-2023-51653
security-advisories@github.com
security-advisories@github.com
electron-pdf — electron-pdf electron-pdf version 20.0.0 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate the HTML content entered by the user. 2024-02-20 7.5 CVE-2024-1648
help@fluidattacks.com
help@fluidattacks.com
eprosima — fast-dds eProsima Fast DDS (formerly Fast RTPS) is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Even with the application of SROS2, due to the issue where the data (`p[UD]`) and `guid` values used to disconnect between nodes are not encrypted, a vulnerability has been discovered where a malicious attacker can forcibly disconnect a Subscriber and can deny a Subscriber attempting to connect. Afterwards, if the attacker sends the packet for disconnecting, which is data (`p[UD]`), to the Global Data Space (`239.255.0.1:7400`) using the said Publisher ID, all the Subscribers (Listeners) connected to the Publisher (Talker) will not receive any data and their connection will be disconnected. Moreover, if this disconnection packet is sent continuously, the Subscribers (Listeners) trying to connect will not be able to do so. Since the initial commit of the `SecurityManager.cpp` code (`init`, `on_process_handshake`) on Nov 8, 2016, the Disconnect Vulnerability in RTPS Packets Used by SROS2 has been present prior to versions 2.13.0, 2.12.2, 2.11.3, 2.10.3, and 2.6.7. 2024-02-19 9.6 CVE-2023-50257
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
felixschwarz — mjml-python The `mjml` PyPI package, found at the `FelixSchwarz/mjml-python` GitHub repo, is an unofficial Python port of MJML, a markup language created by Mailjet. All users of `FelixSchwarz/mjml-python` who insert untrusted data into mjml templates unless that data is checked in a very strict manner. User input like `&lt;script&gt;` would be rendered as `<script>` in the final HTML output. The attacker must be able to control some data which is later injected in an mjml template which is then send out as email to other users. The attacker could control contents of email messages sent through the platform. The problem has been fixed in version 0.11.0 of this library. Versions before 0.10.0 are not affected by this security issue. As a workaround, ensure that potentially untrusted user input does not contain any sequences which could be rendered as HTML. 2024-02-22 8.2 CVE-2024-26151
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
fortinet — fortimanager A relative path traversal in Fortinet FortiManager version 7.4.0 and 7.2.0 through 7.2.3 and 7.0.0 through 7.0.8 and 6.4.0 through 6.4.12 and 6.2.0 through 6.2.11 allows attacker to execute unauthorized code or commands via crafted HTTP requests. 2024-02-20 8.8 CVE-2023-42791
psirt@fortinet.com
fortinet — fortios A null pointer dereference in Fortinet FortiOS version 7.2.0 through 7.2.4, 7.0.0 through 7.0.11, 6.4.0 through 6.4.12, 6.2.0 through 6.2.14, 6.0.0 through 6.0.16, FortiProxy 7.2.0 through 7.2.3, 7.0.0 through 7.0.10, 2.0.0 through 2.0.12, 1.2.0 through 1.2.13, 1.1.0 through 1.1.6, 1.0.0 through 1.0.7 allows attacker to denial of service via specially crafted HTTP requests. 2024-02-22 7.5 CVE-2023-29180
psirt@fortinet.com
fortinet — fortipam A use of externally-controlled format string in Fortinet FortiOS 7.2.0 through 7.2.4, 7.0.0 through 7.0.11, 6.4.0 through 6.4.12, 6.2.0 through 6.2.14, 6.0.0 through 6.0.16, FortiProxy 7.2.0 through 7.2.4, 7.0.0 through 7.0.10, 2.0.0 through 2.0.12, 1.2.0 through 1.2.13, 1.1.0 through 1.1.6, 1.0.0 through 1.0.7, FortiPAM 1.0.0 through 1.0.3 allows attacker to execute unauthorized code or commands via specially crafted command. 2024-02-22 8.8 CVE-2023-29181
psirt@fortinet.com
gitlab — gitlab An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.9 before 16.9.1. A crafted payload added to the user profile page could lead to a stored XSS on the client side, allowing attackers to perform arbitrary actions on behalf of victims.” 2024-02-22 8.7 CVE-2024-1451
cve@gitlab.com
cve@gitlab.com
gitlab — gitlab An authorization bypass vulnerability was discovered in GitLab affecting versions 15.1 prior to 16.7.6, 16.8 prior to 16.8.3, and 16.9 prior to 16.9.1. A developer could bypass CODEOWNERS approvals by creating a merge conflict. 2024-02-22 7.7 CVE-2024-0410
cve@gitlab.com
cve@gitlab.com
gofiber — fiber Fiber is a web framework written in go. Prior to version 2.52.1, the CORS middleware allows for insecure configurations that could potentially expose the application to multiple CORS-related vulnerabilities. Specifically, it allows setting the Access-Control-Allow-Origin header to a wildcard (`*`) while also having the Access-Control-Allow-Credentials set to true, which goes against recommended security best practices. The impact of this misconfiguration is high as it can lead to unauthorized access to sensitive user data and expose the system to various types of attacks listed in the PortSwigger article linked in the references. Version 2.52.1 contains a patch for this issue. As a workaround, users may manually validate the CORS configurations in their implementation to ensure that they do not allow a wildcard origin when credentials are enabled. The browser fetch api, as well as browsers and utilities that enforce CORS policies, are not affected by this. 2024-02-21 9.4 CVE-2024-25124
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
helm — helm Helm is a package manager for Charts for Kubernetes. Versions prior to 3.14.2 contain an uninitialized variable vulnerability when Helm parses index and plugin yaml files missing expected content. When either an `index.yaml` file or a plugins `plugin.yaml` file were missing all metadata a panic would occur in Helm. In the Helm SDK, this is found when using the `LoadIndexFile` or `DownloadIndexFile` functions in the `repo` package or the `LoadDir` function in the `plugin` package. For the Helm client this impacts functions around adding a repository and all Helm functions if a malicious plugin is added as Helm inspects all known plugins on each invocation. This issue has been resolved in Helm v3.14.2. If a malicious plugin has been added which is causing all Helm client commands to panic, the malicious plugin can be manually removed from the filesystem. If using Helm SDK versions prior to 3.14.2, calls to affected functions can use `recover` to catch the panic. 2024-02-21 7.5 CVE-2024-26147
security-advisories@github.com
security-advisories@github.com
hitachi — hitachi_global_link_manager Expression Language Injection vulnerability in Hitachi Global Link Manager on Windows allows Code Injection.This issue affects Hitachi Global Link Manager: before 8.8.7-03. 2024-02-20 7.6 CVE-2024-0715
hirt@hitachi.co.jp
ibm — aix IBM AIX 7.3, VIOS 4.1’s Perl implementation could allow a non-privileged local user to exploit a vulnerability to execute arbitrary commands. IBM X-Force ID: 281320. 2024-02-22 8.4 CVE-2024-25021
psirt@us.ibm.com
psirt@us.ibm.com
ibm — aspera_console IBM Aspera Console 3.4.0 through 3.4.2 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 239079. 2024-02-23 8.6 CVE-2022-43842
psirt@us.ibm.com
psirt@us.ibm.com
imaging_data_commons — libdicom A use-after-free vulnerability exists in the DICOM Element Parsing as implemented in Imaging Data Commons libdicom 1.0.5. A specially crafted DICOM file can cause premature freeing of memory that is used later. To trigger this vulnerability, an attacker would need to induce the vulnerable application to process a malicious DICOM image.The Use-After-Free happens in the `parse_meta_element_create()` parsing the elements in the File Meta Information header. 2024-02-20 8.1 CVE-2024-24793
talos-cna@cisco.com
imaging_data_commons — libdicom A use-after-free vulnerability exists in the DICOM Element Parsing as implemented in Imaging Data Commons libdicom 1.0.5. A specially crafted DICOM file can cause premature freeing of memory that is used later. To trigger this vulnerability, an attacker would need to induce the vulnerable application to process a malicious DICOM image.The Use-After-Free happens in the `parse_meta_sequence_end()` parsing the Sequence Value Represenations. 2024-02-20 8.1 CVE-2024-24794
talos-cna@cisco.com
internet_computer — agent-js Impact: The library offers a function to generate an ed25519 key pair via Ed25519KeyIdentity.generate with an optional param to provide a 32 byte seed value, which will then be used as the secret key. When no seed value is provided, it is expected that the library generates the secret key using secure randomness. However, a recent change broke this guarantee and uses an insecure seed for key pair generation. Since the private key of this identity (535yc-uxytb-gfk7h-tny7p-vjkoe-i4krp-3qmcl-uqfgr-cpgej-yqtjq-rqe) is compromised, one could lose funds associated with the principal on ledgers or lose access to a canister where this principal is the controller. 2024-02-21 9.1 CVE-2024-1631
6b35d637-e00f-4228-858c-b20ad6e1d07b
6b35d637-e00f-4228-858c-b20ad6e1d07b
6b35d637-e00f-4228-858c-b20ad6e1d07b
6b35d637-e00f-4228-858c-b20ad6e1d07b
6b35d637-e00f-4228-858c-b20ad6e1d07b
kedi — electroncord kedi ElectronCord is a bot management tool for Discord. Commit aaaeaf4e6c99893827b2eea4dd02f755e1e24041 exposes an account access token in the `config.json` file. Malicious actors could potentially exploit this vulnerability to gain unauthorized access to sensitive information or perform malicious actions on behalf of the repository owner. As of time of publication, it is unknown whether the owner of the repository has rotated the token or taken other mitigation steps aside from informing users of the situation. 2024-02-20 7.5 CVE-2024-26136
security-advisories@github.com
security-advisories@github.com
liferay — portal Reflected cross-site scripting (XSS) vulnerability in the instance settings for Accounts in Liferay Portal 7.4.3.44 through 7.4.3.97, and Liferay DXP 2023.Q3 before patch 6, and 7.4 update 44 through 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into the “Blocked Email Domains” text field 2024-02-21 9 CVE-2023-40191
security@liferay.com
liferay — portal Reflected cross-site scripting (XSS) vulnerability on the add assignees to a role page in Liferay Portal 7.3.3 through 7.4.3.97, and Liferay DXP 2023.Q3 before patch 6, 7.4 GA through update 92, and 7.3 before update 34 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_roles_admin_web_portlet_RolesAdminPortlet_tabs2 parameter. 2024-02-21 9.6 CVE-2023-42496
security@liferay.com
liferay — portal Reflected cross-site scripting (XSS) vulnerability in the Language Override edit screen in Liferay Portal 7.4.3.8 through 7.4.3.97, and Liferay DXP 2023.Q3 before patch 5, and 7.4 update 4 through 92 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_portal_language_override_web_internal_portlet_PLOPortlet_key parameter. 2024-02-21 9.6 CVE-2023-42498
security@liferay.com
liferay — portal Stored cross-site scripting (XSS) vulnerability in the Document and Media widget in Liferay Portal 7.4.3.18 through 7.4.3.101, and Liferay DXP 2023.Q3 before patch 6, and 7.4 update 18 through 92 allows remote authenticated users to inject arbitrary web script or HTML via a crafted payload injected into a document’s “Title” text field. 2024-02-21 9 CVE-2023-47795
security@liferay.com
liferay — portal Cross-site scripting (XSS) vulnerability in HtmlUtil.escapeJsLink in Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions allows remote attackers to inject arbitrary web script or HTML via crafted javascript: style links. 2024-02-21 9.6 CVE-2024-25147
security@liferay.com
liferay — portal Stored cross-site scripting (XSS) vulnerability in Message Board widget in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML via the filename of an attachment. 2024-02-21 9 CVE-2024-25152
security@liferay.com
liferay — portal Stored cross-site scripting (XSS) vulnerability in Expando module’s geolocation custom fields in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML via a crafted payload injected into the name text field of a geolocation custom field. 2024-02-21 9 CVE-2024-25601
security@liferay.com
liferay — portal Stored cross-site scripting (XSS) vulnerability in Users Admin module’s edit user page in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML via a crafted payload injected into an organization’s “Name” text field 2024-02-21 9 CVE-2024-25602
security@liferay.com
liferay — portal Stored cross-site scripting (XSS) vulnerability in the Dynamic Data Mapping module’s DDMForm in Liferay Portal 7.2.0 through 7.4.3.4, and older unsupported versions, and Liferay DXP 7.4.13, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML via the instanceId parameter. 2024-02-21 9 CVE-2024-25603
security@liferay.com
liferay — portal In Liferay Portal 7.2.0 through 7.4.3.12, and older unsupported versions, and Liferay DXP 7.4 before update 9, 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions, the default configuration does not sanitize blog entries of JavaScript, which allows remote authenticated users to inject arbitrary web script or HTML (XSS) via a crafted payload injected into a blog entry’s content text field. 2024-02-20 9 CVE-2024-25610
security@liferay.com
liferay — portal Multiple stored cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.2.0 through 7.4.3.13, and older unsupported versions, and Liferay DXP 7.4 before update 10, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions allow remote authenticated users to inject arbitrary web script or HTML via a crafted payload injected into the first/middle/last name text field of the user who creates an entry in the (1) Announcement widget, or (2) Alerts widget. 2024-02-21 9 CVE-2024-26266
security@liferay.com
liferay — portal Cross-site scripting (XSS) vulnerability in the Frontend JS module’s portlet.js in Liferay Portal 7.2.0 through 7.4.3.37, and Liferay DXP 7.4 before update 38, 7.3 before update 11, 7.2 before fix pack 20, and older unsupported versions allows remote attackers to inject arbitrary web script or HTML via the anchor (hash) part of a URL. 2024-02-21 9.6 CVE-2024-26269
security@liferay.com
liferay — portal XXE vulnerability in Liferay Portal 7.2.0 through 7.4.3.7, and older unsupported versions, and Liferay DXP 7.4 before update 4, 7.3 before update 12, 7.2 before fix pack 20, and older unsupported versions allows attackers with permission to deploy widgets/portlets/extensions to obtain sensitive information or consume system resources via the Java2WsddTask._format method. 2024-02-20 8 CVE-2024-25606
security@liferay.com
liferay — portal The default password hashing algorithm (PBKDF2-HMAC-SHA1) in Liferay Portal 7.2.0 through 7.4.3.15, and older unsupported versions, and Liferay DXP 7.4 before update 16, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions defaults to a low work factor, which allows attackers to quickly crack password hashes. 2024-02-20 8.1 CVE-2024-25607
security@liferay.com
loomio — loomio Loomio version 2.22.0 allows executing arbitrary commands on the server. This is possible because the application is vulnerable to OS Command Injection. 2024-02-20 10 CVE-2024-1297
help@fluidattacks.com
help@fluidattacks.com
mantisbt — mantisbt MantisBT is an open source issue tracker. Prior to version 2.26.1, an unauthenticated attacker who knows a user’s email address and username can hijack the user’s account by poisoning the link in the password reset notification message. A patch is available in version 2.26.1. As a workaround, define `$g_path` as appropriate in `config_inc.php`. 2024-02-20 8.3 CVE-2024-23830
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
mastodon — mastodon Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.2.7, 4.1.15, 4.0.15, and 3.5.19, when fetching remote statuses, Mastodon doesn’t check that the response from the remote server has a `Content-Type` header value of the Activity Streams media type, which allows a threat actor to upload a crafted Activity Streams document to a remote server and make a Mastodon server fetch it, if the remote server accepts arbitrary user uploads. The vulnerability allows a threat actor to impersonate an account on a remote server that satisfies all of the following properties: allows the attacker to register an account; accepts arbitrary user-uploaded documents and places them on the same domain as the ActivityPub actors; and serves user-uploaded document in response to requests with an `Accept` header value of the Activity Streams media type. Versions 4.2.7, 4.1.15, 4.0.15, and 3.5.19 contain a fix for this issue. 2024-02-19 8.5 CVE-2024-25623
security-advisories@github.com
security-advisories@github.com
materialsproject — pymatgen Pymatgen (Python Materials Genomics) is an open-source Python library for materials analysis. A critical security vulnerability exists in the `JonesFaithfulTransformation.from_transformation_str()` method within the `pymatgen` library prior to version 2024.2.20. This method insecurely utilizes `eval()` for processing input, enabling execution of arbitrary code when parsing untrusted input. Version 2024.2.20 fixes this issue. 2024-02-21 9.3 CVE-2024-23346
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
microsoft — microsoft_edge_(chromium-based) Microsoft Edge (Chromium-based) Information Disclosure Vulnerability 2024-02-23 8.2 CVE-2024-26192
secure@microsoft.com
misskey-dev — misskey Misskey is an open source, decentralized social media platform with ActivityPub support. Prior to version 2024.2.0, when fetching remote Activity Streams objects, Misskey doesn’t check that the response from the remote server has a `Content-Type` header value of the Activity Streams media type, which allows a threat actor to upload a crafted Activity Streams document to a remote server and make a Misskey instance fetch it, if the remote server accepts arbitrary user uploads. The vulnerability allows a threat actor to impersonate and take over an account on a remote server that satisfies all of the following properties: allows the threat actor to register an account; accepts arbitrary user-uploaded documents and places them on the same domain as legitimate Activity Streams actors; and serves user-uploaded document in response to requests with an `Accept` header value of the Activity Streams media type. Version 2024.2.0 contains a patch for the issue. 2024-02-19 7.1 CVE-2024-25636
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
mlflow — mflow Insufficient sanitization in MLflow leads to XSS when running an untrusted recipe. This issue leads to a client-side RCE when running an untrusted recipe in Jupyter Notebook. The vulnerability stems from lack of sanitization over template variables. 2024-02-23 7.5 CVE-2024-27132
reefs@jfrog.com
reefs@jfrog.com
mlflow — mflow Insufficient sanitization in MLflow leads to XSS when running a recipe that uses an untrusted dataset. This issue leads to a client-side RCE when running the recipe in Jupyter Notebook. The vulnerability stems from lack of sanitization over dataset table fields. 2024-02-23 7.5 CVE-2024-27133
reefs@jfrog.com
reefs@jfrog.com
moodle — moodle Insufficient file size checks resulted in a denial of service risk in the file picker’s unzip functionality. 2024-02-19 7.5 CVE-2024-25978
patrick@puiterwijk.org
patrick@puiterwijk.org
patrick@puiterwijk.org
ni — systemlink_server Incorrect permissions in the installation directories for shared SystemLink Elixir based services may allow an authenticated user to potentially enable escalation of privilege via local access. 2024-02-20 7.8 CVE-2024-1155
security@ni.com
ni — systemlink_server Incorrect directory permissions for the shared NI RabbitMQ service may allow a local authenticated user to read RabbitMQ configuration information and potentially enable escalation of privileges. 2024-02-20 7.8 CVE-2024-1156
security@ni.com
onnx — onnx Versions of the package onnx before and including 1.15.0 are vulnerable to Directory Traversal as the external_data field of the tensor proto can have a path to the file which is outside the model current directory or user-provided directory. The vulnerability occurs as a bypass for the patch added for CVE-2022-25882. 2024-02-23 7.5 CVE-2024-27318
6f8de1f0-f67e-45a6-b68f-98777fdb759c
6f8de1f0-f67e-45a6-b68f-98777fdb759c
open_vswitch — open_vswitch A flaw was found in Open vSwitch where multiple versions are vulnerable to crafted Geneve packets, which may result in a denial of service and invalid memory accesses. Triggering this issue requires that hardware offloading via the netlink path is enabled. 2024-02-22 7.5 CVE-2023-3966
secalert@redhat.com
secalert@redhat.com
oppo — usercenter_credit_sdk In OPPO Usercenter Credit SDK, there’s a possible escalation of privilege due to loose permission check, This could lead to application internal information leak w/o user interaction. 2024-02-20 9.1 CVE-2024-1608
security@oppo.com
pgjdbc — pgjdbc pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there is no vulnerability. A placeholder for a numeric value must be immediately preceded by a minus. There must be a second placeholder for a string value after the first placeholder; both must be on the same line. By constructing a matching string payload, the attacker can inject SQL to alter the query,bypassing the protections that parameterized queries bring against SQL Injection attacks. Versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.8 are affected. 2024-02-19 10 CVE-2024-1597
f86ef6dc-4d3a-42ad-8f28-e6d5547a5007
pimcore — admin-ui-classic-bundle Pimcore’s Admin Classic Bundle provides a Backend UI for Pimcore. A potential security vulnerability has been discovered in `pimcore/admin-ui-classic-bundle` prior to version 1.3.4. The vulnerability involves a Host Header Injection in the `invitationLinkAction` function of the UserController, specifically in the way `$loginUrl` trusts user input. The host header from incoming HTTP requests is used unsafely when generating URLs. An attacker can manipulate the HTTP host header in requests to the /admin/user/invitationlink endpoint, resulting in the generation of URLs with the attacker’s domain. In fact, if a host header is injected in the POST request, the $loginURL parameter is constructed with this unvalidated host header. It is then used to send an invitation email to the provided user. This vulnerability can be used to perform phishing attacks by making the URLs in the invitation links emails point to an attacker-controlled domain. Version 1.3.4 contains a patch for the vulnerability. The maintainers recommend validating the host header and ensuring it matches the application’s domain. It would also be beneficial to use a default trusted host or hostname if the incoming host header is not recognized or is absent. 2024-02-19 8.1 CVE-2024-25625
security-advisories@github.com
security-advisories@github.com
powerpack_addons_for_elementor — powerpack_pro_for_elementor Cross-Site Request Forgery (CSRF) vulnerability in PowerPack Addons for Elementor PowerPack Pro for Elementor.This issue affects PowerPack Pro for Elementor: from n/a before 2.10.8. 2024-02-21 7.1 CVE-2024-24843
audit@patchstack.com
progress_software — loadmaster Unauthenticated remote attackers can access the system through the LoadMaster management interface, enabling arbitrary system command execution. 2024-02-21 10 CVE-2024-1212
security@progress.com
security@progress.com
security@progress.com
security@progress.com
progress_software_coproration — ws_ftp_server In WS_FTP Server versions before 8.8.5, reflected cross-site scripting issues have been identified on various user supplied inputs on the WS_FTP Server administrative interface. 2024-02-21 7.5 CVE-2024-1474
security@progress.com
security@progress.com
pyca — cryptography cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting in version 38.0.0 and prior to version 42.0.4, if `pkcs12.serialize_key_and_certificates` is called with both a certificate whose public key did not match the provided private key and an `encryption_algorithm` with `hmac_hash` set (via `PrivateFormat.PKCS12.encryption_builder().hmac_hash(…)`, then a NULL pointer dereference would occur, crashing the Python process. This has been resolved in version 42.0.4, the first version in which a `ValueError` is properly raised. 2024-02-21 7.5 CVE-2024-26130
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
pyhtml2pdf — pyhtml2pdf Pyhtml2pdf version 0.0.6 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate the HTML content entered by the user. 2024-02-20 7.5 CVE-2024-1647
help@fluidattacks.com
help@fluidattacks.com
silicon_labs — gecko_platform A heap-based buffer overflow vulnerability exists in the HTTP Server functionality of WestonFF Embedded uC-HTTP git commit 80d4004. A specially crafted network packet can lead to arbitrary code execution. An attacker can send a malicious packet to trigger this vulnerability. 2024-02-20 10 CVE-2023-45318
talos-cna@cisco.com
sitepact — sitepact Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in Sitepact.This issue affects Sitepact: from n/a through 1.0.5. 2024-02-23 7.1 CVE-2024-25928
audit@patchstack.com
sourcecodester — complete_file_management_system A vulnerability, which was classified as critical, was found in SourceCodester Complete File Management System 1.0. Affected is an unknown function of the file users/index.php of the component Login Form. The manipulation of the argument username with the input torada%27+or+%271%27+%3D+%271%27+–+- leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-254622 is the identifier assigned to this vulnerability. 2024-02-23 7.3 CVE-2024-1831
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
sourcecodester — complete_file_management_system A vulnerability has been found in SourceCodester Complete File Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /admin/ of the component Admin Login Form. The manipulation of the argument username with the input torada%27+or+%271%27+%3D+%271%27+–+- leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-254623. 2024-02-23 7.3 CVE-2024-1832
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
sourcecodester — employee_management_system A vulnerability was found in SourceCodester Employee Management System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /Account/login.php. The manipulation of the argument txtusername leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-254624. 2024-02-23 7.3 CVE-2024-1833
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
spring — spring_framework Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF attack if the URL is used after passing validation checks. 2024-02-23 8.1 CVE-2024-22243
security@vmware.com
spring — spring_security In Spring Security, versions 6.1.x prior to 6.1.7 and versions 6.2.x prior to 6.2.2, an application is vulnerable to broken access control when it directly uses the AuthenticationTrustResolver.isFullyAuthenticated(Authentication);method. Specifically, an application is vulnerable if: * The application uses AuthenticationTrustResolver.isFullyAuthenticated(Authentication) directly and a null authentication parameter is passed to it resulting in an erroneous true return value. An application is not vulnerable if any of the following is true: * The application does not use AuthenticationTrustResolver.isFullyAuthenticated(Authentication) directly. * The application does not pass null to AuthenticationTrustResolver.isFullyAuthenticated * The application only uses isFullyAuthenticated via Method Security https://docs.spring.io/spring-security/reference/servlet/authorization/method-security.html or HTTP Request Security https://docs.spring.io/spring-security/reference/servlet/authorization/authorize-http-requests.html 2024-02-20 7.4 CVE-2024-22234
security@vmware.com
suite_crm — suite_crm Suite CRM version 7.14.2 allows including local php files. This is possible because the application is vulnerable to LFI. 2024-02-20 9.9 CVE-2024-1644
help@fluidattacks.com
help@fluidattacks.com
tenable — tenable_identity_exposure_secure_relay A DLL injection vulnerability exists where an authenticated, low-privileged local attacker could modify application files on the TIE Secure Relay host, which could allow for overriding of the configuration and running of new Secure Relay services. 2024-02-23 7.3 CVE-2024-1683
vulnreport@tenable.com
the_biosig_project — libbiosig A heap-based buffer overflow vulnerability exists in the .egi parsing functionality of The Biosig Project libbiosig 2.5.0 and Master Branch (ab0ee111). A specially crafted .egi file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability. 2024-02-20 9.8 CVE-2024-21795
talos-cna@cisco.com
the_biosig_project — libbiosig A double-free vulnerability exists in the BrainVision Header Parsing functionality of The Biosig Project libbiosig Master Branch (ab0ee111) and 2.5.0. A specially crafted .vdhr file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability. 2024-02-20 9.8 CVE-2024-22097
talos-cna@cisco.com
the_biosig_project — libbiosig An integer overflow vulnerability exists in the sopen_FAMOS_read functionality of The Biosig Project libbiosig 2.5.0 and Master Branch (ab0ee111). A specially crafted .famos file can lead to an out-of-bounds write which in turn can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability. 2024-02-20 9.8 CVE-2024-21812
talos-cna@cisco.com
the_biosig_project — libbiosig An out-of-bounds write vulnerability exists in the BrainVisionMarker Parsing functionality of The Biosig Project libbiosig 2.5.0 and Master Branch (ab0ee111). A specially crafted .vmrk file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability. 2024-02-20 9.8 CVE-2024-23305
talos-cna@cisco.com
the_biosig_project — libbiosig A use-after-free vulnerability exists in the sopen_FAMOS_read functionality of The Biosig Project libbiosig 2.5.0 and Master Branch (ab0ee111). A specially crafted .famos file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability. 2024-02-20 9.8 CVE-2024-23310
talos-cna@cisco.com
the_biosig_project — libbiosig An integer underflow vulnerability exists in the sopen_FAMOS_read functionality of The Biosig Project libbiosig 2.5.0 and Master Branch (ab0ee111). A specially crafted .famos file can lead to an out-of-bounds write which in turn can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability. 2024-02-20 9.8 CVE-2024-23313
talos-cna@cisco.com
the_biosig_project — libbiosig An out-of-bounds write vulnerability exists in the sopen_FAMOS_read functionality of The Biosig Project libbiosig 2.5.0 and Master Branch (ab0ee111). A specially crafted .famos file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability. 2024-02-20 9.8 CVE-2024-23606
talos-cna@cisco.com
the_biosig_project — libbiosig A double-free vulnerability exists in the BrainVision ASCII Header Parsing functionality of The Biosig Project libbiosig 2.5.0 and Master Branch (ab0ee111). A specially crafted .vdhr file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability. 2024-02-20 9.8 CVE-2024-23809
talos-cna@cisco.com
torrentpier — torrentpier Torrentpier version 2.4.1 allows executing arbitrary commands on the server. This is possible because the application is vulnerable to insecure deserialization. 2024-02-20 10 CVE-2024-1651
help@fluidattacks.com
help@fluidattacks.com
totolink — lr1200gb A vulnerability classified as critical has been found in Totolink LR1200GB 9.1.0u.6619_B20230130/9.3.5u.6698_B20230810. Affected is the function loginAuth of the file /cgi-bin/cstecgi.cgi of the component Web Interface. The manipulation of the argument http_host leads to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-254574 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. 2024-02-23 9.8 CVE-2024-1783
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
undertow — undertow A vulnerability was found in Undertow. This vulnerability impacts a server that supports the wildfly-http-client protocol. Whenever a malicious user opens and closes a connection with the HTTP port of the server and then closes the connection immediately, the server will end with both memory and open file limits exhausted at some point, depending on the amount of memory available. At HTTP upgrade to remoting, the WriteTimeoutStreamSinkConduit leaks connections if RemotingConnection is closed by Remoting ServerConnectionOpenListener. Because the remoting connection originates in Undertow as part of the HTTP upgrade, there is an external layer to the remoting connection. This connection is unaware of the outermost layer when closing the connection during the connection opening procedure. Hence, the Undertow WriteTimeoutStreamSinkConduit is not notified of the closed connection in this scenario. Because WriteTimeoutStreamSinkConduit creates a timeout task, the whole dependency tree leaks via that task, which is added to XNIO WorkerThread. So, the workerThread points to the Undertow conduit, which contains the connections and causes the leak. 2024-02-19 7.5 CVE-2024-1635
secalert@redhat.com
secalert@redhat.com
veritas — ediscovery_platform A vulnerability was discovered in Veritas eDiscovery Platform before 10.2.5. The application administrator can upload potentially malicious files to arbitrary locations on the server on which the application is installed. 2024-02-22 7.2 CVE-2024-27283
cve@mitre.org
vmware — vmware_enhanced_authentication_plug-in_(eap) Arbitrary Authentication Relay and Session Hijack vulnerabilities in the deprecated VMware Enhanced Authentication Plug-in (EAP) could allow a malicious actor that could trick a target domain user with EAP installed in their web browser into requesting and relaying service tickets for arbitrary Active Directory Service Principal Names (SPNs). 2024-02-20 9.6 CVE-2024-22245
security@vmware.com
vmware — vmware_enhanced_authentication_plug-in_(eap) Session Hijack vulnerability in Deprecated VMware Enhanced Authentication Plug-in could allow a malicious actor with unprivileged local access to a windows operating system can hijack a privileged EAP session when initiated by a privileged domain user on the same system. 2024-02-20 7.8 CVE-2024-22250
security@vmware.com
weston_embedded — uc-tcp-ip A double-free vulnerability exists in the IP header loopback parsing functionality of Weston Embedded uC-TCP-IP v3.06.01. A specially crafted set of network packets can lead to memory corruption, potentially resulting in code execution. An attacker can send a sequence of unauthenticated packets to trigger this vulnerability. 2024-02-20 8.7 CVE-2023-38562
talos-cna@cisco.com
ylianst — meshcentral MeshCentral is a full computer management web site. Versions prior to 1.1.21 a cross-site websocket hijacking (CSWSH) vulnerability within the control.ashx endpoint. This component is the primary mechanism used within MeshCentral to perform administrative actions on the server. The vulnerability is exploitable when an attacker is able to convince a victim end-user to click on a malicious link to a page hosting an attacker-controlled site. The attacker can then originate a cross-site websocket connection using client-side JavaScript code to connect to `control.ashx` as the victim user within MeshCentral. Version 1.1.21 contains a patch for this issue. 2024-02-20 8.3 CVE-2024-26135
security-advisories@github.com
security-advisories@github.com
yoctoproject — poky Yocto Project is an open source collaboration project that helps developers create custom Linux-based systems regardless of the hardware architecture. In Yocto Projects Bitbake before 2.6.2 (before and included Yocto Project 4.3.1), with the Toaster server (included in bitbake) running, missing input validation allows an attacker to perform a remote code execution in the server’s shell via a crafted HTTP request. Authentication is not necessary. Toaster server execution has to be specifically run and is not the default for Bitbake command line builds, it is only used for the Toaster web based user interface to Bitbake. The fix has been backported to the bitbake included with Yocto Project 5.0, 3.1.31, 4.0.16, and 4.3.2. 2024-02-19 8.8 CVE-2024-25626
security-advisories@github.com
zephyrproject-rtos — zephyr Signed to unsigned conversion esp32_ipm_send 2024-02-18 8 CVE-2023-6249
vulnerabilities@zephyrproject.org
zephyrproject-rtos — zephyr Unchecked length coming from user input in settings shell 2024-02-18 8 CVE-2023-6749
vulnerabilities@zephyrproject.org
zephyrproject-rtos — zephyr The documentation specifies that the BT_GATT_PERM_READ_LESC and BT_GATT_PERM_WRITE_LESC defines for a Bluetooth characteristic: Attribute read/write permission with LE Secure Connection encryption. If set, requires that LE Secure Connections is used for read/write access, however this is only true when it is combined with other permissions, namely BT_GATT_PERM_READ_ENCRYPT/BT_GATT_PERM_READ_AUTHEN (for read) or BT_GATT_PERM_WRITE_ENCRYPT/BT_GATT_PERM_WRITE_AUTHEN (for write), if these additional permissions are not set (even in secure connections only mode) then the stack does not perform any permission checks on these characteristics and they can be freely written/read. 2024-02-19 8.2 CVE-2024-1638
vulnerabilities@zephyrproject.org
zestardtechnologies — admin_side_data_storage_for_contact_form_7 The Admin side data storage for Contact Form 7 plugin for WordPress is vulnerable to SQL Injection via the ‘form-id’ parameter in all versions up to, and including, 1.1.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. 2024-02-23 7.2 CVE-2024-1776
security@wordfence.com
security@wordfence.com
zyxel — atp_series_firmware A format string vulnerability in a function of the IPSec VPN feature in Zyxel ATP series firmware versions from 4.32 through 5.37 Patch 1, USG FLEX series firmware versions from 4.50 through 5.37 Patch 1, USG FLEX 50(W) series firmware versions from 4.16 through 5.37 Patch 1, and USG20(W)-VPN series firmware versions from 4.16 through 5.37 Patch 1 could allow an attacker to achieve unauthorized remote code execution by sending a sequence of specially crafted payloads containing an invalid pointer; however, such an attack would require detailed knowledge of an affected device’s memory layout and configuration. 2024-02-20 8.1 CVE-2023-6764
security@zyxel.com.tw
zyxel — atp_series_firmware A post-authentication command injection vulnerability in the file upload binary in Zyxel ATP series firmware versions from 4.32 through 5.37 Patch 1, USG FLEX series firmware versions from 4.50 through 5.37 Patch 1, USG FLEX 50(W) series firmware versions from 4.16 through 5.37 Patch 1, USG20(W)-VPN series firmware versions from 4.16 through 5.37 Patch 1, USG FLEX H series firmware versions from 1.10 through 1.10 Patch 1, NWA50AX firmware versions through 6.29(ABYW.3), WAC500 firmware versions through 6.65(ABVS.1), WAX300H firmware versions through 6.60(ACHF.1), and WBE660S firmware versions through 6.65(ACGG.1) could allow an authenticated attacker with administrator privileges to execute some operating system (OS) commands on an affected device via FTP. 2024-02-20 7.2 CVE-2023-6398
security@zyxel.com.tw

Back to top

 

Medium Vulnerabilities

Primary
Vendor — Product
Description Published CVSS Score Source & Patch Info
apache — commons_compress Loop with Unreachable Exit Condition (‘Infinite Loop’) vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.3 through 1.25.0. Users are recommended to upgrade to version 1.26.0 which fixes the issue. 2024-02-19 5.5 CVE-2024-25710
security@apache.org
security@apache.org
apache — commons_compress Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.21 before 1.26. Users are recommended to upgrade to version 1.26, which fixes the issue. 2024-02-19 5.5 CVE-2024-26308
security@apache.org
security@apache.org
apostrophe — sanitize-html Versions of the package sanitize-html before 2.12.1 are vulnerable to Information Exposure when used on the backend and with the style attribute allowed, allowing enumeration of files in the system (including project dependencies). An attacker could exploit this vulnerability to gather details about the file system structure and dependencies of the targeted server. 2024-02-24 5.3 CVE-2024-21501
report@snyk.io
report@snyk.io
report@snyk.io
report@snyk.io
report@snyk.io
archer — archer_platform Archer Platform 6.x before 6.14 P2 HF1 (6.14.0.2.1) contains a reflected XSS vulnerability. A remote authenticated malicious Archer user could potentially exploit this by tricking a victim application user into supplying malicious JavaScript code to the vulnerable web application. This code is then reflected to the victim and gets executed by the web browser in the context of the vulnerable web application. 2024-02-21 5.7 CVE-2024-26311
cve@mitre.org
cve@mitre.org
archer — archer_platform Denial of service condition in M-Files Server inversions before 24.2 (excluding 23.2 SR7 and 23.8 SR5) allows anonymous user to cause denial of service against other anonymous users. 2024-02-23 4.3 CVE-2024-0563
security@m-files.com
archer — platform Archer Platform 6.8 before 6.14 P2 (6.14.0.2) contains an improper access control vulnerability. A remote authenticated malicious user could potentially exploit this to gain access to API information that should only be accessible with extra privileges. 2024-02-21 4.3 CVE-2024-26310
cve@mitre.org
cve@mitre.org
arne_franken — all_in_one_favicon Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability in Arne Franken All In One Favicon.This issue affects All In One Favicon: from n/a through 4.7. 2024-02-23 6.8 CVE-2023-24416
audit@patchstack.com
baserproject — basercms baserCMS is a website development framework. Prior to version 5.0.9, there is a cross-site scripting vulnerability in the content management feature. Version 5.0.9 contains a fix for this vulnerability. 2024-02-22 5.4 CVE-2024-26128
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
baserproject — basercms baserCMS is a website development framework. Prior to version 5.0.9, there is a cross-site scripting vulnerability in the site search feature. Version 5.0.9 contains a fix for this vulnerability. 2024-02-22 6.1 CVE-2023-44379
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
baserproject — basercms baserCMS is a website development framework. Prior to version 5.0.9, there is an OS Command Injection vulnerability in the site search feature of baserCMS. Version 5.0.9 contains a fix for this vulnerability. 2024-02-22 5.6 CVE-2023-51450
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
c-ares — c-ares c-ares is a C library for asynchronous DNS requests. `ares__read_line()` is used to parse local configuration files such as `/etc/resolv.conf`, `/etc/nsswitch.conf`, the `HOSTALIASES` file, and if using a c-ares version prior to 1.27.0, the `/etc/hosts` file. If any of these configuration files has an embedded `NULL` character as the first character in a new line, it can lead to attempting to read memory prior to the start of the given buffer which may result in a crash. This issue is fixed in c-ares 1.27.0. No known workarounds exist. 2024-02-23 4.4 CVE-2024-25629
security-advisories@github.com
security-advisories@github.com
cilium — cilium Cilium is a networking, observability, and security solution with an eBPF-based dataplane. For Cilium users who are using CRDs to store Cilium state (the default configuration) and Wireguard transparent encryption, traffic to/from the Ingress and health endpoints is not encrypted. This issue affects Cilium v1.14 before v1.14.7 and has been patched in Cilium v1.14.7. There is no workaround to this issue. 2024-02-20 6.1 CVE-2024-25630
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
cilium — cilium Cilium is a networking, observability, and security solution with an eBPF-based dataplane. For Cilium users who have enabled an external kvstore and Wireguard transparent encryption, traffic between pods in the affected cluster is not encrypted. This issue affects Cilium v1.14 before v1.14.7 and has been patched in Cilium v1.14.7. There is no workaround to this issue. 2024-02-20 6.1 CVE-2024-25631
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
cisco — cisco_unified_intelligence_center A vulnerability in the Live Data server of Cisco Unified Intelligence Center could allow an unauthenticated, local attacker to read and modify data in a repository that belongs to an internal service on an affected device. This vulnerability is due to insufficient access control implementations on cluster configuration CLI requests. An attacker could exploit this vulnerability by sending a cluster configuration CLI request to specific directories on an affected device. A successful exploit could allow the attacker to read and modify data that is handled by an internal service on the affected device. 2024-02-21 5.1 CVE-2024-20325
ykramarz@cisco.com
code-projects — crime_reporting_system A vulnerability was found in code-projects Crime Reporting System 1.0. It has been rated as critical. This issue affects some unknown processing of the file police_add.php. The manipulation of the argument police_name/police_id/police_spec/password leads to sql injection. The exploit has been disclosed to the public and may be used. The identifier VDB-254609 was assigned to this vulnerability. 2024-02-23 5.5 CVE-2024-1821
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
codeastro — simple_voting_system A vulnerability classified as critical was found in CodeAstro Simple Voting System 1.0. Affected by this vulnerability is an unknown functionality of the file users.php of the component Backend. The manipulation leads to improper access controls. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-254611. 2024-02-23 5.3 CVE-2024-1823
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
codeastro — house_rental_management_system A vulnerability, which was classified as problematic, was found in CodeAstro House Rental Management System 1.0. This affects an unknown part of the component User Registration Page. The manipulation of the argument address with the input <img src=”1″ onerror=”console.log(1)”> leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-254613 was assigned to this vulnerability. 2024-02-23 4.3 CVE-2024-1825
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
codeastro — membership_management_system A vulnerability was found in CodeAstro Membership Management System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /uploads/ of the component Logo Handler. The manipulation leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-254606 is the identifier assigned to this vulnerability. 2024-02-23 4.7 CVE-2024-1818
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
codeastro — membership_management_system A vulnerability was found in CodeAstro Membership Management System 1.0. It has been classified as critical. This affects an unknown part of the component Add Members Tab. The manipulation of the argument Member Photo leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-254607. 2024-02-23 4.7 CVE-2024-1819
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
david_stockl — tinymce_and_tinymce_advanced_professional_formats_and_styles Cross-Site Request Forgery (CSRF) vulnerability in David Stockl TinyMCE and TinyMCE Advanced Professsional Formats and Styles.This issue affects TinyMCE and TinyMCE Advanced Professsional Formats and Styles: from n/a through 1.1.2. 2024-02-21 4.3 CVE-2024-25904
audit@patchstack.com
decidim — decidim Decidim is a participatory democracy framework. Starting in version 0.23.0 and prior to versions 0.27.5 and 0.28.0, the CSRF authenticity token check is disabled for the questionnaire templates preview. The issue does not imply a serious security thread as you need to have access also to the session cookie in order to see this resource. This URL does not allow modifying the resource but it may allow attackers to gain access to information which was not meant to be public. The issue is fixed in version 0.27.5 and 0.28.0. As a workaround, disable the templates functionality or remove all available templates. 2024-02-20 4.5 CVE-2023-47635
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
decidim — decidim Decidim is a participatory democracy framework. Starting in version 0.27.0 and prior to versions 0.27.5 and 0.28.0, the dynamic file upload feature is subject to potential cross-site scripting attacks in case the attacker manages to modify the file names of the records being uploaded to the server. This appears in sections where the user controls the file upload dialogs themselves and has the technical knowledge to change the file names through the dynamic upload endpoint. Therefore I believe it would require the attacker to control the whole session of the particular user but in any case, this needs to be fixed. Successful exploit of this vulnerability would require the user to have successfully uploaded a file blob to the server with a malicious file name and then have the possibility to direct the other user to the edit page of the record where the attachment is attached. The users are able to craft the direct upload requests themselves controlling the file name that gets stored to the database. The attacker is able to change the filename e.g. to `<svg onload=alert(‘XSS’)>` if they know how to craft these requests themselves. And then enter the returned blob ID to the form inputs manually by modifying the edit page source. Versions 0.27.5 and 0.28.0 contain a patch for this issue. As a workaround, disable dynamic uploads for the instance, e.g. from proposals. 2024-02-20 6.3 CVE-2023-51447
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
decidim — decidim Decidim is a participatory democracy framework. Starting in version 0.4.rc3 and prior to version 2.0.9 of the `devise_invitable` gem, the invites feature allows users to accept the invitation for an unlimited amount of time through the password reset functionality. This issue creates vulnerable dependencies starting in version 0.0.1.alpha3 and prior to versions 0.26.9, 0.27.5, and 0.28.0 of the `decidim,` `decidim-admin`, and `decidim-system` gems. When using the password reset functionality, the `devise_invitable` gem always accepts the pending invitation if the user has been invited. The only check done is if the user has been invited but the code does not ensure that the pending invitation is still valid as defined by the `invite_for` expiry period. Decidim sets this configuration to `2.weeks` so this configuration should be respected. The bug is in the `devise_invitable` gem and should be fixed there and the dependency should be upgraded in Decidim once the fix becomes available. `devise_invitable` to version `2.0.9` and above fix this issue. Versions 0.26.9, 0.27.5, and 0.28.0 of the `decidim,` `decidim-admin`, and `decidim-system` gems contain this fix. As a workaround, invitations can be cancelled directly from the database. 2024-02-20 5.7 CVE-2023-48220
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
desertsnowman — plugin_groups The Plugin Groups plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the admin_init() function in all versions up to, and including, 2.0.6. This makes it possible for unauthenticated attackers to change the settings of the plugin, which can also cause a denial of service due to a misconfiguration. 2024-02-21 6.5 CVE-2024-1108
security@wordfence.com
security@wordfence.com
dfir-iris — iris-web Iris is a web collaborative platform that helps incident responders share technical details during investigations. A stored Cross-Site Scripting (XSS) vulnerability has been identified in iris-web, affecting multiple locations in versions prior to v2.4.0. The vulnerability may allow an attacker to inject malicious scripts into the application, which could then be executed when a user visits the affected locations. This could lead to unauthorized access, data theft, or other related malicious activities. An attacker need to be authenticated on the application to exploit this vulnerability. The issue is fixed in version v2.4.0 of iris-web. No workarounds are available. 2024-02-19 4.6 CVE-2024-25640
security-advisories@github.com
discourse — discourse-calendar Discourse Calendar adds the ability to create a dynamic calendar in the first post of a topic on the open-source discussion platform Discourse. Prior to version 0.4, event invitees created in topics in private categories or PMs (private messages) can be retrieved by anyone, even if they’re not logged in. This problem is resolved in version 0.4 of the discourse-calendar plugin. While no known workaround is available, putting the site behind `login_required` will disallow this endpoint to be used by anonymous users, but logged in users can still get the list of invitees in the private topics. 2024-02-22 4.3 CVE-2024-24817
security-advisories@github.com
security-advisories@github.com
discourse — discourse-calendar Discourse Calendar adds the ability to create a dynamic calendar in the first post of a topic on Discourse. Uninvited users are able to gain access to private events by crafting a request to update their attendance. This problem is resolved in commit dfc4fa15f340189f177a1d1ab2cc94ffed3c1190. As a workaround, one may use post visibility to limit access. 2024-02-21 6.5 CVE-2024-26145
security-advisories@github.com
security-advisories@github.com
discourse– discourse-ai discourse-ai is the AI plugin for the open-source discussion platform Discourse. Prior to commit 94ba0dadc2cf38e8f81c3936974c167219878edd, interactions with different AI services are vulnerable to admin-initiated SSRF attacks. Versions of the plugin that include commit 94ba0dadc2cf38e8f81c3936974c167219878edd contain a patch. As a workaround, one may disable the discourse-ai plugin. 2024-02-21 4.1 CVE-2024-23654
security-advisories@github.com
security-advisories@github.com
dompdf — php-svg-lib php-svg-lib is a scalable vector graphics (SVG) file parsing/rendering library. Prior to version 0.5.2, php-svg-lib fails to validate that font-family doesn’t contain a PHAR url, which might leads to RCE on PHP < 8.0, and doesn’t validate if external references are allowed. This might leads to bypass of restrictions or RCE on projects that are using it, if they do not strictly revalidate the fontName that is passed by php-svg-lib. The `Style::fromAttributes(`), or the `Style::parseCssStyle()` should check the content of the `font-family` and prevents it to use a PHAR url, to avoid passing an invalid and dangerous `fontName` value to other libraries. The same check as done in the `Style::fromStyleSheets` might be reused. Libraries using this library as a dependency might be vulnerable to some bypass of restrictions, or even remote code execution, if they do not double check the value of the `fontName` that is passed by php-svg-lib. Version 0.5.2 contains a fix for this issue. 2024-02-21 6.8 CVE-2024-25117
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
enalean — tuleap Tuleap is an open source suite to improve management of software developments and collaboration. Prior to version 15.5.99.76 of Tuleap Community Edition and prior to versions 15.5-4 and 15.4-7 of Tuleap Enterprise Edition, users with a read access to a tracker where the mass update feature is used might get access to restricted information. Tuleap Community Edition 15.5.99.76, Tuleap Enterprise Edition 15.5-4, and Tuleap Enterprise Edition 15.4-7 contain a patch for this issue. 2024-02-22 5.4 CVE-2024-25130
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
eteubert — archivist_-_custom_archive_templates The Archivist – Custom Archive Templates plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘shortcode_attributes’ parameter in all versions up to, and including, 1.7.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. 2024-02-24 6.1 CVE-2024-1810
security@wordfence.com
security@wordfence.com
eventstore — eventstore EventStoreDB (ESDB) is an operational database built to store events. A vulnerability has been identified in the projections subsystem in versions 20 prior to 20.10.6, 21 prior to 21.10.11, 22 prior to 22.10.5, and 23 prior to 23.10.1. Only database instances that use custom projections are affected by this vulnerability. User passwords may become accessible to those who have access to the chunk files on disk, and users who have read access to system streams. Only users in the `$admins` group can access system streams by default. ESDB 23.10.1, 22.10.5, 21.10.11, and 20.10.6 contain a patch for this issue. Users should upgrade EventStoreDB, reset the passwords for current and previous members of `$admins` and `$ops` groups, and, if a password was reused in any other system, reset it in those systems to a unique password to follow best practices. If an upgrade cannot be done immediately, reset the passwords for current and previous members of `$admins` and `$ops` groups. Avoid creating custom projections until the patch has been applied. 2024-02-21 5.5 CVE-2024-26133
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
extendthemes — colibri_page_builder The Colibri WP theme for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.94. This is due to missing or incorrect nonce validation on the colibriwp_install_plugin() function. This makes it possible for unauthenticated attackers to install recommended plugins via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2024-02-23 4.3 CVE-2024-1360
security@wordfence.com
security@wordfence.com
extendthemes — colibri_page_builder The Colibri Page Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.253. This is due to missing or incorrect nonce validation on the apiCall() function. This makes it possible for unauthenticated attackers to call a limited set of functions that can be used to import images, delete posts, or save theme data via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2024-02-23 4.3 CVE-2024-1361
security@wordfence.com
security@wordfence.com
extendthemes — colibri_page_builder The Colibri Page Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.253. This is due to missing or incorrect nonce validation on the cp_shortcode_refresh() function. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2024-02-23 4.3 CVE-2024-1362
security@wordfence.com
security@wordfence.com
fortinet — fortiproxy A null pointer dereference in Fortinet FortiOS version 7.2.0 through 7.2.4, 7.0.0 through 7.0.11, 6.4.0 through 6.4.12, Fortiproxy version 7.2.0 through 7.2.4, 7.0.0 through 7.0.10 allows attacker to denial of service via specially crafted HTTP requests. 2024-02-22 6.5 CVE-2023-29179
psirt@fortinet.com
frederic_gilles — fg_prestashop_to_woocommerce Cross-Site Request Forgery (CSRF) vulnerability in Frederic GILLES FG PrestaShop to WooCommerce, Frederic GILLES FG Drupal to WordPress, Frederic GILLES FG Joomla to WordPress.This issue affects FG PrestaShop to WooCommerce: from n/a through 4.44.3; FG Drupal to WordPress: from n/a through 3.67.0; FG Joomla to WordPress: from n/a through 4.15.0. 2024-02-21 4.3 CVE-2024-24837
audit@patchstack.com
audit@patchstack.com
audit@patchstack.com
garo — wallbox_glb+_t2ev7 A vulnerability, which was classified as problematic, was found in GARO WALLBOX GLB+ T2EV7 0.5. This affects an unknown part of the file /index.jsp#settings of the component Software Update Handler. The manipulation of the argument Reference leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-254397 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. 2024-02-21 4.3 CVE-2024-1707
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
gitlab — gitlab An issue has been discovered in GitLab EE affecting all versions starting from 12.0 to 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. This vulnerability allows for bypassing the ‘group ip restriction’ settings to access environment details of projects 2024-02-22 4.3 CVE-2023-4895
cve@gitlab.com
cve@gitlab.com
gitlab — gitlab An issue has been discovered in GitLab EE affecting all versions starting from 16.5 before 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. When a user is assigned a custom role with admin_group_member permission, they may be able to make a group, other members or themselves Owners of that group, which may lead to privilege escalation. 2024-02-22 6.7 CVE-2023-6477
cve@gitlab.com
cve@gitlab.com
gitlab — gitlab An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.1 before 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. Under some specialized conditions, an LDAP user may be able to reset their password using their verified secondary email address and sign-in using direct authentication with the reset password, bypassing LDAP. 2024-02-22 5.3 CVE-2024-1525
cve@gitlab.com
gitlab –gitlab
 
An issue has been discovered in GitLab EE affecting all versions starting from 16.4 before 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. Users with the `Guest` role can change `Custom dashboard projects` settings contrary to permissions. 2024-02-22 4.3 CVE-2024-0861
cve@gitlab.com
cve@gitlab.com
gn_themes — wp_shortcodes_plugin_-_shortcodes_ultimate The WP Shortcodes Plugin – Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s su_tooltip shortcode in all versions up to, and including, 7.0.2 due to insufficient input sanitization and output escaping on user supplied attributes and user supplied tags. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-02-20 6.4 CVE-2024-1510
security@wordfence.com
security@wordfence.com
security@wordfence.com
greenpau — github.com/greenpau/caddy-security All versions of the package github.com/greenpau/caddy-security are vulnerable to Insufficient Session Expiration due to improper user session invalidation upon clicking the “Sign Out” button. User sessions remain valid even after requests are sent to /logout and /oauth2/google/logout. Attackers who gain access to an active but supposedly logged-out session can perform unauthorized actions on behalf of the user. 2024-02-17 4.8 CVE-2024-21492
report@snyk.io
report@snyk.io
report@snyk.io
greenpau — github.com/greenpau/caddy-security All versions of the package github.com/greenpau/caddy-security are vulnerable to HTTP Header Injection via the X-Forwarded-Proto header due to redirecting to the injected protocol.Exploiting this vulnerability could lead to bypass of security mechanisms or confusion in handling TLS. 2024-02-17 4.3 CVE-2024-21499
report@snyk.io
report@snyk.io
report@snyk.io
greenpau — github.com/greenpau/caddy-security All versions of the package github.com/greenpau/caddy-security are vulnerable to Improper Restriction of Excessive Authentication Attempts via the two-factor authentication (2FA). Although the application blocks the user after several failed attempts to provide 2FA codes, attackers can bypass this blocking mechanism by automating the application’s full multistep 2FA process. 2024-02-17 4.8 CVE-2024-21500
report@snyk.io
report@snyk.io
report@snyk.io
greenpau — github.com/greenpau/caddy-security All versions of the package github.com/greenpau/caddy-security are vulnerable to Improper Validation of Array Index when parsing a Caddyfile. Multiple parsing functions in the affected library do not validate whether their input values are nil before attempting to access elements, which can lead to a panic (index out of range). Panics during the parsing of a configuration file may introduce ambiguity and vulnerabilities, hindering the correct interpretation and configuration of the web server. 2024-02-17 5.3 CVE-2024-21493
report@snyk.io
report@snyk.io
report@snyk.io
greenpau — github.com/greenpau/caddy-security All versions of the package github.com/greenpau/caddy-security are vulnerable to Authentication Bypass by Spoofing via the X-Forwarded-For header due to improper input sanitization. An attacker can spoof an IP address used in the user identity module (/whoami API endpoint). This could lead to unauthorized access if the system trusts this spoofed IP address. 2024-02-17 5.4 CVE-2024-21494
report@snyk.io
report@snyk.io
report@snyk.io
greenpau — github.com/greenpau/caddy-security All versions of the package github.com/greenpau/caddy-security are vulnerable to Open Redirect via the redirect_url parameter. An attacker could perform a phishing attack and trick users into visiting a malicious website by crafting a convincing URL with this parameter. To exploit this vulnerability, the user must take an action, such as clicking on a portal button or using the browser’s back button, to trigger the redirection. 2024-02-17 5.4 CVE-2024-21497
report@snyk.io
report@snyk.io
report@snyk.io
greenpau — github.com/greenpau/caddy-security All versions of the package github.com/greenpau/caddy-security are vulnerable to Server-side Request Forgery (SSRF) via X-Forwarded-Host header manipulation. An attacker can expose sensitive information, interact with internal services, or exploit other vulnerabilities within the network by exploiting this vulnerability. 2024-02-17 5.3 CVE-2024-21498
report@snyk.io
report@snyk.io
report@snyk.io
humansignal — label-studio ### Summary On all Label Studio versions prior to 1.11.0, data imported via file upload feature is not properly sanitized prior to being rendered within a [`Choices`](https://labelstud.io/tags/choices) or [`Labels`](https://labelstud.io/tags/labels) tag, resulting in an XSS vulnerability. ### Details Need permission to use the “data import” function. This was reproduced on Label Studio 1.10.1. ### PoC 1. Create a project. ![Create a project](https://github.com/HumanSignal/label-studio/assets/3943358/9b1536ad-feac-4238-a1bd-ca9b1b798673) 2. Upload a file containing the payload using the “Upload Files” function. ![2 Upload a file containing the payload using the Upload Files function](https://github.com/HumanSignal/label-studio/assets/3943358/26bb7af1-1cd2-408f-9adf-61e31a5b7328) ![3 complete](https://github.com/HumanSignal/label-studio/assets/3943358/f2f62774-1fa6-4456-9e6f-8fa1ca0a2d2e) The following are the contents of the files used in the PoC “` { “data”: { “prompt”: “labelstudio universe image”, “images”: [ { “value”: “id123#0”, “style”: “margin: 5px”, “html”: “<img width=’400′ src=’https://labelstud.io/_astro/images-tab.64279c16_ZaBSvC.avif’ onload=alert(document.cookie)>” } ] } } “` 3. Select the text-to-image generation labeling template of Ranking and scoring ![3 Select the text-to-image generation labelling template for Ranking and scoring](https://github.com/HumanSignal/label-studio/assets/3943358/f227f49c-a718-4738-bc2a-807da4f97155) ![5 save](https://github.com/HumanSignal/label-studio/assets/3943358/9b529f8a-8e99-4bb0-bdf6-bb7a95c9b75d) 4. Select a task ![4 Select a task](https://github.com/HumanSignal/label-studio/assets/3943358/71856b7a-2b1f-44ea-99ab-fc48bc20caa7) 5. Check that the script is running ![5 Check that the script is running](https://github.com/HumanSignal/label-studio/assets/3943358/e396ae7b-a591-4db7-afe9-5bab30b48cb9) ### Impact Malicious scripts can be injected into the code, and when linked with vulnerabilities such as CSRF, it can cause even greater damage. In particular, It can become a source of further attacks, especially when linked to social engineering. 2024-02-22 4.7 CVE-2024-26152
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
iberezansky — 3d_flipbook_-_pdf_flipbook_wordpress The 3D FlipBook – PDF Flipbook WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s bookmark feature in all versions up to, and including, 1.15.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-02-21 6.4 CVE-2024-1081
security@wordfence.com
security@wordfence.com
ibm — common_licensing IBM Common Licensing 9.0 could allow a local user to enumerate usernames due to an observable response discrepancy. IBM X-Force ID: 273337. 2024-02-20 4 CVE-2023-50306
psirt@us.ibm.com
psirt@us.ibm.com
ibm — infosphere_information_server IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 256544. 2024-02-21 5.4 CVE-2023-33843
psirt@us.ibm.com
psirt@us.ibm.com
ibm — qradar_suite_software IBM QRadar Suite 1.10.12.0 through 1.10.17.0 and IBM Cloud Pak for Security 1.10.0.0 through 1.10.11.0 in some circumstances will log some sensitive information about invalid authorization attempts. IBM X-Force ID: 275747. 2024-02-17 4 CVE-2023-50951
psirt@us.ibm.com
psirt@us.ibm.com
ibm — qradar_suite_software IBM QRadar Suite 1.10.12.0 through 1.10.17.0 and IBM Cloud Pak for Security 1.10.0.0 through 1.10.11.0 stores potentially sensitive information in log files that could be read by a local user. IBM X-Force ID: 279975. 2024-02-17 5.1 CVE-2024-22335
psirt@us.ibm.com
psirt@us.ibm.com
ibm — qradar_suite_software IBM QRadar Suite 1.10.12.0 through 1.10.17.0 and IBM Cloud Pak for Security 1.10.0.0 through 1.10.11.0 stores potentially sensitive information in log files that could be read by a local user. IBM X-Force ID: 279976. 2024-02-17 5.1 CVE-2024-22336
psirt@us.ibm.com
psirt@us.ibm.com
ibm — qradar_suite_software IBM QRadar Suite 1.10.12.0 through 1.10.17.0 and IBM Cloud Pak for Security 1.10.0.0 through 1.10.11.0 stores potentially sensitive information in log files that could be read by a local user. IBM X-Force ID: 279977. 2024-02-17 5.1 CVE-2024-22337
psirt@us.ibm.com
psirt@us.ibm.com
jackdewey — link_library The Link Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘ll_reciprocal’ parameter in all versions up to, and including, 7.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-02-20 6.5 CVE-2024-1559
security@wordfence.com
security@wordfence.com
janis_elsts — admin_menu_editor Cross-Site Request Forgery (CSRF) vulnerability in Janis Elsts Admin Menu Editor.This issue affects Admin Menu Editor: from n/a through 1.12. 2024-02-21 4.3 CVE-2024-24876
audit@patchstack.com
john_tendik — jtrt_responsive_tables Cross-Site Request Forgery (CSRF) vulnerability in John Tendik JTRT Responsive Tables.This issue affects JTRT Responsive Tables: from n/a through 4.1.9. 2024-02-21 4.3 CVE-2024-24802
audit@patchstack.com
jumpserver — jumpserver JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to version 3.10.0, attackers can exploit this vulnerability to construct malicious links, leading users to click on them, thereby facilitating phishing attacks or cross-site scripting attacks. Version 3.10.0 contains a patch for this issue. No known workarounds are available. 2024-02-20 4.3 CVE-2024-24763
security-advisories@github.com
security-advisories@github.com
keerti1924 — php-mysql-user-login-system A vulnerability, which was classified as problematic, was found in keerti1924 PHP-MYSQL-User-Login-System 1.0. Affected is an unknown function of the file /signup.php. The manipulation of the argument username with the input <script>alert(“xss”)</script> leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-254388. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. 2024-02-21 4.3 CVE-2024-1700
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
keerti1924 — php-mysql-user-login-system A vulnerability was found in keerti1924 PHP-MYSQL-User-Login-System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /edit.php. The manipulation leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-254390 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. 2024-02-21 6.3 CVE-2024-1702
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
keerti1924 — php-mysql-user-login-system A vulnerability has been found in keerti1924 PHP-MYSQL-User-Login-System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /edit.php. The manipulation leads to improper access controls. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-254389 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. 2024-02-21 5.3 CVE-2024-1701
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
laborofficefree — laborofficefree A weak permission was found in the backup directory in LaborOfficeFree affecting version 19.10. This vulnerability allows any authenticated user to read backup files in the directory ‘%programfiles(x86)% LaborOfficeFree BackUp’. 2024-02-19 4.7 CVE-2024-1343
cve-coordination@incibe.es
laborofficefree_ — laborofficefree_ Encrypted database credentials in LaborOfficeFree affecting version 19.10. This vulnerability allows an attacker to read and extract the username and password from the database of ‘LOF_service.exe’ and ‘LaborOfficeFree.exe’ located in the ‘%programfiles(x86)%LaborOfficeFree’ directory. This user can log in remotely and has root-like privileges. 2024-02-19 6.8 CVE-2024-1344
cve-coordination@incibe.es
laborofficefree_ — laborofficefree_ Weak MySQL database root password in LaborOfficeFree affects version 19.10. This vulnerability allows an attacker to perform a brute force attack and easily discover the root password. 2024-02-19 6.8 CVE-2024-1345
cve-coordination@incibe.es
laborofficefree_ — laborofficefree_ Weak MySQL database root password in LaborOfficeFree affects version 19.10. This vulnerability allows an attacker to calculate the root password of the MySQL database used by LaborOfficeFree using two constants. 2024-02-19 6.8 CVE-2024-1346
cve-coordination@incibe.es
liferay — dxp Open redirect vulnerability in adaptive media administration page in Liferay DXP 2023.Q3 before patch 6, and 7.4 GA through update 92 allows remote attackers to redirect users to arbitrary external URLs via the _com_liferay_adaptive_media_web_portlet_AMPortlet_redirect parameter. 2024-02-20 6.1 CVE-2023-44308
security@liferay.com
liferay — portal Information disclosure vulnerability in the Control Panel in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions allows remote authenticated users to obtain a user’s full name from the page’s title by enumerating user screen names. 2024-02-20 4.3 CVE-2024-25150
security@liferay.com
liferay — portal Open redirect vulnerability in the Countries Management’s edit region page in Liferay Portal 7.4.3.45 through 7.4.3.101, and Liferay DXP 2023.Q3 before patch 6, and 7.4 update 45 through 92 allows remote attackers to redirect users to arbitrary external URLs via the _com_liferay_address_web_internal_portlet_CountriesManagementAdminPortlet_redirect parameter. 2024-02-20 6.1 CVE-2023-5190
security@liferay.com
liferay — portal Liferay Portal 7.2.0 through 7.4.3.4, and older unsupported versions, and Liferay DXP 7.4.13, 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions does not properly check user permissions, which allows remote authenticated users with the VIEW user permission to edit their own permission via the User and Organizations section of the Control Panel. 2024-02-20 6.5 CVE-2024-25604
security@liferay.com
liferay — portal HtmlUtil.escapeRedirect in Liferay Portal 7.2.0 through 7.4.3.18, and older unsupported versions, and Liferay DXP 7.4 before update 19, 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions can be circumvented by using the ‘REPLACEMENT CHARACTER’ (U+FFFD), which allows remote attackers to redirect users to arbitrary external URLs via the (1) ‘redirect` parameter (2) `FORWARD_URL` parameter, (3) `noSuchEntryRedirect` parameter, and (4) others parameters that rely on HtmlUtil.escapeRedirect. 2024-02-20 6.1 CVE-2024-25608
security@liferay.com
liferay — portal HtmlUtil.escapeRedirect in Liferay Portal 7.2.0 through 7.4.3.12, and older unsupported versions, and Liferay DXP 7.4 before update 9, 7.3 service pack 3, 7.2 fix pack 15 through 18, and older unsupported versions can be circumvented by using two forward slashes, which allows remote attackers to redirect users to arbitrary external URLs via the (1) ‘redirect` parameter (2) `FORWARD_URL` parameter, and (3) others parameters that rely on HtmlUtil.escapeRedirect. This vulnerability is the result of an incomplete fix in CVE-2022-28977. 2024-02-20 6.1 CVE-2024-25609
security@liferay.com
liferay — portal The Account Settings page in Liferay Portal 7.4.3.76 through 7.4.3.99, and Liferay DXP 2023.Q3 before patch 5, and 7.4 update 76 through 92 embeds the user’s hashed password in the page’s HTML source, which allows man-in-the-middle attackers to steal a user’s hashed password. 2024-02-20 6.5 CVE-2024-26270
security@liferay.com
liferay — portal Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions does not properly restrict membership of a child site when the “Limit membership to members of the parent site” option is enabled, which allows remote authenticated users to add users who are not a member of the parent site to a child site. The added user may obtain permission to perform unauthorized actions in the child site. 2024-02-20 5.4 CVE-2024-25149
security@liferay.com
liferay — portal The Image Uploader module in Liferay Portal 7.2.0 through 7.4.3.15, and older unsupported versions, and Liferay DXP 7.4 before update 16, 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions relies on a request parameter to limit the size of files that can be uploaded, which allows remote authenticated users to upload arbitrarily large files to the system’s temp folder by modifying the `maxFileSize` parameter. 2024-02-20 5 CVE-2024-26265
security@liferay.com
liferay — portal_ In Liferay Portal 7.2.0 through 7.4.3.25, and older unsupported versions, and Liferay DXP 7.4 before update 26, 7.3 before update 5, 7.2 before fix pack 19, and older unsupported versions the default value of the portal property `http.header.version.verbosity` is set to `full`, which allows remote attackers to easily identify the version of the application that is running and the vulnerabilities that affect that version via ‘Liferay-Portal` response header. 2024-02-20 5.3 CVE-2024-26267
security@liferay.com
liferay — portal User enumeration vulnerability in Liferay Portal 7.2.0 through 7.4.3.26, and older unsupported versions, and Liferay DXP 7.4 before update 27, 7.3 before update 8, 7.2 before fix pack 20, and older unsupported versions allows remote attackers to determine if an account exist in the application by comparing the request’s response time. 2024-02-20 5.3 CVE-2024-26268
security@liferay.com
liferay — portal The Calendar module in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions does not escape user supplied data in the default notification email template, which allows remote authenticated users to inject arbitrary web script or HTML via the title of a calendar event or the user’s name. This may lead to a content spoofing or cross-site scripting (XSS) attacks depending on the capability of the receiver’s mail client. 2024-02-21 5.4 CVE-2024-25151
security@liferay.com
liferay — portal The Journal module in Liferay Portal 7.2.0 through 7.4.3.4, and older unsupported versions, and Liferay DXP 7.4.13, 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions grants guest users view permission to web content templates by default, which allows remote attackers to view any template via the UI or API. 2024-02-20 5.3 CVE-2024-25605
security@liferay.com
mark_stockton — quicksand_post_filter_jquery_plugin Cross-Site Request Forgery (CSRF) vulnerability in Mark Stockton Quicksand Post Filter jQuery Plugin. This issue affects Quicksand Post Filter jQuery Plugin: from n/a through 3.1.1. 2024-02-21 4.3 CVE-2024-24849
audit@patchstack.com
microsoft — microsoft_edge Microsoft Edge (Chromium-based) Information Disclosure Vulnerability 2024-02-23 4.8 CVE-2024-21423
secure@microsoft.com
microsoft — microsoft_edge_for_adroid Microsoft Edge (Chromium-based) Spoofing Vulnerability 2024-02-23 4.3 CVE-2024-26188
secure@microsoft.com
mondula_gmbh — multi_step_form Cross-Site Request Forgery (CSRF) vulnerability in Mondula GmbH Multi Step Form.This issue affects Multi Step Form: from n/a through 1.7.18. 2024-02-21 5.4 CVE-2024-25905
audit@patchstack.com
moodle — moodle Separate Groups mode restrictions were not honored in the H5P attempts report, which would display users from other groups. By default this only provided additional access to non-editing teachers. 2024-02-19 4.3 CVE-2024-25980
patrick@puiterwijk.org
patrick@puiterwijk.org
patrick@puiterwijk.org
moodle — moodle Separate Groups mode restrictions were not honored when performing a forum export, which would export forum data for all groups. By default this only provided additional access to non-editing teachers. 2024-02-19 4.3 CVE-2024-25981
patrick@puiterwijk.org
patrick@puiterwijk.org
patrick@puiterwijk.org
moodle — moodle The link to update all installed language packs did not include the necessary token to prevent a CSRF risk. 2024-02-19 4.3 CVE-2024-25982
patrick@puiterwijk.org
patrick@puiterwijk.org
patrick@puiterwijk.org
moodle — moodle The URL parameters accepted by forum search were not limited to the allowed parameters. 2024-02-19 5.3 CVE-2024-25979
patrick@puiterwijk.org
patrick@puiterwijk.org
patrick@puiterwijk.org
netapp — snapcenter SnapCenter versions 4.8 prior to 5.0 are susceptible to a vulnerability which could allow an authenticated SnapCenter Server user to modify system logging configuration settings 2024-02-16 5.4 CVE-2024-21987
security-alert@netapp.com
netapp — storagegrid StorageGRID (formerly StorageGRID Webscale) versions prior to 11.8 are susceptible to a difficult to exploit Reflected Cross-Site Scripting (XSS) vulnerability. Successful exploit requires the attacker to know specific information about the target instance and trick a privileged user into clicking a specially crafted link. This could allow the attacker to view or modify configuration settings or add or modify user accounts. 2024-02-16 5.9 CVE-2024-21984
security-alert@netapp.com
onnx — onnx Versions of the package onnx before and including 1.15.0 are vulnerable to Out-of-bounds Read as the ONNX_ASSERT and ONNX_ASSERTM functions have an off by one string copy. 2024-02-23 4.4 CVE-2024-27319
6f8de1f0-f67e-45a6-b68f-98777fdb759c
oracle_corporation — bi_publisher_(formerly_xml_publisher) Vulnerability in the Oracle BI Publisher product of Oracle Analytics (component: Web Server). Supported versions that are affected are 6.4.0.0.0 and 7.0.0.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle BI Publisher. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle BI Publisher, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle BI Publisher accessible data as well as unauthorized read access to a subset of Oracle BI Publisher accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N). 2024-02-17 5.4 CVE-2024-20980
secalert_us@oracle.com
oracle_corporation — business_intelligence_enterprise_edition Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics (component: BI Platform Security). The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Business Intelligence Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Business Intelligence Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Business Intelligence Enterprise Edition accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N). 2024-02-17 5.4 CVE-2024-20913
secalert_us@oracle.com
oracle_corporation — common_applications Vulnerability in the Oracle Common Applications product of Oracle E-Business Suite (component: CRM User Management Framework). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Common Applications. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Common Applications, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Common Applications accessible data as well as unauthorized read access to a subset of Oracle Common Applications accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N). 2024-02-17 5.4 CVE-2024-20947
secalert_us@oracle.com
oracle_corporation — crm_technical_foundation Vulnerability in the Oracle CRM Technical Foundation product of Oracle E-Business Suite (component: Admin Console). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle CRM Technical Foundation. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle CRM Technical Foundation. CVSS 3.1 Base Score 4.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L). 2024-02-17 4.3 CVE-2024-20939
secalert_us@oracle.com
oracle_corporation — installed_base Vulnerability in the Oracle Installed Base product of Oracle E-Business Suite (component: Engineering Change Order). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Installed Base. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Installed Base, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Installed Base accessible data as well as unauthorized read access to a subset of Oracle Installed Base accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N). 2024-02-17 5.4 CVE-2024-20958
secalert_us@oracle.com
oracle_corporation — java_se_jdk_and_jre Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and 22.3.4. Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition executes to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N). 2024-02-17 4.7 CVE-2024-20945
secalert_us@oracle.com
oracle_corporation — java_se_jdk_and_jre Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and 22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.1 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N). 2024-02-17 5.9 CVE-2024-20919
secalert_us@oracle.com
oracle_corporation — java_se_jdk_and_jre Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and 22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N). 2024-02-17 5.9 CVE-2024-20921
secalert_us@oracle.com
oracle_corporation — jd_edwards_enterpriseone_tools Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Monitoring and Diagnostics SEC). Supported versions that are affected are Prior to 9.2.8.1. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in unauthorized read access to a subset of JD Edwards EnterpriseOne Tools accessible data. CVSS 3.1 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N). 2024-02-17 4.3 CVE-2024-20937
secalert_us@oracle.com
oracle_corporation — knowledge_management Vulnerability in the Oracle Knowledge Management product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Knowledge Management. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Knowledge Management, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Knowledge Management accessible data as well as unauthorized read access to a subset of Oracle Knowledge Management accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N). 2024-02-17 5.4 CVE-2024-20943
secalert_us@oracle.com
oracle_corporation — myqsl_server Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges). Supported versions that are affected are 8.0.35 and prior and 8.2.0 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H). 2024-02-17 5.3 CVE-2024-20964
secalert_us@oracle.com
oracle_corporation — mysql_server Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.35 and prior and 8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). 2024-02-17 4.9 CVE-2024-20966
secalert_us@oracle.com
oracle_corporation — mysql_server Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Options). Supported versions that are affected are 8.0.34 and prior and 8.1.0. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H). 2024-02-17 4.4 CVE-2024-20968
secalert_us@oracle.com
oracle_corporation — mysql_server Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.35 and prior and 8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). 2024-02-17 4.9 CVE-2024-20970
secalert_us@oracle.com
oracle_corporation — mysql_server Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.35 and prior and 8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). 2024-02-17 4.9 CVE-2024-20972
secalert_us@oracle.com
oracle_corporation — mysql_server Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.35 and prior and 8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). 2024-02-17 4.9 CVE-2024-20974
secalert_us@oracle.com
oracle_corporation — mysql_server Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.35 and prior and 8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). 2024-02-17 4.9 CVE-2024-20976
secalert_us@oracle.com
oracle_corporation — mysql_server Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.35 and prior and 8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). 2024-02-17 4.9 CVE-2024-20978
secalert_us@oracle.com
oracle_corporation — mysql_server Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.35 and prior and 8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). 2024-02-17 4.9 CVE-2024-20982
secalert_us@oracle.com
oracle_corporation — mysql_server Vulnerability in the MySQL Server product of Oracle MySQL (component: Server : Security : Firewall). Supported versions that are affected are 8.0.35 and prior and 8.2.0 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H). 2024-02-17 4.4 CVE-2024-20984
secalert_us@oracle.com
oracle_corporation — sun_zfs_storage_appliance_kit_(ak)_software Vulnerability in the Oracle ZFS Storage Appliance Kit product of Oracle Systems (component: Object Store). The supported version that is affected is 8.8. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle ZFS Storage Appliance Kit. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle ZFS Storage Appliance Kit accessible data. CVSS 3.1 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N). 2024-02-17 4.3 CVE-2023-21833
secalert_us@oracle.com
oracle_corporation — application_object_library Vulnerability in the Oracle Application Object Library product of Oracle E-Business Suite (component: Login – SSO). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Application Object Library. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Application Object Library. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). 2024-02-17 5.3 CVE-2024-20915
secalert_us@oracle.com
pinterest — querybook Querybook is a user interface for querying big data. Prior to version 3.31.1, there is a vulnerability in Querybook’s rich text editor that enables users to input arbitrary URLs without undergoing necessary validation. This particular security flaw allows the use of `javascript:` protocol which can potentially trigger arbitrary client-side execution. The most extreme exploit of this flaw could occur when an admin user unknowingly clicks on a cross-site scripting URL, thereby unintentionally compromising admin role access to the attacker. A patch to rectify this issue has been introduced in Querybook version `3.31.1`. The fix is backward compatible and automatically fixes existing DataDocs. There are no known workarounds for this issue, except for manually checking each URL prior to clicking on them. 2024-02-21 6.1 CVE-2024-26148
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
presstigers — simple_job_board The Simple Job Board plugin for WordPress is vulnerable to unauthorized access of data| due to insufficient authorization checking on the fetch_quick_job() function in all versions up to, and including, 2.10.8. This makes it possible for unauthenticated attackers to fetch arbitrary posts, which can be password protected or private and contain sensitive information. 2024-02-21 5.3 CVE-2024-0593
security@wordfence.com
security@wordfence.com
prestashop — prestashop PrestaShop is an open-source e-commerce platform. Starting in version 8.1.0 and prior to version 8.1.4, PrestaShop is vulnerable to path disclosure in a JavaScript variable. A patch is available in version 8.1.4. 2024-02-19 5.8 CVE-2024-26129
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
raaj_trambadia — pexels:_free_stock_photos Server-Side Request Forgery (SSRF) vulnerability in Raaj Trambadia Pexels: Free Stock Photos.This issue affects Pexels: Free Stock Photos: from n/a through 1.2.2. 2024-02-23 4.9 CVE-2024-25915
audit@patchstack.com
redhat — openshift A flaw was found in OpenShift. The existing Cross-Site Request Forgery (CSRF) protections in place do not properly protect GET requests, allowing for the creation of WebSockets via CSRF. 2024-02-16 5.4 CVE-2024-1342
secalert@redhat.com
secalert@redhat.com
shopwind — shopwind A vulnerability was found in Shopwind up to 4.6. It has been rated as critical. This issue affects the function actionCreate of the file /public/install/controllers/DefaultController.php of the component Installation. The manipulation leads to code injection. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The identifier VDB-254393 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. 2024-02-21 5.6 CVE-2024-1705
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
silabs.com — ember_znet_sdk Ember ZNet between v7.2.0 and v7.4.0 used software AES-CCM instead of integrated hardware cryptographic accelerators, potentially increasing risk of electromagnetic and differential power analysis sidechannel attacks. 2024-02-23 6.2 CVE-2023-51392
product-security@silabs.com
silabs.com — ember_znet_sdk Due to an allocation of resources without limits, an uncontrolled resource consumption vulnerability exists in Silicon Labs Ember ZNet SDK prior to v7.4.0.0 (delivered as part of Silicon Labs Gecko SDK v4.4.0) which may enable attackers to trigger a bus fault and crash of the device, requiring a reboot in order to rejoin the network. 2024-02-23 5.3 CVE-2023-51393
product-security@silabs.com
silabs.com — ember_znet_sdk High traffic environments may result in NULL Pointer Dereference vulnerability in Silicon Labs’s Ember ZNet SDK before v7.4.0, causing a system crash. 2024-02-23 5.3 CVE-2023-51394
product-security@silabs.com
silabs.com — gsdk TRNG is used before initialization by ECDSA signing driver when exiting EM2/EM3 on Virtual Secure Vault (VSE) devices. This defect may allow Signature Spoofing by Key Recreation.This issue affects Gecko SDK through v4.4.0. 2024-02-21 6.8 CVE-2024-22473
product-security@silabs.com
silabs.com — pc_controller Malformed Device Reset Locally Command Class packets can be sent to the controller, causing the controller to assume the end device has left the network. After this, frames sent by the end device will not be acknowledged by the controller. This vulnerability exists in PC Controller v5.54.0, and earlier. 2024-02-21 6.5 CVE-2023-6533
product-security@silabs.com
silabs.com — pc_controller Malformed S2 Nonce Get Command Class packets can be sent to crash PC Controller v5.54.0 and earlier. 2024-02-21 6.5 CVE-2023-6640
product-security@silabs.com
silicon_labs — gecko_platform A denial of service vulnerability exists in the ICMP and ICMPv6 parsing functionality of Weston Embedded uC-TCP-IP v3.06.01. A specially crafted network packet can lead to an out-of-bounds read. An attacker can send a malicious packet to trigger this vulnerability.This vulnerability concerns a denial of service within the parsing an IPv4 ICMP packet. 2024-02-20 5.9 CVE-2023-39540
talos-cna@cisco.com
silicon_labs — gecko_platform A denial of service vulnerability exists in the ICMP and ICMPv6 parsing functionality of Weston Embedded uC-TCP-IP v3.06.01. A specially crafted network packet can lead to an out-of-bounds read. An attacker can send a malicious packet to trigger this vulnerability.This vulnerability concerns a denial of service within the parsing an IPv6 ICMPv6 packet. 2024-02-20 5.9 CVE-2023-39541
talos-cna@cisco.com
smub — user_feedback_create_interactive_feedback_form,_user_surveys,_and_polls_in_seconds The User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘page_submitted’ ‘link’ value in all versions up to, and including, 1.0.13 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in the feedback submission page that will execute when a user clicks the link, while also pressing the command key. 2024-02-22 5.4 CVE-2024-0903
security@wordfence.com
security@wordfence.com
softaculous — page_builder:_pagelayer_drag_and_drop_website_builder The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s Button Widget in all versions up to, and including, 1.8.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-02-23 4.6 CVE-2024-1590
security@wordfence.com
security@wordfence.com
sonicwall — sma100 Improper access control vulnerability has been identified in the SMA100 SSL-VPN virtual office portal, which in specific conditions could potentially enable a remote authenticated attacker to associate another user’s MFA mobile application. 2024-02-24 6.3 CVE-2024-22395
PSIRT@sonicwall.com
soninow_team — dugbug Cross-Site Request Forgery (CSRF) vulnerability in SoniNow Team Debug.This issue affects Debug: from n/a through 1.10. 2024-02-21 4.3 CVE-2024-24798
audit@patchstack.com
temmoki_mvc — tommoku_mvc A vulnerability, which was classified as critical, was found in TemmokuMVC up to 2.3. Affected is the function get_img_url/img_replace in the library lib/images_get_down.php of the component Image Download Handler. The manipulation leads to deserialization. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-254532. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. 2024-02-22 5.6 CVE-2024-1750
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
theeventscalendar — event_tickets_and_registration The Event Tickets and Registration plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ’email’ action in all versions up to, and including, 5.8.1. This makes it possible for authenticated attackers, with contributor-level access and above, to email the attendees list to themselves. 2024-02-22 4.3 CVE-2024-1053
security@wordfence.com
security@wordfence.com
themify — themify_builder Cross-Site Request Forgery (CSRF) vulnerability in Themify Themify Builder.This issue affects Themify Builder: from n/a through 7.0.5. 2024-02-21 4.3 CVE-2024-24872
audit@patchstack.com
totolink — x6000r_ax3000 A vulnerability was found in Totolink X6000R AX3000 9.4.0cu.852_20230719. It has been rated as critical. This issue affects the function setWizardCfg of the file /cgi-bin/cstecgi.cgi of the component shttpd. The manipulation leads to command injection. The exploit has been disclosed to the public and may be used. The identifier VDB-254573 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. 2024-02-23 6.3 CVE-2024-1781
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
van_der_schaar_lab — autoprognosis A vulnerability classified as critical was found in van_der_Schaar LAB AutoPrognosis 0.1.21. This vulnerability affects the function load_model_from_file of the component Release Note Handler. The manipulation leads to deserialization. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. VDB-254530 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. 2024-02-22 5 CVE-2024-1748
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
videolan — dav1d An integer overflow in dav1d AV1 decoder that can occur when decoding videos with large frame size. This can lead to memory corruption within the AV1 decoder. We recommend upgrading past version 1.4.0 of dav1d. 2024-02-19 5.9 CVE-2024-1580
cve-coordination@google.com
cve-coordination@google.com
vmware — aria_operations VMware Aria Operations contains a local privilege escalation vulnerability. A malicious actor with administrative access to the local system can escalate privileges to ‘root’. 2024-02-21 6.7 CVE-2024-22235
security@vmware.com
webfactory — databasereset The Database Reset plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.22. This is due to missing or incorrect nonce validation on the install_wpr() function. This makes it possible for unauthenticated attackers to install the WP Reset Plugin via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2024-02-21 4.7 CVE-2024-1501
security@wordfence.com
security@wordfence.com
security@wordfence.com
westerndeal — woocommerce_google_sheet_connector The WooCommerce Google Sheet Connector plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the execute_post_data function in all versions up to, and including, 1.3.11. This makes it possible for unauthenticated attackers to update plugin settings. 2024-02-21 5.3 CVE-2024-1562
security@wordfence.com
security@wordfence.com
wolfssl — wolfssl In wolfSSL prior to 5.6.6, if callback functions are enabled (via the WOLFSSL_CALLBACKS flag), then a malicious TLS client or network attacker can trigger a buffer over-read on the heap of 5 bytes (WOLFSSL_CALLBACKS is only intended for debugging). 2024-02-20 5.3 CVE-2023-6936
facts@wolfssl.com
facts@wolfssl.com
xwikisas — application-licensing The XWiki licensor application, which manages and enforce application licenses for paid extensions, includes the document `Licenses.Code.LicenseJSON` that provides information for admins regarding active licenses. This document is public and thus exposes this information publicly. The information includes the instance’s id as well as first and last name and email of the license owner. This is a leak of information that isn’t supposed to be public. The instance id allows associating data on the active installs data with the concrete XWiki instance. Active installs assures that “there’s no way to find who’s having a given UUID” (referring to the instance id). Further, the information who the license owner is and information about the obtained licenses can be used for targeted phishing attacks. Also, while user information is normally public, email addresses might only be displayed obfuscated, depending on the configuration. This has been fixed in Application Licensing 1.24.2. There are no known workarounds besides upgrading. 2024-02-21 5.3 CVE-2024-26138
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
yetanalytics — lrs com.yetanalytics/lrs is the Yet Analytics Core LRS Library. Prior to version 1.2.17 of the LRS library and version 0.7.5 of SQL LRS, a maliciously crafted xAPI statement could be used to perform script or other tag injection in the LRS Statement Browser. The problem is patched in version 1.2.17 of the LRS library and version 0.7.5 of SQL LRS. No known workarounds exist. 2024-02-20 4.6 CVE-2024-26140
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
zephyrproject-rtos — zephyr can: out of bounds in remove_rx_filter function 2024-02-18 4.4 CVE-2023-5779
vulnerabilities@zephyrproject.org
zestardtechnologies — admin_side_data_storage_for_contact_form_7 The Admin side data storage for Contact Form 7 plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.1. This is due to missing or incorrect nonce validation on the settings update function. This makes it possible for unauthenticated attackers to update the plugin’s settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2024-02-23 4.3 CVE-2024-1777
security@wordfence.com
security@wordfence.com
zestardtechnologies — admin_side_data_storage_for_contact_form_7 The Admin side data storage for Contact Form 7 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the zt_dcfcf_change_bookmark() function in all versions up to, and including, 1.1.1. This makes it possible for unauthenticated attackers to alter bookmark statuses. 2024-02-23 4.3 CVE-2024-1778
security@wordfence.com
security@wordfence.com
zestardtechnologies — admin_side_data_storage_for_contact_form_7 The Admin side data storage for Contact Form 7 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the zt_dcfcf_change_status() function in all versions up to, and including, 1.1.1. This makes it possible for unauthenticated attackers to alter the message read status of messages. 2024-02-23 5.3 CVE-2024-1779
security@wordfence.com
security@wordfence.com
zhongbangkeji — crmeb A vulnerability was found in ZhongBangKeJi CRMEB 5.2.2. It has been declared as critical. This vulnerability affects the function save/delete of the file /adminapi/system/crud. The manipulation leads to path traversal. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-254392. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. 2024-02-21 5.5 CVE-2024-1704
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
zyxel — atp_series_firmware A null pointer dereference vulnerability in Zyxel ATP series firmware versions from 4.32 through 5.37 Patch 1 and USG FLEX series firmware versions from 4.50 through 5.37 Patch 1 could allow a LAN-based attacker to cause denial-of-service (DoS) conditions by downloading a crafted RAR compressed file onto a LAN-side host if the firewall has the “Anti-Malware” feature enabled. 2024-02-20 6.5 CVE-2023-6397
security@zyxel.com.tw
zyxel — atp_series_firmware A format string vulnerability in Zyxel ATP series firmware versions from 4.32 through 5.37 Patch 1, USG FLEX series firmware versions from 4.50 through 5.37 Patch 1, USG FLEX 50(W) series firmware versions from 4.16 through 5.37 Patch 1, USG20(W)-VPN series firmware versions from 4.16 through 5.37 Patch 1, and USG FLEX H series firmware versions from 1.10 through 1.10 Patch 1 could allow an authenticated IPSec VPN user to cause DoS conditions against the “deviceid” daemon by sending a crafted hostname to an affected device if it has the “Device Insight” feature enabled. 2024-02-20 5.7 CVE-2023-6399
security@zyxel.com.tw

Back to top
 

Low Vulnerabilities

Primary
Vendor — Product
Description Published CVSS Score Source & Patch Info
ZhongBangKeJi — cremeb A vulnerability was found in ZhongBangKeJi CRMEB 5.2.2. It has been classified as problematic. This affects the function openfile of the file /adminapi/system/file/openfile. The manipulation leads to absolute path traversal. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-254391. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. 2024-02-21 3.5 CVE-2024-1703
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
ZhongBangKeJi — cremeb A vulnerability, which was classified as problematic, has been found in ZKTeco ZKBio Access IVS up to 3.3.2. Affected by this issue is some unknown functionality of the component Department Name Search Bar. The manipulation with the input <marquee>hi leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-254396. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. 2024-02-21 3.5 CVE-2024-1706
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
alfio-event — alf.io Alf.io is a free and open source event attendance management system. An administrator on the alf.io application is able to upload HTML files that trigger JavaScript payloads. As such, an attacker gaining administrative access to the alf.io application may be able to persist access by planting an XSS payload. This issue has been addressed in version 2.0-M4-2402. Users are advised to upgrade. There are no known workarounds for this vulnerability. 2024-02-16 3.5 CVE-2024-25627
security-advisories@github.com
bdtask — bhojon_best_restaurant_management_software A vulnerability, which was classified as problematic, has been found in Bdtask Bhojon Best Restaurant Management Software 2.9. This issue affects some unknown processing of the file /dashboard/message of the component Message Page. The manipulation of the argument Title leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-254531. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. 2024-02-22 2.4 CVE-2024-1749
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
beyondtrust — privilege_management_for_windows Prior to version 24.1, a local authenticated attacker can view Sysvol when Privilege Management for Windows is configured to use a GPO policy. This allows them to view the policy and potentially find configuration issues. 2024-02-16 3.3 CVE-2024-1591
13061848-ea10-403d-bd75-c83a022c2891
github — codeql-cli-binaries The CodeQL CLI repo holds binaries for the CodeQL command line interface (CLI). Prior to version 2.16.3, an XML parser used by the CodeQL CLI to read various auxiliary files is vulnerable to an XML External Entity attack. If a vulnerable version of the CLI is used to process either a maliciously modified CodeQL database, or a specially prepared set of QL query sources, the CLI can be made to make an outgoing HTTP request to an URL that contains material read from a local file chosen by the attacker. This may result in a loss of privacy of exfiltration of secrets. Security researchers and QL authors who receive databases or QL source files from untrusted sources may be impacted. A single untrusted `.ql` or `.qll` file cannot be affected, but a zip archive or tarball containing QL sources may unpack auxiliary files that will trigger an attack when CodeQL sees them in the file system. Those using CodeQL for routine analysis of source trees with a preselected set of trusted queries are not affected. In particular, extracting XML files from a source tree into the CodeQL database does not make one vulnerable. The problem is fixed in release 2.16.3 of the CodeQL CLI. Other than upgrading, workarounds include not accepting CodeQL databases or queries from untrusted sources, or only processing such material on a machine without an Internet connection. Customers who use older releases of CodeQL for security scanning in an automated CI system and cannot upgrade for compliance reasons can continue using that version. That use case is safe. If such customers have a private query pack and use the `codeql pack create` command to precompile them before using them in the CI system, they should be using the production CodeQL release to run `codeql pack create`. That command is safe as long as the QL source it precompiled is trusted. All other development of the query pack should use an upgraded CLI. 2024-02-22 2.7 CVE-2024-25129
security-advisories@github.com
security-advisories@github.com
security-advisories@github.com
gitlab — gitlab An issue has been discovered in GitLab affecting all versions before 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. It was possible for group members with sub-maintainer role to change the title of privately accessible deploy keys associated with projects in the group. 2024-02-21 3.7 CVE-2023-3509
cve@gitlab.com
cve@gitlab.com
hcl_software — hcl_sametime_chat Sametime Connect desktop chat client includes, but does not use or require, the use of an Eclipse feature called Secure Storage. Using this Eclipse feature to store sensitive data can lead to exposure of that data. 2024-02-23 3.9 CVE-2023-37540
psirt@hcl.com
ibm — infosphere_information_server IBM InfoSphere Information Server 11.7 could allow an authenticated privileged user to obtain the absolute path of the web server installation which could aid in further attacks against the system. IBM X-Force ID: 275777. 2024-02-21 2.4 CVE-2023-50955
psirt@us.ibm.com
psirt@us.ibm.com
ibm — trusteer_ios_sdk An undisclosed issue in Trusteer iOS SDK for mobile versions prior to 5.7 and Trusteer Android SDK for mobile versions prior to 5.7 may allow uploading of files. IBM X-Force ID: 238535. 2024-02-17 2.2 CVE-2022-42443
psirt@us.ibm.com
psirt@us.ibm.com
lenovo — thinksystem_sr670_v2 ThinkSystem SR670V2 servers manufactured from approximately June 2021 to July 2023 were left in Manufacturing Mode which could allow an attacker with privileged logical access to the host or physical access to server internals to modify or disable Intel Boot Guard firmware integrity, SPS security, and other SPS configuration setting. The server’s NIST SP 800-193-compliant Platform Firmware Resiliency (PFR) security subsystem significantly mitigates this issue. 2024-02-16 2 CVE-2024-23591
psirt@lenovo.com
linux — linux A vulnerability classified as problematic was found in Limbas 5.2.14. Affected by this vulnerability is an unknown functionality of the file main_admin.php. The manipulation of the argument tab_group leads to sql injection. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-254575. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. 2024-02-23 3.9 CVE-2024-1784
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
moodle — moodle Insufficient checks in a web service made it possible to add comments to the comments block on another user’s dashboard when it was not otherwise available (e.g., on their profile page). 2024-02-19 3.5 CVE-2024-25983
patrick@puiterwijk.org
patrick@puiterwijk.org
patrick@puiterwijk.org
nodejs — undici Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Proxy-Authentication` headers. This issue has been patched in versions 5.28.3 and 6.6.1. Users are advised to upgrade. There are no known workarounds for this vulnerability. 2024-02-16 3.9 CVE-2024-24758
security-advisories@github.com
security-advisories@github.com
oracle_corporation — audit_vault_and_database_firewall Vulnerability in Oracle Audit Vault and Database Firewall (component: Firewall). Supported versions that are affected are 20.1-20.9. Difficult to exploit vulnerability allows high privileged attacker with network access via Oracle Net to compromise Oracle Audit Vault and Database Firewall. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Audit Vault and Database Firewall, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Audit Vault and Database Firewall accessible data. CVSS 3.1 Base Score 2.6 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N). 2024-02-17 2.6 CVE-2024-20911
secalert_us@oracle.com
oracle_corporation — java_se_jdk_and_jre Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JavaFX). Supported versions that are affected are Oracle Java SE: 8u391; Oracle GraalVM Enterprise Edition: 20.3.12 and 21.3.8. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N). 2024-02-17 3.1 CVE-2024-20923
secalert_us@oracle.com
oracle_corporation — java_se_jdk_and_jre Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JavaFX). Supported versions that are affected are Oracle Java SE: 8u391; Oracle GraalVM Enterprise Edition: 20.3.12 and 21.3.8. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N). 2024-02-17 3.1 CVE-2024-20925
secalert_us@oracle.com
oracle_corporation — jd_edwards_enterpriseone_tools Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Enterprise Infrastructure SEC). Supported versions that are affected are Prior to 9.2.8.0. Easily exploitable vulnerability allows high privileged attacker with network access via JDENET to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of JD Edwards EnterpriseOne Tools. CVSS 3.1 Base Score 2.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L). 2024-02-17 2.7 CVE-2024-20905
secalert_us@oracle.com
phpgurukul — tourism_management_system A vulnerability classified as problematic has been found in PHPGurukul Tourism Management System 1.0. Affected is an unknown function of the file user-bookings.php. The manipulation of the argument Full Name leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-254610 is the identifier assigned to this vulnerability. 2024-02-23 2.4 CVE-2024-1822
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
renesas — rcar_gen3_v2.5 During the secure boot, bl2 (the second stage of the bootloader) loops over images defined in the table “bl2_mem_params_descs”. For each image, the bl2 reads the image length and destination from the image’s certificate. Because of the way of reading from the image, which base on 32-bit unsigned integer value, it can result to an integer overflow. An attacker can bypass memory range restriction and write data out of buffer bounds, which could result in bypass of secure boot. Affected git version from c2f286820471ed276c57e603762bd831873e5a17 2024-02-19 2 CVE-2024-1633
cve@asrg.io
sourcecodester — simple_student_attendance_system A vulnerability was found in SourceCodester Simple Student Attendance System 1.0. It has been classified as problematic. This affects an unknown part of the file ?page=attendance&class_id=1. The manipulation of the argument class_date with the input 2024-02-23%22%3E%3Cscript%3Ealert(1)%3C/script%3E leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-254625 was assigned to this vulnerability. 2024-02-23 3.5 CVE-2024-1834
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com
totolink — x6000r
 
A vulnerability classified as problematic was found in Totolink X6000R 9.4.0cu.852_B20230719. Affected by this vulnerability is an unknown functionality of the file /etc/shadow. The manipulation leads to hard-coded credentials. It is possible to launch the attack on the local host. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-254179. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. 2024-02-20 2.5 CVE-2024-1661
cna@vuldb.com
cna@vuldb.com
cna@vuldb.com

Back to top

 

Severity Not Yet Assigned

Primary
Vendor — Product
Description Published CVSS Score Source & Patch Info
linux — linux In the Linux kernel, the following vulnerability has been resolved: bpf: Fix a race condition between btf_put() and map_free() When running `./test_progs -j` in my local vm with latest kernel, I once hit a kasan error like below: [ 1887.184724] BUG: KASAN: slab-use-after-free in bpf_rb_root_free+0x1f8/0x2b0 [ 1887.185599] Read of size 4 at addr ffff888106806910 by task kworker/u12:2/2830 [ 1887.186498] [ 1887.186712] CPU: 3 PID: 2830 Comm: kworker/u12:2 Tainted: G OEL 6.7.0-rc3-00699-g90679706d486-dirty #494 [ 1887.188034] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 [ 1887.189618] Workqueue: events_unbound bpf_map_free_deferred [ 1887.190341] Call Trace: [ 1887.190666] <TASK> [ 1887.190949] dump_stack_lvl+0xac/0xe0 [ 1887.191423] ? nf_tcp_handle_invalid+0x1b0/0x1b0 [ 1887.192019] ? panic+0x3c0/0x3c0 [ 1887.192449] print_report+0x14f/0x720 [ 1887.192930] ? preempt_count_sub+0x1c/0xd0 [ 1887.193459] ? __virt_addr_valid+0xac/0x120 [ 1887.194004] ? bpf_rb_root_free+0x1f8/0x2b0 [ 1887.194572] kasan_report+0xc3/0x100 [ 1887.195085] ? bpf_rb_root_free+0x1f8/0x2b0 [ 1887.195668] bpf_rb_root_free+0x1f8/0x2b0 [ 1887.196183] ? __bpf_obj_drop_impl+0xb0/0xb0 [ 1887.196736] ? preempt_count_sub+0x1c/0xd0 [ 1887.197270] ? preempt_count_sub+0x1c/0xd0 [ 1887.197802] ? _raw_spin_unlock+0x1f/0x40 [ 1887.198319] bpf_obj_free_fields+0x1d4/0x260 [ 1887.198883] array_map_free+0x1a3/0x260 [ 1887.199380] bpf_map_free_deferred+0x7b/0xe0 [ 1887.199943] process_scheduled_works+0x3a2/0x6c0 [ 1887.200549] worker_thread+0x633/0x890 [ 1887.201047] ? __kthread_parkme+0xd7/0xf0 [ 1887.201574] ? kthread+0x102/0x1d0 [ 1887.202020] kthread+0x1ab/0x1d0 [ 1887.202447] ? pr_cont_work+0x270/0x270 [ 1887.202954] ? kthread_blkcg+0x50/0x50 [ 1887.203444] ret_from_fork+0x34/0x50 [ 1887.203914] ? kthread_blkcg+0x50/0x50 [ 1887.204397] ret_from_fork_asm+0x11/0x20 [ 1887.204913] </TASK> [ 1887.204913] </TASK> [ 1887.205209] [ 1887.205416] Allocated by task 2197: [ 1887.205881] kasan_set_track+0x3f/0x60 [ 1887.206366] __kasan_kmalloc+0x6e/0x80 [ 1887.206856] __kmalloc+0xac/0x1a0 [ 1887.207293] btf_parse_fields+0xa15/0x1480 [ 1887.207836] btf_parse_struct_metas+0x566/0x670 [ 1887.208387] btf_new_fd+0x294/0x4d0 [ 1887.208851] __sys_bpf+0x4ba/0x600 [ 1887.209292] __x64_sys_bpf+0x41/0x50 [ 1887.209762] do_syscall_64+0x4c/0xf0 [ 1887.210222] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 1887.210868] [ 1887.211074] Freed by task 36: [ 1887.211460] kasan_set_track+0x3f/0x60 [ 1887.211951] kasan_save_free_info+0x28/0x40 [ 1887.212485] ____kasan_slab_free+0x101/0x180 [ 1887.213027] __kmem_cache_free+0xe4/0x210 [ 1887.213514] btf_free+0x5b/0x130 [ 1887.213918] rcu_core+0x638/0xcc0 [ 1887.214347] __do_softirq+0x114/0x37e The error happens at bpf_rb_root_free+0x1f8/0x2b0: 00000000000034c0 <bpf_rb_root_free>: ; { 34c0: f3 0f 1e fa endbr64 34c4: e8 00 00 00 00 callq 0x34c9 <bpf_rb_root_free+0x9> 34c9: 55 pushq %rbp 34ca: 48 89 e5 movq %rsp, %rbp … ; if (rec && rec->refcount_off >= 0 && 36aa: 4d 85 ed testq %r13, %r13 36ad: 74 a9 je 0x3658 <bpf_rb_root_free+0x198> 36af: 49 8d 7d 10 leaq 0x10(%r13), %rdi 36b3: e8 00 00 00 00 callq 0x36b8 <bpf_rb_root_free+0x1f8> <==== kasan function 36b8: 45 8b 7d 10 movl 0x10(%r13), %r15d <==== use-after-free load 36bc: 45 85 ff testl %r15d, %r15d 36bf: 78 8c js 0x364d <bpf_rb_root_free+0x18d> So the problem —truncated— 2024-02-22 not yet calculated CVE-2023-52446
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
12d_synergy — 12d_synergy_server,12d_file_replication_server An unquoted service path vulnerability in the 12d Synergy Server and File Replication Server components may allow an attacker to gain elevated privileges via the 12d Synergy Server and/or 12d Synergy File Replication Server executable service path. This is fixed in 4.3.10.192, 5.1.5.221, and 5.1.6.235. 2024-02-19 not yet calculated CVE-2024-24722
cve@mitre.org
cve@mitre.org
cve@mitre.org
alanclarke — urlite An issue in alanclarke URLite v.3.1.0 allows an attacker to cause a denial of service (DoS) via a crafted payload to the parsing function. 2024-02-16 not yet calculated CVE-2023-51931
cve@mitre.org
cve@mitre.org
apache_software_foundation — apache_airflow_mongo_provider When ssl was enabled for Mongo Hook, default settings included “allow_insecure” which caused that certificates were not validated. This was unexpected and undocumented. Users are recommended to upgrade to version 4.0.0, which fixes this issue. 2024-02-20 not yet calculated CVE-2024-25141
security@apache.org
security@apache.org
security@apache.org
apache_software_foundation — apache_answer Unrestricted Upload of File with Dangerous Type vulnerability in Apache Answer.This issue affects Apache Answer: through 1.2.1. Pixel Flood Attack by uploading large pixel files will cause server out of memory. A logged-in user can cause such an attack by uploading an image when posting content. Users are recommended to upgrade to version [1.2.5], which fixes the issue. 2024-02-22 not yet calculated CVE-2024-22393
security@apache.org
security@apache.org
apache_software_foundation — apache_answer Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Apache Answer.This issue affects Apache Answer: through 1.2.1. XSS attack when user enters summary. A logged-in user, when modifying their own submitted question, can input malicious code in the summary to create such an attack. Users are recommended to upgrade to version [1.2.5], which fixes the issue. 2024-02-22 not yet calculated CVE-2024-23349
security@apache.org
security@apache.org
apache_software_foundation — apache_answer Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’) vulnerability in Apache Answer.This issue affects Apache Answer: through 1.2.1. Repeated submission during registration resulted in the registration of the same user. When users register, if they rapidly submit multiple registrations using scripts, it can result in the creation of multiple user accounts simultaneously with the same name. Users are recommended to upgrade to version [1.2.5], which fixes the issue. 2024-02-22 not yet calculated CVE-2024-26578
security@apache.org
security@apache.org
apache_software_foundation — apache_camel Deserialization of Untrusted Data vulnerability in Apache Camel SQL ComponentThis issue affects Apache Camel: from 3.0.0 before 3.21.4, from 3.22.0 before 3.22.1, from 4.0.0 before 4.0.4, from 4.1.0 before 4.4.0. Users are recommended to upgrade to version 4.4.0, which fixes the issue. If users are on the 4.0.x LTS releases stream, then they are suggested to upgrade to 4.0.4. If users are on 3.x, they are suggested to move to 3.21.4 or 3.22.1 2024-02-20 not yet calculated CVE-2024-22369
security@apache.org
apache_software_foundation — apache_camel Deserialization of Untrusted Data vulnerability in Apache Camel CassandraQL Component AggregationRepository which is vulnerable to unsafe deserialization. Under specific conditions it is possible to deserialize malicious payload.This issue affects Apache Camel: from 3.0.0 before 3.21.4, from 3.22.0 before 3.22.1, from 4.0.0 before 4.0.4, from 4.1.0 before 4.4.0. Users are recommended to upgrade to version 4.4.0, which fixes the issue. If users are on the 4.0.x LTS releases stream, then they are suggested to upgrade to 4.0.4. If users are on 3.x, they are suggested to move to 3.21.4 or 3.22.1 2024-02-20 not yet calculated CVE-2024-23114
security@apache.org
apache_software_foundation — apache_dolphinscheduler Exposure of Remote Code Execution in Apache Dolphinscheduler. This issue affects Apache DolphinScheduler: before 3.2.1. We recommend users to upgrade Apache DolphinScheduler to version 3.2.1, which fixes the issue. 2024-02-20 not yet calculated CVE-2023-49109
security@apache.org
security@apache.org
security@apache.org
security@apache.org
apache_software_foundation — apache_dolphinscheduler Because the HttpUtils class did not verify certificates, an attacker that could perform a Man-in-the-Middle (MITM) attack on outgoing https connections could impersonate the server. This issue affects Apache DolphinScheduler: before 3.2.0. Users are recommended to upgrade to version 3.2.1, which fixes the issue. 2024-02-20 not yet calculated CVE-2023-49250
security@apache.org
security@apache.org
security@apache.org
apache_software_foundation — apache_dolphinscheduler Session Fixation Apache DolphinScheduler before version 3.2.0, which session is still valid after the password change. Users are recommended to upgrade to version 3.2.1, which fixes this issue. 2024-02-20 not yet calculated CVE-2023-50270
security@apache.org
security@apache.org
security@apache.org
security@apache.org
apache_software_foundation — apache_dolphinscheduler Arbitrary File Read Vulnerability in Apache Dolphinscheduler. This issue affects Apache DolphinScheduler: before 3.2.1. We recommend users to upgrade Apache DolphinScheduler to version 3.2.1, which fixes the issue. 2024-02-20 not yet calculated CVE-2023-51770
security@apache.org
security@apache.org
security@apache.org
security@apache.org
apache_software_foundation — apache_dolphinscheduler Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed javascript to be executed on the server. This issue is a legacy of CVE-2023-49299. We didn’t fix it completely in CVE-2023-49299, and we added one more patch to fix it. This issue affects Apache DolphinScheduler: until 3.2.1. Users are recommended to upgrade to version 3.2.1, which fixes the issue. 2024-02-23 not yet calculated CVE-2024-23320
security@apache.org
security@apache.org
security@apache.org
security@apache.org
security@apache.org
apple — ios_and_ipados The issue was resolved by sanitizing logging This issue is fixed in watchOS 10.1, macOS Sonoma 14.1, tvOS 17.1, macOS Monterey 12.7.1, iOS 16.7.2 and iPadOS 16.7.2, iOS 17.1 and iPadOS 17.1, macOS Ventura 13.6.1. An app may be able to access user-sensitive data. 2024-02-21 not yet calculated CVE-2023-42823
product-security@apple.com
product-security@apple.com
product-security@apple.com
product-security@apple.com
product-security@apple.com
product-security@apple.com
product-security@apple.com
apple — ios_and_ipados An inconsistent user interface issue was addressed with improved state management. This issue is fixed in iOS 16.7.2 and iPadOS 16.7.2, iOS 17.1 and iPadOS 17.1, Safari 17.1, macOS Sonoma 14.1. Visiting a malicious website may lead to address bar spoofing. 2024-02-21 not yet calculated CVE-2023-42843
product-security@apple.com
product-security@apple.com
product-security@apple.com
product-security@apple.com
apple — ios_and_ipados The issue was addressed with improved bounds checks. This issue is fixed in watchOS 10.1, macOS Sonoma 14.1, tvOS 17.1, iOS 16.7.2 and iPadOS 16.7.2, iOS 17.1 and iPadOS 17.1, macOS Ventura 13.6.1. Processing a maliciously crafted image may lead to heap corruption. 2024-02-21 not yet calculated CVE-2023-42848
product-security@apple.com
product-security@apple.com
product-security@apple.com
product-security@apple.com
product-security@apple.com
product-security@apple.com
apple — ios_and_ipados This issue was addressed with improved state management. This issue is fixed in iOS 17.1 and iPadOS 17.1. An attacker with physical access may be able to silently persist an Apple ID on an erased device. 2024-02-21 not yet calculated CVE-2023-42855
product-security@apple.com
apple — ios_and_ipados The issue was addressed with improved bounds checks. This issue is fixed in macOS Sonoma 14.1, tvOS 17.1, macOS Monterey 12.7.1, iOS 16.7.2 and iPadOS 16.7.2, iOS 17.1 and iPadOS 17.1, macOS Ventura 13.6.1. An app may be able to execute arbitrary code with kernel privileges. 2024-02-21 not yet calculated CVE-2023-42873
product-security@apple.com
product-security@apple.com
product-security@apple.com
product-security@apple.com
product-security@apple.com
product-security@apple.com
apple — ios_and_ipados The issue was addressed with improved bounds checks. This issue is fixed in iOS 17.1 and iPadOS 17.1. An app may be able to gain elevated privileges. 2024-02-21 not yet calculated CVE-2023-42928
product-security@apple.com
apple — ios_and_ipados A logic issue was addressed with improved checks. This issue is fixed in iOS 17.1 and iPadOS 17.1. A user’s private browsing activity may be unexpectedly saved in the App Privacy Report. 2024-02-21 not yet calculated CVE-2023-42939
product-security@apple.com
apple — ios_and_ipados This issue was addressed with improved handling of symlinks. This issue is fixed in watchOS 10.1, macOS Sonoma 14.1, tvOS 17.1, iOS 16.7.2 and iPadOS 16.7.2, iOS 17.1 and iPadOS 17.1, macOS Ventura 13.6.1. A malicious app may be able to gain root privileges. 2024-02-21 not yet calculated CVE-2023-42942
product-security@apple.com
product-security@apple.com
product-security@apple.com
product-security@apple.com
product-security@apple.com
product-security@apple.com
apple — ios_and_ipados The issue was addressed with improved handling of caches. This issue is fixed in iOS 17.1 and iPadOS 17.1. A user may be unable to delete browsing history items. 2024-02-21 not yet calculated CVE-2023-42951
product-security@apple.com
apple — macos A privacy issue was addressed with improved handling of files. This issue is fixed in watchOS 10.1, macOS Sonoma 14.1, macOS Monterey 12.7.2, macOS Ventura 13.6.3, iOS 17.1 and iPadOS 17.1. An app may be able to access sensitive user data. 2024-02-21 not yet calculated CVE-2023-42834
product-security@apple.com
product-security@apple.com
product-security@apple.com
product-security@apple.com
product-security@apple.com
apple — macos A logic issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14.1. An attacker may be able to access user data. 2024-02-21 not yet calculated CVE-2023-42835
product-security@apple.com
apple — macos A logic issue was addressed with improved checks. This issue is fixed in iOS 17.1 and iPadOS 17.1, macOS Ventura 13.6.3, macOS Sonoma 14.1, macOS Monterey 12.7.2. An attacker may be able to access connected network volumes mounted in the home directory. 2024-02-21 not yet calculated CVE-2023-42836
product-security@apple.com
product-security@apple.com
product-security@apple.com
product-security@apple.com
apple — macos An access issue was addressed with improvements to the sandbox. This issue is fixed in macOS Ventura 13.6.3, macOS Sonoma 14.1, macOS Monterey 12.7.2. An app may be able to execute arbitrary code out of its sandbox or with certain elevated privileges. 2024-02-21 not yet calculated CVE-2023-42838
product-security@apple.com
product-security@apple.com
product-security@apple.com
apple — macos The issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14.1, macOS Monterey 12.7.1, macOS Ventura 13.6.1. An app may be able to access user-sensitive data. 2024-02-21 not yet calculated CVE-2023-42840
product-security@apple.com
product-security@apple.com
product-security@apple.com
apple — macos A logic issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14.1, macOS Monterey 12.7.1, macOS Ventura 13.6.1. An app may be able to access user-sensitive data. 2024-02-21 not yet calculated CVE-2023-42853
product-security@apple.com
product-security@apple.com
product-security@apple.com
apple — macos The issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14.1, macOS Monterey 12.7.1, macOS Ventura 13.6.1. An app may be able to access user-sensitive data. 2024-02-21 not yet calculated CVE-2023-42858
product-security@apple.com
product-security@apple.com
product-security@apple.com
apple — macos The issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14.1, macOS Monterey 12.7.1, macOS Ventura 13.6.1. An app may be able to modify protected parts of the file system. 2024-02-21 not yet calculated CVE-2023-42859
product-security@apple.com
product-security@apple.com
product-security@apple.com
apple — macos A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sonoma 14.1, macOS Monterey 12.7.1, macOS Ventura 13.6.1. An app may be able to modify protected parts of the file system. 2024-02-21 not yet calculated CVE-2023-42860
product-security@apple.com
product-security@apple.com
product-security@apple.com
apple — macos The issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14.1, macOS Monterey 12.7.1, macOS Ventura 13.6.1. An app may be able to modify protected parts of the file system. 2024-02-21 not yet calculated CVE-2023-42877
product-security@apple.com
product-security@apple.com
product-security@apple.com
apple — macos A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in watchOS 10.1, macOS Sonoma 14.1, iOS 17.1 and iPadOS 17.1. An app may be able to access sensitive user data. 2024-02-21 not yet calculated CVE-2023-42878
product-security@apple.com
product-security@apple.com
product-security@apple.com
apple — macos The issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14.1, macOS Monterey 12.7.1, macOS Ventura 13.6.1. An app may be able to bypass certain Privacy preferences. 2024-02-21 not yet calculated CVE-2023-42889
product-security@apple.com
product-security@apple.com
product-security@apple.com
apple — macos A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sonoma 14.1. An app may gain unauthorized access to Bluetooth. 2024-02-21 not yet calculated CVE-2023-42945
product-security@apple.com
apple — macos The issue was addressed with improved checks. This issue is fixed in iOS 17.1 and iPadOS 17.1, macOS Ventura 13.6.3, macOS Sonoma 14.1, macOS Monterey 12.7.1. An app with root privileges may be able to access private information. 2024-02-21 not yet calculated CVE-2023-42952
product-security@apple.com
product-security@apple.com
product-security@apple.com
product-security@apple.com
apple — tvos This issue was addressed with improved state management. This issue is fixed in tvOS 17.1, watchOS 10.1, macOS Sonoma 14.1, iOS 17.1 and iPadOS 17.1. An app may be able to access sensitive user data. 2024-02-21 not yet calculated CVE-2023-42839
product-security@apple.com
product-security@apple.com
product-security@apple.com
product-security@apple.com
apple — tvos This issue was addressed with improved redaction of sensitive information. This issue is fixed in tvOS 17.1, watchOS 10.1, macOS Sonoma 14.1, iOS 17.1 and iPadOS 17.1. An app may be able to leak sensitive user information. 2024-02-21 not yet calculated CVE-2023-42946
product-security@apple.com
product-security@apple.com
product-security@apple.com
product-security@apple.com
apple — tvos A permissions issue was addressed with additional restrictions. This issue is fixed in tvOS 17.1, watchOS 10.1, macOS Sonoma 14.1, iOS 17.1 and iPadOS 17.1. An app may be able to access sensitive user data. 2024-02-21 not yet calculated CVE-2023-42953
product-security@apple.com
product-security@apple.com
product-security@apple.com
product-security@apple.com
appwrite — appwrite The ACME-challenge endpoint in Appwrite 0.5.0 through 0.12.x before 0.12.2 allows remote attackers to read arbitrary local files via ../ directory traversal. In order to be vulnerable, APP_STORAGE_CERTIFICATES/.well-known/acme-challenge must exist on disk. (This pathname is automatically created if the user chooses to install Let’s Encrypt certificates via Appwrite.) 2024-02-22 not yet calculated CVE-2022-25377
cve@mitre.org
cve@mitre.org
cve@mitre.org
cve@mitre.org
arm — trusted_firmware-a Trusted Firmware-A (TF-A) before 2.10 has a potential read out-of-bounds in the SDEI service. The input parameter passed in register x1 is not validated well enough in the function sdei_interrupt_bind. The parameter is passed to a call to plat_ic_get_interrupt_type. It can be any arbitrary value passing checks in the function plat_ic_is_sgi. A compromised Normal World (Linux kernel) can enable a root-privileged attacker to issue arbitrary SMC calls. Using this primitive, he can control the content of registers x0 through x6, which are used to send parameters to TF-A. Out-of-bounds addresses can be read in the context of TF-A (EL3). Because the read value is never returned to non-secure memory or in registers, no leak is possible. An attacker can still crash TF-A, however. 2024-02-21 not yet calculated CVE-2023-49100
cve@mitre.org
cve@mitre.org
cve@mitre.org
atlassian — assets_discovery_data_center This High severity Injection vulnerability was introduced in Assets Discovery 1.0 – 6.2.0 (all versions). Assets Discovery, which can be downloaded via Atlassian Marketplace, is a network scanning tool that can be used with or without an agent with Jira Service Management Cloud, Data Center or Server. It detects hardware and software that is connected to your local network and extracts detailed information about each asset. This data can then be imported into Assets in Jira Service Management to help you manage all of the devices and configuration items within your local network. This Injection vulnerability, with a CVSS Score of 7.2, allows an authenticated attacker to modify the actions taken by a system call which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction. Atlassian recommends that Assets Discovery customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions See the release notes (https://confluence.atlassian.com/assetapps/assets-discovery-3-2-1-cloud-6-2-1-data_center-1333987182.html). You can download the latest version of Assets Discovery from the Atlassian Marketplace (https://marketplace.atlassian.com/apps/1214668/assets-discovery?hosting=datacenter&tab=installation). This vulnerability was reported via our Penetration Testing program. 2024-02-20 not yet calculated CVE-2024-21682
security@atlassian.com
security@atlassian.com
security@atlassian.com
security@atlassian.com
atlassian — confluence_data_center This High severity Stored XSS vulnerability was introduced in version 2.7.0 of Confluence Data Center. This Stored XSS vulnerability, with a CVSS Score of 8.5, allows an authenticated attacker to execute arbitrary HTML or JavaScript code on a victims browser which has high impact to confidentiality, low impact to integrity, no impact to availability, and requires no user interaction. Data Center Atlassian recommends that Confluence Data Center customers upgrade to the latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions: ||Affected versions||Fixed versions|| |from 8.7.0 to 8.7.1|8.8.0 recommended or 8.7.2| |from 8.6.0 to 8.6.1|8.8.0 recommended| |from 8.5.0 to 8.5.4 LTS|8.8.0 recommended or 8.5.5 LTS or 8.5.6 LTS| |from 8.4.0 to 8.4.5|8.8.0 recommended or 8.5.6 LTS| |from 8.3.0 to 8.3.4|8.8.0 recommended or 8.5.6 LTS| |from 8.2.0 to 8.2.3|8.8.0 recommended or 8.5.6 LTS| |from 8.1.0 to 8.1.4|8.8.0 recommended or 8.5.6 LTS| |from 8.0.0 to 8.0.4|8.8.0 recommended or 8.5.6 LTS| |from 7.20.0 to 7.20.3|8.8.0 recommended or 8.5.6 LTS| |from 7.19.0 to 7.19.17 LTS|8.8.0 recommended or 8.5.6 LTS or 7.19.18 LTS or 7.19.19 LTS| |from 7.18.0 to 7.18.3|8.8.0 recommended or 8.5.6 LTS or 7.19.19 LTS| |from 7.17.0 to 7.17.5|8.8.0 recommended or 8.5.6 LTS or 7.19.19 LTS| |Any earlier versions|8.8.0 recommended or 8.5.6 LTS or 7.19.19 LTS| Server Atlassian recommends that Confluence Server customers upgrade to the latest 8.5.x LTS version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions:  ||Affected versions||Fixed versions|| |from 8.5.0 to 8.5.4 LTS|8.5.5 LTS or 8.5.6 LTS recommended| |from 8.4.0 to 8.4.5|8.5.6 LTS recommended| |from 8.3.0 to 8.3.4|8.5.6 LTS recommended| |from 8.2.0 to 8.2.3|8.5.6 LTS recommended| |from 8.1.0 to 8.1.4|8.5.6 LTS recommended| |from 8.0.0 to 8.0.4|8.5.6 LTS recommended| |from 7.20.0 to 7.20.3|8.5.6 LTS recommended| |from 7.19.0 to 7.19.17 LTS|8.5.6 LTS recommended or 7.19.18 LTS or 7.19.19 LTS| |from 7.18.0 to 7.18.3|8.5.6 LTS recommended or 7.19.19 LTS| |from 7.17.0 to 7.17.5|8.5.6 LTS recommended or 7.19.19 LTS| |Any earlier versions|8.5.6 LTS recommended or 7.19.19 LTS| See the release notes ([https://confluence.atlassian.com/doc/confluence-release-notes-327.html]). You can download the latest version of Confluence Data Center from the download center ([https://www.atlassian.com/software/confluence/download-archives]). This vulnerability was reported via our Bug Bounty program. 2024-02-20 not yet calculated CVE-2024-21678
security@atlassian.com
security@atlassian.com
autodesk — autocad,_advance_steel_and_civil_3d A maliciously crafted STP, CATPART or MODEL file when parsed in ASMKERN228A.dll through Autodesk AutoCAD can force an Out-of-Bound Write. A malicious actor can leverage this vulnerability to cause a crash, write sensitive data, or execute arbitrary code in the context of the current process. 2024-02-22 not yet calculated CVE-2024-0446
psirt@autodesk.com
autodesk — autocad,_advance_steel_and_civil_3d A maliciously crafted STP file when parsed in ASMIMPORT228A.dll through Autodesk AutoCAD can force an Out-of-Bound Write. A malicious actor can leverage this vulnerability to cause a crash, write sensitive data, or execute arbitrary code in the context of the current process. 2024-02-22 not yet calculated CVE-2024-23120
psirt@autodesk.com
autodesk — autocad,_advance_steel_and_civil_3d A maliciously crafted MODEL file when parsed in libodxdll.dll through Autodesk AutoCAD can force an Out-of-Bound Write. A malicious actor can leverage this vulnerability to cause a crash, write sensitive data, or execute arbitrary code in the context of the current process. 2024-02-22 not yet calculated CVE-2024-23121
psirt@autodesk.com
autodesk — autocad,_advance_steel_and_civil_3d A maliciously crafted 3DM file when parsed in opennurbs.dll through Autodesk AutoCAD can force an Out-of-Bound Write. A malicious actor can leverage this vulnerability to cause a crash, write sensitive data, or execute arbitrary code in the context of the current process. 2024-02-22 not yet calculated CVE-2024-23122
psirt@autodesk.com
autodesk — autocad,_advance_steel_and_civil_3d A maliciously crafted CATPART file when parsed in CC5Dll.dll and ASMBASE228A.dll through Autodesk AutoCAD can force an Out-of-Bound Write. A malicious actor can leverage this vulnerability to cause a crash, write sensitive data, or execute arbitrary code in the context of the current process. 2024-02-22 not yet calculated CVE-2024-23123
psirt@autodesk.com
autodesk — autocad,_advance_steel_and_civil_3d A maliciously crafted STP file when parsed in ASMIMPORT228A.dll through Autodesk AutoCAD can force an Out-of-Bound Write. A malicious actor can leverage this vulnerability to cause a crash, write sensitive data, or execute arbitrary code in the context of the current process. 2024-02-22 not yet calculated CVE-2024-23124
psirt@autodesk.com
autodesk — autocad,_advance_steel_and_civil_3d A maliciously crafted SLDPRT file when parsed ODXSW_DLL.dll through Autodesk AutoCAD can be used to cause a Stack-based Overflow. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process. 2024-02-22 not yet calculated CVE-2024-23125
psirt@autodesk.com
autodesk — autocad,_advance_steel_and_civil_3d A maliciously crafted CATPART file when parsed CC5Dll.dll through Autodesk AutoCAD can be used to cause a Stack-based Overflow. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process. 2024-02-22 not yet calculated CVE-2024-23126
psirt@autodesk.com
autodesk — autocad,_advance_steel_and_civil_3d A maliciously crafted MODEL, SLDPRT or SLDASM file when parsed VCRUNTIME140.dll through Autodesk AutoCAD can be used to cause a Heap-based Overflow. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process. 2024-02-22 not yet calculated CVE-2024-23127
psirt@autodesk.com
autodesk — autocad,_advance_steel_and_civil_3d A maliciously crafted MODEL file in libodxdll.dll when parsed through Autodesk AutoCAD could lead to a memory corruption vulnerability by write access violation. This vulnerability in conjunction with other vulnerabilities could lead to code execution in the context of the current process. 2024-02-22 not yet calculated CVE-2024-23128
psirt@autodesk.com
autodesk — autocad,_advance_steel_and_civil_3d A maliciously crafted MODEL 3DM, STP or SLDASM files in opennurbs.dll when parsed through Autodesk AutoCAD could lead to a memory corruption vulnerability by write access violation. This vulnerability in conjunction with other vulnerabilities could lead to code execution in the context of the current process. 2024-02-22 not yet calculated CVE-2024-23129
psirt@autodesk.com
autodesk — autocad,_advance_steel_and_civil_3d A maliciously crafted SLDASM, or SLDPRT files in ODXSW_DLL.dll when parsed through Autodesk AutoCAD could lead to a memory corruption vulnerability by write access violation. This vulnerability in conjunction with other vulnerabilities could lead to code execution in the context of the current process. 2024-02-22 not yet calculated CVE-2024-23130
psirt@autodesk.com
autodesk — autocad,_advance_steel_and_civil_3d A maliciously crafted STP file in ASMKERN228A.dll or ASMDATAX228A.dll when parsed through Autodesk AutoCAD could lead to a memory corruption vulnerability by write access violation. This vulnerability in conjunction with other vulnerabilities could lead to code execution in the context of the current process. 2024-02-22 not yet calculated CVE-2024-23131
psirt@autodesk.com
autodesk — autocad,_advance_steel_and_civil_3d A maliciously crafted STP file in atf_dwg_consumer.dll when parsed through Autodesk AutoCAD could lead to a memory corruption vulnerability by write access violation. This vulnerability in conjunction with other vulnerabilities could lead to code execution in the context of the current process. 2024-02-22 not yet calculated CVE-2024-23132
psirt@autodesk.com
autodesk — autocad,_advance_steel_and_civil_3d A maliciously crafted STP file in ASMDATAX228A.dll when parsed through Autodesk AutoCAD could lead to a memory corruption vulnerability by write access violation. This vulnerability in conjunction with other vulnerabilities could lead to code execution in the context of the current process. 2024-02-22 not yet calculated CVE-2024-23133
psirt@autodesk.com
autodesk — autocad,_advance_steel_and_civil_3d A maliciously crafted IGS file when tbb.dll parsed through Autodesk AutoCAD can be used in user-after-free vulnerability. This vulnerability, along with other vulnerabilities, could lead to code execution in the current process. 2024-02-22 not yet calculated CVE-2024-23134
psirt@autodesk.com
autodesk — autocad,_advance_steel_and_civil_3d A maliciously crafted SLDPRT file when ASMkern228A.dll parsed through Autodesk AutoCAD can be used in user-after-free vulnerability. This vulnerability, along with other vulnerabilities, could lead to code execution in the current process. 2024-02-22 not yet calculated CVE-2024-23135
psirt@autodesk.com
autodesk — autocad,_advance_steel_and_civil_3d A maliciously crafted STP file when ASMKERN228A.dll parsed through Autodesk AutoCAD can be used to dereference an untrusted pointer. This vulnerability, along with other vulnerabilities, could lead to code execution in the current process. 2024-02-22 not yet calculated CVE-2024-23136
psirt@autodesk.com
autodesk — autocad,_advance_steel_and_civil_3d A maliciously crafted STP or SLDPRT file when ODXSW_DLL.dll parsed through Autodesk AutoCAD can be used to uninitialized variable. This vulnerability, along with other vulnerabilities, could lead to code execution in the current process. 2024-02-22 not yet calculated CVE-2024-23137
psirt@autodesk.com
bludit — bludit_cms Cross Site Scripting (XSS) vulnerability in Bludit CMS version 3.15, allows remote attackers to execute arbitrary code and obtain sensitive information via edit-content.php. 2024-02-17 not yet calculated CVE-2024-25297
cve@mitre.org
carlos_santiago — he3_app An issue in He3 App for macOS version 2.0.17, allows remote attackers to execute arbitrary code via the RunAsNode and enableNodeClilnspectArguments settings. 2024-02-21 not yet calculated CVE-2024-25249
cve@mitre.org
cve@mitre.org
cve@mitre.org
ce-phoenixcart — phoenixcart A remote code execution (RCE) vulnerability in /admin/define_language.php of CE Phoenix v1.0.8.20 allows attackers to execute arbitrary PHP code via injecting a crafted payload into the file english.php. 2024-02-16 not yet calculated CVE-2024-25415
cve@mitre.org
cve@mitre.org
cve@mitre.org
churchcrm — churchcrm ChurchCRM 5.5.0 FRBidSheets.php is vulnerable to Blind SQL Injection (Time-based) via the CurrentFundraiser GET parameter. 2024-02-21 not yet calculated CVE-2024-25891
cve@mitre.org
churchcrm — churchcrm ChurchCRM 5.5.0 ConfirmReport.php is vulnerable to Blind SQL Injection (Time-based) via the familyId GET parameter. 2024-02-21 not yet calculated CVE-2024-25892
cve@mitre.org
churchcrm — churchcrm ChurchCRM 5.5.0 FRCertificates.php is vulnerable to Blind SQL Injection (Time-based) via the CurrentFundraiser GET parameter. 2024-02-21 not yet calculated CVE-2024-25893
cve@mitre.org
churchcrm — churchcrm ChurchCRM 5.5.0 /EventEditor.php is vulnerable to Blind SQL Injection (Time-based) via the EventCount POST parameter. 2024-02-21 not yet calculated CVE-2024-25894
cve@mitre.org
churchcrm — churchcrm A reflected cross-site scripting (XSS) vulnerability in ChurchCRM 5.5.0 allows remote attackers to inject arbitrary web script or HTML via the type parameter of /EventAttendance.php 2024-02-21 not yet calculated CVE-2024-25895
cve@mitre.org
churchcrm — churchcrm ChurchCRM 5.5.0 EventEditor.php is vulnerable to Blind SQL Injection (Time-based) via the EID POST parameter. 2024-02-21 not yet calculated CVE-2024-25896
cve@mitre.org
churchcrm — churchcrm ChurchCRM 5.5.0 FRCatalog.php is vulnerable to Blind SQL Injection (Time-based) via the CurrentFundraiser GET parameter. 2024-02-21 not yet calculated CVE-2024-25897
cve@mitre.org
churchcrm — churchcrm A XSS vulnerability was found in the ChurchCRM v.5.5.0 functionality, edit your event, where malicious JS or HTML code can be inserted in the Event Sermon field in EventEditor.php. 2024-02-21 not yet calculated CVE-2024-25898
cve@mitre.org
cmseasy – cmseasy cmseasy V7.7.7.9 has an arbitrary file deletion vulnerability in lib/admin/template_admin.php. 2024-02-22 not yet calculated CVE-2024-25828
cve@mitre.org
code-projects — agro-school_management_system code-projects Agro-School Management System 1.0 is suffers from Incorrect Access Control. 2024-02-22 not yet calculated CVE-2024-25251
cve@mitre.org
cve@mitre.org
crmeb — crmeb SQL Injection vulnerability in CRMEB crmeb_java v.1.3.4 and before allows a remote attacker to obtain sensitive information via the latitude and longitude parameters in the api/front/store/list component. 2024-02-23 not yet calculated CVE-2024-25469
cve@mitre.org
cve@mitre.org
cskaza — csz_cms An arbitrary file upload vulnerability in /admin/upgrade of CSZ CMS v1.3.0 allows attackers to execute arbitrary code via uploading a crafted Zip file. 2024-02-16 not yet calculated CVE-2024-25414
cve@mitre.org
cve@mitre.org
d-link — dir-816 Command Injection vulnerability in D-Link Dir 816 with firmware version DIR-816_A2_v1.10CNB04 allows attackers to run arbitrary commands via the urlAdd parameter. 2024-02-21 not yet calculated CVE-2023-24331
cve@mitre.org
d-link — dir-882 Command Injection vulnerability in D-Link Dir 882 with firmware version DIR882A1_FW130B06 allows attackers to run arbitrary commands via crafted POST request to /HNAP1/. 2024-02-21 not yet calculated CVE-2023-24330
cve@mitre.org
darktrace — threat_visualizer DOM-based HTML injection vulnerability in the main page of Darktrace Threat Visualizer version 6.1.27 (bundle version 61050) and before has been identified. A URL, crafted by a remote attacker and visited by an authenticated user, allows open redirect and potential credential stealing using an injected HTML form. 2024-02-16 not yet calculated CVE-2024-22854
cve@mitre.org
daylight_studio_llc — fuel_cms A reflected Cross-Site Scripting (XSS) vulnerability in FUEL CMS 1.5.2allows attackers to run arbitrary code via crafted string after the group_id parameter. 2024-02-22 not yet calculated CVE-2024-25369
cve@mitre.org
emlog — emlog_pro There is a Stored XSS Vulnerability in Emlog Pro 2.2.8 Article Publishing, due to non-filtering of quoted content. 2024-02-21 not yet calculated CVE-2024-25381
cve@mitre.org
cve@mitre.org
enhancesoft — osticket Cross Site Scripting vulnerability in the sanitize function in Enhancesoft osTicket 1.18.0 allows a remote attacker to escalate privileges via a crafted support ticket. 2024-02-20 not yet calculated CVE-2023-46967
cve@mitre.org
enhavo — enhavo_cms Enhavo v0.13.1 was discovered to contain an HTML injection vulnerability in the Author text field under the Blockquote module. This vulnerability allows attackers to execute arbitrary code via a crafted payload. 2024-02-22 not yet calculated CVE-2024-25873
cve@mitre.org
cve@mitre.org
enhavo — enhavo_cms A cross-site scripting (XSS) vulnerability in the New/Edit Article module of Enhavo CMS v0.13.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Create Tag text field. 2024-02-22 not yet calculated CVE-2024-25874
cve@mitre.org
cve@mitre.org
enhavo — enhavo_cms A cross-site scripting (XSS) vulnerability in the Header module of Enhavo CMS v0.13.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Undertitle text field. 2024-02-22 not yet calculated CVE-2024-25875
cve@mitre.org
cve@mitre.org
enhavo — enhavo_cms A cross-site scripting (XSS) vulnerability in the Header module of Enhavo CMS v0.13.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title text field. 2024-02-22 not yet calculated CVE-2024-25876
cve@mitre.org
cve@mitre.org
firebear_studio — improved_import_&_export A XSLT Server Side injection vulnerability in the Import Jobs function of FireBear Improved Import And Export v3.8.6 allows attackers to execute arbitrary commands via a crafted XSLT file. 2024-02-16 not yet calculated CVE-2024-25413
cve@mitre.org
cve@mitre.org
flusity — flusity_cms Flusity-CMS v2.33 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /cover/addons/info_media_gallery/action/edit_addon_post.php 2024-02-22 not yet calculated CVE-2024-23094
cve@mitre.org
flusity — flusity_cms flusity-CMS v2.33 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /core/tools/delete_translation.php 2024-02-22 not yet calculated CVE-2024-26349
cve@mitre.org
flusity — flusity_cms flusity-CMS v2.33 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /core/tools/update_contact_form_settings.php 2024-02-22 not yet calculated CVE-2024-26350
cve@mitre.org
flusity — flusity_cms flusity-CMS v2.33 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /core/tools/update_place.php 2024-02-22 not yet calculated CVE-2024-26351
cve@mitre.org
flusity — flusity_cms flusity-CMS v2.33 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /core/tools/add_places.php 2024-02-22 not yet calculated CVE-2024-26352
cve@mitre.org
flusity — flusity_cms flusity-CMS v2.33 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /core/tools/delete_place.php 2024-02-22 not yet calculated CVE-2024-26445
cve@mitre.org
flusity — flusity_cms A cross-site scripting (XSS) vulnerability in the Addon JD Flusity ‘Social block links’ module of flusity-CMS v2.33 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Profile Name text field. 2024-02-22 not yet calculated CVE-2024-26489
cve@mitre.org
flusity — flusity_cms A cross-site scripting (XSS) vulnerability in the Addon JD Simple module of flusity-CMS v2.33 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title text field. 2024-02-22 not yet calculated CVE-2024-26490
cve@mitre.org
flusity — flusity_cms A cross-site scripting (XSS) vulnerability in the Addon JD Flusity ‘Media Gallery with description’ module of flusity-CMS v2.33 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Gallery name text field. 2024-02-22 not yet calculated CVE-2024-26491
cve@mitre.org
flvmeta — flvmeta An issue in flvmeta v.1.2.2 allows a local attacker to cause a denial of service via the flvmeta/src/flv.c:375:21 function in flv_close. 2024-02-22 not yet calculated CVE-2024-25385
cve@mitre.org
cve@mitre.org
frentix_gmbh — openolat_lms The Frentix GmbH OpenOlat LMS is affected by multiple stored Cross-Site Scripting (XSS) vulnerabilities. An attacker with rights to create or edit groups can create a course with a name that contains an XSS payload. Furthermore, attackers with the permissions to create or rename a catalog (sub-category) can enter unfiltered input in the name field. In addition, attackers who are allowed to create curriculums can also enter unfiltered input in the name field. This allows an attacker to execute stored JavaScript code with the permissions of the victim in the context of the user’s browser. 2024-02-20 not yet calculated CVE-2024-25973
551230f0-3615-47bd-b7cc-93e92e730bbf
551230f0-3615-47bd-b7cc-93e92e730bbf
frentix_gmbh — openolat_lms The Frentix GmbH OpenOlat LMS is affected by stored a Cross-Site Scripting (XSS) vulnerability. It is possible to upload files within the Media Center of OpenOlat version 18.1.5 (or lower) as an authenticated user without any other rights. Although the filetypes are limited, an SVG image containing an XSS payload can be uploaded. After a successful upload the file can be shared with groups of users (including admins) who can be attacked with the JavaScript payload. 2024-02-20 not yet calculated CVE-2024-25974
551230f0-3615-47bd-b7cc-93e92e730bbf
551230f0-3615-47bd-b7cc-93e92e730bbf
gnome — glade plugins/gtk+/glade-gtk-box.c in GNOME Glade before 3.38.1 and 3.39.x before 3.40.0 mishandles widget rebuilding for GladeGtkBox, leading to a denial of service (application crash). 2024-02-19 not yet calculated CVE-2020-36774
cve@mitre.org
cve@mitre.org
google — android In DevmemIntUnmapPMR of devicemem_server.c, there is a possible arbitrary code execution due to a use after free. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for exploitation. 2024-02-16 not yet calculated CVE-2023-21165
security@android.com
google — android In convertSubgraphFromHAL of ShimConverter.cpp, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. 2024-02-16 not yet calculated CVE-2023-40085
security@android.com
security@android.com
google — android In multiple files, there is a possible way that trimmed content could be included in PDF output due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. 2024-02-16 not yet calculated CVE-2023-40093
security@android.com
security@android.com
security@android.com
google — android In applyCustomDescription of SaveUi.java, there is a possible way to view other user’s images due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. 2024-02-16 not yet calculated CVE-2023-40122
security@android.com
security@android.com
google — android In startInstall of UpdateFetcher.java, there is a possible way to trigger a malicious config update due to a logic error. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. 2024-02-16 not yet calculated CVE-2024-0014
security@android.com
google — android In convertToComponentName of DreamService.java, there is a possible way to launch arbitrary protected activities due to intent redirection. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation. 2024-02-16 not yet calculated CVE-2024-0015
security@android.com
security@android.com
google — android In multiple locations, there is a possible out of bounds read due to a missing bounds check. This could lead to paired device information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. 2024-02-16 not yet calculated CVE-2024-0016
security@android.com
security@android.com
google — android In shouldUseNoOpLocation of CameraActivity.java, there is a possible confused deputy due to a permissions bypass. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. 2024-02-16 not yet calculated CVE-2024-0017
security@android.com
security@android.com
google — android In convertYUV420Planar16ToY410 of ColorConverter.cpp, there is a possible out of bounds write due to a heap buffer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. 2024-02-16 not yet calculated CVE-2024-0018
security@android.com
security@android.com
google — android In setListening of AppOpsControllerImpl.java, there is a possible way to hide the microphone privacy indicator when restarting systemUI due to a missing check for active recordings. This could lead to local denial of service with no additional execution privileges needed. User interaction is needed for exploitation. 2024-02-16 not yet calculated CVE-2024-0019
security@android.com
security@android.com
google — android In onActivityResult of NotificationSoundPreference.java, there is a possible way to hear audio files belonging to a different user due to a confused deputy. This could lead to local information disclosure across users of a device with no additional execution privileges needed. User interaction is not needed for exploitation. 2024-02-16 not yet calculated CVE-2024-0020
security@android.com
security@android.com
google — android In onCreate of NotificationAccessConfirmationActivity.java, there is a possible way for an app in the work profile to enable notification listener services due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. 2024-02-16 not yet calculated CVE-2024-0021
security@android.com
security@android.com
google — android In ConvertRGBToPlanarYUV of Codec2BufferUtils.cpp, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. 2024-02-16 not yet calculated CVE-2024-0023
security@android.com
security@android.com
google — android In multiple files, there is a possible way to capture the device screen when disallowed by device policy due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. 2024-02-16 not yet calculated CVE-2024-0029
security@android.com
security@android.com
google — android In btif_to_bta_response of btif_gatt_util.cc, there is a possible out of bounds read due to an incorrect bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. 2024-02-16 not yet calculated CVE-2024-0030
security@android.com
security@android.com
google — android In attp_build_read_by_type_value_cmd of att_protocol.cc , there is a possible out of bounds write due to improper input validation. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. 2024-02-16 not yet calculated CVE-2024-0031
security@android.com
security@android.com
google — android In queryChildDocuments of FileSystemProvider.java, there is a possible way to request access to directories that should be hidden due to improper input validation. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation. 2024-02-16 not yet calculated CVE-2024-0032
security@android.com
security@android.com
security@android.com
google — android In multiple functions of ashmem-dev.cpp, there is a possible missing seal due to a heap buffer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. 2024-02-16 not yet calculated CVE-2024-0033
security@android.com
security@android.com
security@android.com
google — android In BackgroundLaunchProcessController, there is a possible way to launch arbitrary activity from the background due to BAL Bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. 2024-02-16 not yet calculated CVE-2024-0034
security@android.com
security@android.com
google — android In onNullBinding of TileLifecycleManager.java, there is a possible way to launch an activity from the background due to a missing null check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. 2024-02-16 not yet calculated CVE-2024-0035
security@android.com
security@android.com
google — android In startNextMatchingActivity of ActivityTaskManagerService.java, there is a possible way to bypass the restrictions on starting activities from the background due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. 2024-02-16 not yet calculated CVE-2024-0036
security@android.com
security@android.com
google — android In applyCustomDescription of SaveUi.java, there is a possible way to view images belonging to a different user due to a missing permission check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation. 2024-02-16 not yet calculated CVE-2024-0037
security@android.com
security@android.com
google — android In injectInputEventToInputFilter of AccessibilityManagerService.java, there is a possible arbitrary input event injection due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. 2024-02-16 not yet calculated CVE-2024-0038
security@android.com
security@android.com
google — android In setParameter of MtpPacket.cpp, there is a possible out of bounds read due to a heap buffer overflow. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. 2024-02-16 not yet calculated CVE-2024-0040
security@android.com
security@android.com
google — android In removePersistentDot of SystemStatusAnimationSchedulerImpl.kt, there is a possible race condition due to a logic error in the code. This could lead to local escalation of privilege that fails to remove the persistent dot with no additional execution privileges needed. User interaction is not needed for exploitation. 2024-02-16 not yet calculated CVE-2024-0041
security@android.com
security@android.com
google — chrome Out of bounds memory access in Blink in Google Chrome prior to 122.0.6261.57 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High) 2024-02-21 not yet calculated CVE-2024-1669
chrome-cve-admin@google.com
chrome-cve-admin@google.com
chrome-cve-admin@google.com
google — chrome Use after free in Mojo in Google Chrome prior to 122.0.6261.57 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) 2024-02-21 not yet calculated CVE-2024-1670
chrome-cve-admin@google.com
chrome-cve-admin@google.com
chrome-cve-admin@google.com
google — chrome Inappropriate implementation in Site Isolation in Google Chrome prior to 122.0.6261.57 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Medium) 2024-02-21 not yet calculated CVE-2024-1671
chrome-cve-admin@google.com
chrome-cve-admin@google.com
chrome-cve-admin@google.com
google — chrome Inappropriate implementation in Content Security Policy in Google Chrome prior to 122.0.6261.57 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Medium) 2024-02-21 not yet calculated CVE-2024-1672
chrome-cve-admin@google.com
chrome-cve-admin@google.com
chrome-cve-admin@google.com
google — chrome Use after free in Accessibility in Google Chrome prior to 122.0.6261.57 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via specific UI gestures. (Chromium security severity: Medium) 2024-02-21 not yet calculated CVE-2024-1673
chrome-cve-admin@google.com
chrome-cve-admin@google.com
chrome-cve-admin@google.com
google — chrome Inappropriate implementation in Navigation in Google Chrome prior to 122.0.6261.57 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium) 2024-02-21 not yet calculated CVE-2024-1674
chrome-cve-admin@google.com
chrome-cve-admin@google.com
chrome-cve-admin@google.com
google — chrome Insufficient policy enforcement in Download in Google Chrome prior to 122.0.6261.57 allowed a remote attacker to bypass filesystem restrictions via a crafted HTML page. (Chromium security severity: Medium) 2024-02-21 not yet calculated CVE-2024-1675
chrome-cve-admin@google.com
chrome-cve-admin@google.com
chrome-cve-admin@google.com
google — chrome Inappropriate implementation in Navigation in Google Chrome prior to 122.0.6261.57 allowed a remote attacker to spoof security UI via a crafted HTML page. (Chromium security severity: Low) 2024-02-21 not yet calculated CVE-2024-1676
chrome-cve-admin@google.com
chrome-cve-admin@google.com
chrome-cve-admin@google.com
greenwoodsoftware — less close_altfile in filename.c in less before 606 omits shell_quote calls for LESSCLOSE. 2024-02-19 not yet calculated CVE-2022-48624
cve@mitre.org
cve@mitre.org
cve@mitre.org
hackmd — codimd HackMD CodiMD <2.5.2 is vulnerable to Denial of Service. 2024-02-21 not yet calculated CVE-2024-22778
cve@mitre.org
hazelcast — hazelcast_platform In Hazelcast Platform through 5.3.4, a security issue exists within the SQL mapping for the CSV File Source connector. This issue arises from inadequate permission checking, which could enable unauthorized clients to access data from files stored on a member’s filesystem. 2024-02-16 not yet calculated CVE-2023-45860
cve@mitre.org
cve@mitre.org
hitron — coda Hitron CODA-4582 and CODA-4589 devices have default PSKs that are generated from 5-digit hex values concatenated with a “Hitron” substring, resulting in insufficient entropy (only about one million possibilities). 2024-02-23 not yet calculated CVE-2024-25730
cve@mitre.org
cve@mitre.org
cve@mitre.org
cve@mitre.org
cve@mitre.org
cve@mitre.org
cve@mitre.org
hp_inc. — certain_hp_enterprise_laserjet,_hp_laserjet_managed_printers Certain HP Enterprise LaserJet, and HP LaserJet Managed Printers are potentially vulnerable to information disclosure, when connections made by the device back to services enabled by some solutions may have been trusted without the appropriate CA certificate in the device’s certificate store. 2024-02-21 not yet calculated CVE-2024-0407
hp-security-alert@hp.com
hp_inc. — certain_laserjet_pro,_hp_enterprise_laserjet,_hp_laserjet_managed_printers Certain HP LaserJet Pro, HP Enterprise LaserJet, and HP LaserJet Managed Printers are potentially vulnerable to Remote Code Execution due to buffer overflow when rendering fonts embedded in a PDF file. 2024-02-20 not yet calculated CVE-2024-0794
hp-security-alert@hp.com
huawei — harmonyos Vulnerability of serialization/deserialization mismatch in the vibration framework.Successful exploitation of this vulnerability may affect availability. 2024-02-18 not yet calculated CVE-2023-52357
psirt@huawei.com
psirt@huawei.com
huawei — harmonyos Vulnerability of missing authentication for critical functions in the Wi-Fi module.Successful exploitation of this vulnerability may affect service confidentiality. 2024-02-18 not yet calculated CVE-2022-48621
psirt@huawei.com
psirt@huawei.com
huawei — harmonyos Vulnerability of foreground service restrictions being bypassed in the NMS module.Successful exploitation of this vulnerability may affect service confidentiality. 2024-02-18 not yet calculated CVE-2023-52097
psirt@huawei.com
psirt@huawei.com
huawei — harmonyos Vulnerability of configuration defects in some APIs of the audio module.Successful exploitation of this vulnerability may affect availability. 2024-02-18 not yet calculated CVE-2023-52358
psirt@huawei.com
psirt@huawei.com
huawei — harmonyos Logic vulnerabilities in the baseband.Successful exploitation of this vulnerability may affect service integrity. 2024-02-18 not yet calculated CVE-2023-52360
psirt@huawei.com
psirt@huawei.com
huawei — harmonyos The VerifiedBoot module has a vulnerability that may cause authentication errors.Successful exploitation of this vulnerability may affect integrity. 2024-02-18 not yet calculated CVE-2023-52361
psirt@huawei.com
psirt@huawei.com
huawei — harmonyos Permission management vulnerability in the lock screen module.Successful exploitation of this vulnerability may affect availability. 2024-02-18 not yet calculated CVE-2023-52362
psirt@huawei.com
psirt@huawei.com
huawei — harmonyos Vulnerability of defects introduced in the design process in the Control Panel module.Successful exploitation of this vulnerability may cause app processes to be started by mistake. 2024-02-18 not yet calculated CVE-2023-52363
psirt@huawei.com
psirt@huawei.com
huawei — harmonyos Out-of-bounds read vulnerability in the smart activity recognition module.Successful exploitation of this vulnerability may cause features to perform abnormally. 2024-02-18 not yet calculated CVE-2023-52365
psirt@huawei.com
psirt@huawei.com
huawei — harmonyos Out-of-bounds read vulnerability in the smart activity recognition module.Successful exploitation of this vulnerability may cause features to perform abnormally. 2024-02-18 not yet calculated CVE-2023-52366
psirt@huawei.com
psirt@huawei.com
huawei — harmonyos Vulnerability of improper access control in the media library module.Successful exploitation of this vulnerability may affect service availability and integrity. 2024-02-18 not yet calculated CVE-2023-52367
psirt@huawei.com
psirt@huawei.com
huawei — harmonyos Input verification vulnerability in the account module.Successful exploitation of this vulnerability may cause features to perform abnormally. 2024-02-18 not yet calculated CVE-2023-52368
psirt@huawei.com
psirt@huawei.com
huawei — harmonyos Stack overflow vulnerability in the NFC module.Successful exploitation of this vulnerability may affect service availability and integrity. 2024-02-18 not yet calculated CVE-2023-52369
psirt@huawei.com
psirt@huawei.com
huawei — harmonyos Stack overflow vulnerability in the network acceleration module.Successful exploitation of this vulnerability may cause unauthorized file access. 2024-02-18 not yet calculated CVE-2023-52370
psirt@huawei.com
psirt@huawei.com
huawei — harmonyos Vulnerability of null references in the motor module.Successful exploitation of this vulnerability may affect availability. 2024-02-18 not yet calculated CVE-2023-52371
psirt@huawei.com
psirt@huawei.com
huawei — harmonyos Vulnerability of input parameter verification in the motor module.Successful exploitation of this vulnerability may affect availability. 2024-02-18 not yet calculated CVE-2023-52372
psirt@huawei.com
psirt@huawei.com
huawei — harmonyos Vulnerability of permission verification in the content sharing pop-up module.Successful exploitation of this vulnerability may cause unauthorized file sharing. 2024-02-18 not yet calculated CVE-2023-52373
psirt@huawei.com
psirt@huawei.com
huawei — harmonyos Permission control vulnerability in the package management module.Successful exploitation of this vulnerability may affect service confidentiality. 2024-02-18 not yet calculated CVE-2023-52374
psirt@huawei.com
psirt@huawei.com
huawei — harmonyos Permission control vulnerability in the WindowManagerServices module.Successful exploitation of this vulnerability may affect availability. 2024-02-18 not yet calculated CVE-2023-52375
psirt@huawei.com
psirt@huawei.com
huawei — harmonyos Information management vulnerability in the Gallery module.Successful exploitation of this vulnerability may affect service confidentiality. 2024-02-18 not yet calculated CVE-2023-52376
psirt@huawei.com
psirt@huawei.com
huawei — harmonyos Vulnerability of input data not being verified in the cellular data module.Successful exploitation of this vulnerability may cause out-of-bounds access. 2024-02-18 not yet calculated CVE-2023-52377
psirt@huawei.com
psirt@huawei.com
huawei — harmonyos Vulnerability of incorrect service logic in the WindowManagerServices module.Successful exploitation of this vulnerability may cause features to perform abnormally. 2024-02-18 not yet calculated CVE-2023-52378
psirt@huawei.com
psirt@huawei.com
huawei — harmonyos Permission control vulnerability in the calendarProvider module.Successful exploitation of this vulnerability may affect service confidentiality. 2024-02-18 not yet calculated CVE-2023-52379
psirt@huawei.com
psirt@huawei.com
huawei — harmonyos Vulnerability of improper access control in the email module.Successful exploitation of this vulnerability may affect service confidentiality. 2024-02-18 not yet calculated CVE-2023-52380
psirt@huawei.com
psirt@huawei.com
huawei — harmonyos Script injection vulnerability in the email module.Successful exploitation of this vulnerability may affect service confidentiality, integrity, and availability. 2024-02-18 not yet calculated CVE-2023-52381
psirt@huawei.com
psirt@huawei.com
huawei — harmonyos Resource reuse vulnerability in the GPU module. Successful exploitation of this vulnerability may affect service confidentiality. 2024-02-18 not yet calculated CVE-2023-52387
psirt@huawei.com
psirt@huawei.com
idocview — idocv An issue in idocv v.14.1.3_20231228 allows a remote attacker to execute arbitrary code and obtain sensitive information via a crafted script. 2024-02-16 not yet calculated CVE-2024-24377
cve@mitre.org
ietf — quic In QUIC in RFC 9000, the Latency Spin Bit specification (section 17.4) does not strictly constrain the bit value when the feature is disabled, which might allow remote attackers to construct a covert channel with data represented as changes to the bit value. NOTE: The “Sheridan, S., Keane, A. (2015). In Proceedings of the 14th European Conference on Cyber Warfare and Security (ECCWS), University of Hertfordshire, Hatfield, UK.” paper says “Modern Internet communication protocols provide an almost infinite number of ways in which data can be hidden or embed whithin seemingly normal network traffic.” 2024-02-21 not yet calculated CVE-2023-50923
cve@mitre.org
cve@mitre.org
cve@mitre.org
intel — inet _wireless_daemon The Access Point functionality in eapol_auth_key_handle in eapol.c in iNet wireless daemon (IWD) before 2.14 allows attackers to gain unauthorized access to a protected Wi-Fi network. An attacker can complete the EAPOL handshake by skipping Msg2/4 and instead sending Msg4/4 with an all-zero key. 2024-02-22 not yet calculated CVE-2023-52161
cve@mitre.org
cve@mitre.org
cve@mitre.org
jouni_malinen — wpa_supplicant The implementation of PEAP in wpa_supplicant through 2.10 allows authentication bypass. For a successful attack, wpa_supplicant must be configured to not verify the network’s TLS certificate during Phase 1 authentication, and an eap_peap_decrypt vulnerability can then be abused to skip Phase 2 authentication. The attack vector is sending an EAP-TLV Success packet instead of starting Phase 2. This allows an adversary to impersonate Enterprise Wi-Fi networks. 2024-02-22 not yet calculated CVE-2023-52160
cve@mitre.org
cve@mitre.org
kirby_cms — kirby_cms Kirby CMS v4.1.0 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the URL parameter. 2024-02-22 not yet calculated CVE-2024-26481
cve@mitre.org
kirby_cms — kirby_cms An HTML injection vulnerability in the Edit Content Layout module of Kirby CMS v4.1.0 allows attackers to execute arbitrary code via a crafted payload. 2024-02-22 not yet calculated CVE-2024-26482
cve@mitre.org
kirby_cms — kirby_cms An arbitrary file upload vulnerability in the Profile Image module of Kirby CMS v4.1.0 allows attackers to execute arbitrary code via a crafted PDF file. 2024-02-22 not yet calculated CVE-2024-26483
cve@mitre.org
kirby_cms — kirby_cms A stored cross-site scripting (XSS) vulnerability in the Edit Content Layout module of Kirby CMS v4.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Link field. 2024-02-22 not yet calculated CVE-2024-26484
cve@mitre.org
liferay — liferay_portal,liferay_dxp Liferay Portal 7.2.0 through 7.3.5, and older unsupported versions, and Liferay DXP 7.3 before fix pack 1, 7.2 before fix pack 17, and older unsupported versions does not obfuscate password reminder answers on the page, which allows attackers to use man-in-the-middle or shoulder surfing attacks to steal user’s password reminder answers. 2024-02-20 not yet calculated CVE-2021-29038
cve@mitre.org
liferay — liferay_portal,liferay_dxp Cross-Site Request Forgery (CSRF) vulnerability in the terms of use page in Liferay Portal before 7.3.6, and Liferay DXP 7.3 before service pack 1, 7.2 before fix pack 11 allows remote attackers to accept the site’s terms of use via social engineering and enticing the user to visit a malicious page. 2024-02-20 not yet calculated CVE-2021-29050
cve@mitre.org
liferay — liferay_portal,liferay_dxp Liferay Portal before 7.4.3.16 and Liferay DXP before 7.2 fix pack 19, 7.3 before update 6, and 7.4 before update 16 allow remote authenticated users to become the owner of a wiki page by editing the wiki page. 2024-02-20 not yet calculated CVE-2022-45320
cve@mitre.org
linux — linux In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_rbtree: skip sync GC for new elements in this transaction New elements in this transaction might expired before such transaction ends. Skip sync GC for such elements otherwise commit path might walk over an already released object. Once transaction is finished, async GC will collect such expired element. 2024-02-20 not yet calculated CVE-2023-52433
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential OOBs in smb2_parse_contexts() Validate offsets and lengths before dereferencing create contexts in smb2_parse_contexts(). This fixes following oops when accessing invalid create contexts from server: BUG: unable to handle page fault for address: ffff8881178d8cc3 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) – not-present page PGD 4a01067 P4D 4a01067 PUD 0 Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 3 PID: 1736 Comm: mount.cifs Not tainted 6.7.0-rc4 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014 RIP: 0010:smb2_parse_contexts+0xa0/0x3a0 [cifs] Code: f8 10 75 13 48 b8 93 ad 25 50 9c b4 11 e7 49 39 06 0f 84 d2 00 00 00 8b 45 00 85 c0 74 61 41 29 c5 48 01 c5 41 83 fd 0f 76 55 <0f> b7 7d 04 0f b7 45 06 4c 8d 74 3d 00 66 83 f8 04 75 bc ba 04 00 RSP: 0018:ffffc900007939e0 EFLAGS: 00010216 RAX: ffffc90000793c78 RBX: ffff8880180cc000 RCX: ffffc90000793c90 RDX: ffffc90000793cc0 RSI: ffff8880178d8cc0 RDI: ffff8880180cc000 RBP: ffff8881178d8cbf R08: ffffc90000793c22 R09: 0000000000000000 R10: ffff8880180cc000 R11: 0000000000000024 R12: 0000000000000000 R13: 0000000000000020 R14: 0000000000000000 R15: ffffc90000793c22 FS: 00007f873753cbc0(0000) GS:ffff88806bc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffff8881178d8cc3 CR3: 00000000181ca000 CR4: 0000000000750ef0 PKRU: 55555554 Call Trace: <TASK> ? __die+0x23/0x70 ? page_fault_oops+0x181/0x480 ? search_module_extables+0x19/0x60 ? srso_alias_return_thunk+0x5/0xfbef5 ? exc_page_fault+0x1b6/0x1c0 ? asm_exc_page_fault+0x26/0x30 ? smb2_parse_contexts+0xa0/0x3a0 [cifs] SMB2_open+0x38d/0x5f0 [cifs] ? smb2_is_path_accessible+0x138/0x260 [cifs] smb2_is_path_accessible+0x138/0x260 [cifs] cifs_is_path_remote+0x8d/0x230 [cifs] cifs_mount+0x7e/0x350 [cifs] cifs_smb3_do_mount+0x128/0x780 [cifs] smb3_get_tree+0xd9/0x290 [cifs] vfs_get_tree+0x2c/0x100 ? capable+0x37/0x70 path_mount+0x2d7/0xb80 ? srso_alias_return_thunk+0x5/0xfbef5 ? _raw_spin_unlock_irqrestore+0x44/0x60 __x64_sys_mount+0x11a/0x150 do_syscall_64+0x47/0xf0 entry_SYSCALL_64_after_hwframe+0x6f/0x77 RIP: 0033:0x7f8737657b1e 2024-02-20 not yet calculated CVE-2023-52434
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux In the Linux kernel, the following vulnerability has been resolved: net: prevent mss overflow in skb_segment() Once again syzbot is able to crash the kernel in skb_segment() [1] GSO_BY_FRAGS is a forbidden value, but unfortunately the following computation in skb_segment() can reach it quite easily : mss = mss * partial_segs; 65535 = 3 * 5 * 17 * 257, so many initial values of mss can lead to a bad final result. Make sure to limit segmentation so that the new mss value is smaller than GSO_BY_FRAGS. [1] general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077] CPU: 1 PID: 5079 Comm: syz-executor993 Not tainted 6.7.0-rc4-syzkaller-00141-g1ae4cd3cbdd0 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023 RIP: 0010:skb_segment+0x181d/0x3f30 net/core/skbuff.c:4551 Code: 83 e3 02 e9 fb ed ff ff e8 90 68 1c f9 48 8b 84 24 f8 00 00 00 48 8d 78 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 8a 21 00 00 48 8b 84 24 f8 00 RSP: 0018:ffffc900043473d0 EFLAGS: 00010202 RAX: dffffc0000000000 RBX: 0000000000010046 RCX: ffffffff886b1597 RDX: 000000000000000e RSI: ffffffff886b2520 RDI: 0000000000000070 RBP: ffffc90004347578 R08: 0000000000000005 R09: 000000000000ffff R10: 000000000000ffff R11: 0000000000000002 R12: ffff888063202ac0 R13: 0000000000010000 R14: 000000000000ffff R15: 0000000000000046 FS: 0000555556e7e380(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020010000 CR3: 0000000027ee2000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> udp6_ufo_fragment+0xa0e/0xd00 net/ipv6/udp_offload.c:109 ipv6_gso_segment+0x534/0x17e0 net/ipv6/ip6_offload.c:120 skb_mac_gso_segment+0x290/0x610 net/core/gso.c:53 __skb_gso_segment+0x339/0x710 net/core/gso.c:124 skb_gso_segment include/net/gso.h:83 [inline] validate_xmit_skb+0x36c/0xeb0 net/core/dev.c:3626 __dev_queue_xmit+0x6f3/0x3d60 net/core/dev.c:4338 dev_queue_xmit include/linux/netdevice.h:3134 [inline] packet_xmit+0x257/0x380 net/packet/af_packet.c:276 packet_snd net/packet/af_packet.c:3087 [inline] packet_sendmsg+0x24c6/0x5220 net/packet/af_packet.c:3119 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0xd5/0x180 net/socket.c:745 __sys_sendto+0x255/0x340 net/socket.c:2190 __do_sys_sendto net/socket.c:2202 [inline] __se_sys_sendto net/socket.c:2198 [inline] __x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b RIP: 0033:0x7f8692032aa9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 d1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fff8d685418 EFLAGS: 00000246 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f8692032aa9 RDX: 0000000000010048 RSI: 00000000200000c0 RDI: 0000000000000003 RBP: 00000000000f4240 R08: 0000000020000540 R09: 0000000000000014 R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff8d685480 R13: 0000000000000001 R14: 00007fff8d685480 R15: 0000000000000003 </TASK> Modules linked in: —[ end trace 0000000000000000 ]— RIP: 0010:skb_segment+0x181d/0x3f30 net/core/skbuff.c:4551 Code: 83 e3 02 e9 fb ed ff ff e8 90 68 1c f9 48 8b 84 24 f8 00 00 00 48 8d 78 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 8a 21 00 00 48 8b 84 24 f8 00 RSP: 0018:ffffc900043473d0 EFLAGS: 00010202 RAX: dffffc0000000000 RBX: 0000000000010046 RCX: ffffffff886b1597 RDX: 000000000000000e RSI: ffffffff886b2520 RDI: 0000000000000070 RBP: ffffc90004347578 R0 —truncated— 2024-02-20 not yet calculated CVE-2023-52435
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux In the Linux kernel, the following vulnerability has been resolved: f2fs: explicitly null-terminate the xattr list When setting an xattr, explicitly null-terminate the xattr list. This eliminates the fragile assumption that the unused xattr space is always zeroed. 2024-02-20 not yet calculated CVE-2023-52436
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux In the Linux kernel, the following vulnerability has been resolved: binder: fix use-after-free in shinker’s callback The mmap read lock is used during the shrinker’s callback, which means that using alloc->vma pointer isn’t safe as it can race with munmap(). As of commit dd2283f2605e (“mm: mmap: zap pages with read mmap_sem in munmap”) the mmap lock is downgraded after the vma has been isolated. I was able to reproduce this issue by manually adding some delays and triggering page reclaiming through the shrinker’s debug sysfs. The following KASAN report confirms the UAF: ================================================================== BUG: KASAN: slab-use-after-free in zap_page_range_single+0x470/0x4b8 Read of size 8 at addr ffff356ed50e50f0 by task bash/478 CPU: 1 PID: 478 Comm: bash Not tainted 6.6.0-rc5-00055-g1c8b86a3799f-dirty #70 Hardware name: linux,dummy-virt (DT) Call trace: zap_page_range_single+0x470/0x4b8 binder_alloc_free_page+0x608/0xadc __list_lru_walk_one+0x130/0x3b0 list_lru_walk_node+0xc4/0x22c binder_shrink_scan+0x108/0x1dc shrinker_debugfs_scan_write+0x2b4/0x500 full_proxy_write+0xd4/0x140 vfs_write+0x1ac/0x758 ksys_write+0xf0/0x1dc __arm64_sys_write+0x6c/0x9c Allocated by task 492: kmem_cache_alloc+0x130/0x368 vm_area_alloc+0x2c/0x190 mmap_region+0x258/0x18bc do_mmap+0x694/0xa60 vm_mmap_pgoff+0x170/0x29c ksys_mmap_pgoff+0x290/0x3a0 __arm64_sys_mmap+0xcc/0x144 Freed by task 491: kmem_cache_free+0x17c/0x3c8 vm_area_free_rcu_cb+0x74/0x98 rcu_core+0xa38/0x26d4 rcu_core_si+0x10/0x1c __do_softirq+0x2fc/0xd24 Last potentially related work creation: __call_rcu_common.constprop.0+0x6c/0xba0 call_rcu+0x10/0x1c vm_area_free+0x18/0x24 remove_vma+0xe4/0x118 do_vmi_align_munmap.isra.0+0x718/0xb5c do_vmi_munmap+0xdc/0x1fc __vm_munmap+0x10c/0x278 __arm64_sys_munmap+0x58/0x7c Fix this issue by performing instead a vma_lookup() which will fail to find the vma that was isolated before the mmap lock downgrade. Note that this option has better performance than upgrading to a mmap write lock which would increase contention. Plus, mmap_write_trylock() has been recently removed anyway. 2024-02-20 not yet calculated CVE-2023-52438
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux In the Linux kernel, the following vulnerability has been resolved: uio: Fix use-after-free in uio_open core-1 core-2 ——————————————————- uio_unregister_device uio_open idev = idr_find() device_unregister(&idev->dev) put_device(&idev->dev) uio_device_release get_device(&idev->dev) kfree(idev) uio_free_minor(minor) uio_release put_device(&idev->dev) kfree(idev) ——————————————————- In the core-1 uio_unregister_device(), the device_unregister will kfree idev when the idev->dev kobject ref is 1. But after core-1 device_unregister, put_device and before doing kfree, the core-2 may get_device. Then: 1. After core-1 kfree idev, the core-2 will do use-after-free for idev. 2. When core-2 do uio_release and put_device, the idev will be double freed. To address this issue, we can get idev atomic & inc idev reference with minor_lock. 2024-02-20 not yet calculated CVE-2023-52439
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix slub overflow in ksmbd_decode_ntlmssp_auth_blob() If authblob->SessionKey.Length is bigger than session key size(CIFS_KEY_SIZE), slub overflow can happen in key exchange codes. cifs_arc4_crypt copy to session key array from SessionKey from client. 2024-02-21 not yet calculated CVE-2023-52440
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix out of bounds in init_smb2_rsp_hdr() If client send smb2 negotiate request and then send smb1 negotiate request, init_smb2_rsp_hdr is called for smb1 negotiate request since need_neg is set to false. This patch ignore smb1 packets after ->need_neg is set to false. 2024-02-21 not yet calculated CVE-2023-52441
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux In the Linux kernel, the following vulnerability has been resolved: ksmbd: validate session id and tree id in compound request `smb2_get_msg()` in smb2_get_ksmbd_tcon() and smb2_check_user_session() will always return the first request smb2 header in a compound request. if `SMB2_TREE_CONNECT_HE` is the first command in compound request, will return 0, i.e. The tree id check is skipped. This patch use ksmbd_req_buf_next() to get current command in compound. 2024-02-21 not yet calculated CVE-2023-52442
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux In the Linux kernel, the following vulnerability has been resolved: apparmor: avoid crash when parsed profile name is empty When processing a packed profile in unpack_profile() described like “profile :ns::samba-dcerpcd /usr/lib*/samba/{,samba/}samba-dcerpcd {…}” a string “:samba-dcerpcd” is unpacked as a fully-qualified name and then passed to aa_splitn_fqname(). aa_splitn_fqname() treats “:samba-dcerpcd” as only containing a namespace. Thus it returns NULL for tmpname, meanwhile tmpns is non-NULL. Later aa_alloc_profile() crashes as the new profile name is NULL now. general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 6 PID: 1657 Comm: apparmor_parser Not tainted 6.7.0-rc2-dirty #16 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014 RIP: 0010:strlen+0x1e/0xa0 Call Trace: <TASK> ? strlen+0x1e/0xa0 aa_policy_init+0x1bb/0x230 aa_alloc_profile+0xb1/0x480 unpack_profile+0x3bc/0x4960 aa_unpack+0x309/0x15e0 aa_replace_profiles+0x213/0x33c0 policy_update+0x261/0x370 profile_replace+0x20e/0x2a0 vfs_write+0x2af/0xe00 ksys_write+0x126/0x250 do_syscall_64+0x46/0xf0 entry_SYSCALL_64_after_hwframe+0x6e/0x76 </TASK> —[ end trace 0000000000000000 ]— RIP: 0010:strlen+0x1e/0xa0 It seems such behaviour of aa_splitn_fqname() is expected and checked in other places where it is called (e.g. aa_remove_profiles). Well, there is an explicit comment “a ns name without a following profile is allowed” inside. AFAICS, nothing can prevent unpacked “name” to be in form like “:samba-dcerpcd” – it is passed from userspace. Deny the whole profile set replacement in such case and inform user with EPROTO and an explaining message. Found by Linux Verification Center (linuxtesting.org). 2024-02-22 not yet calculated CVE-2023-52443
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid dirent corruption As Al reported in link[1]: f2fs_rename() … if (old_dir != new_dir && !whiteout) f2fs_set_link(old_inode, old_dir_entry, old_dir_page, new_dir); else f2fs_put_page(old_dir_page, 0); You want correct inumber in the “..” link. And cross-directory rename does move the source to new parent, even if you’d been asked to leave a whiteout in the old place. [1] https://lore.kernel.org/all/20231017055040.GN800259@ZenIV/ With below testcase, it may cause dirent corruption, due to it missed to call f2fs_set_link() to update “..” link to new directory. – mkdir -p dir/foo – renameat2 -w dir/foo bar [ASSERT] (__chk_dots_dentries:1421) –> Bad inode number[0x4] for ‘..’, parent parent ino is [0x3] [FSCK] other corrupted bugs [Fail] 2024-02-22 not yet calculated CVE-2023-52444
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux In the Linux kernel, the following vulnerability has been resolved: media: pvrusb2: fix use after free on context disconnection Upon module load, a kthread is created targeting the pvr2_context_thread_func function, which may call pvr2_context_destroy and thus call kfree() on the context object. However, that might happen before the usb hub_event handler is able to notify the driver. This patch adds a sanity check before the invalid read reported by syzbot, within the context disconnection call stack. 2024-02-22 not yet calculated CVE-2023-52445
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux In the Linux kernel, the following vulnerability has been resolved: bpf: Defer the free of inner map when necessary When updating or deleting an inner map in map array or map htab, the map may still be accessed by non-sleepable program or sleepable program. However bpf_map_fd_put_ptr() decreases the ref-counter of the inner map directly through bpf_map_put(), if the ref-counter is the last one (which is true for most cases), the inner map will be freed by ops->map_free() in a kworker. But for now, most .map_free() callbacks don’t use synchronize_rcu() or its variants to wait for the elapse of a RCU grace period, so after the invocation of ops->map_free completes, the bpf program which is accessing the inner map may incur use-after-free problem. Fix the free of inner map by invoking bpf_map_free_deferred() after both one RCU grace period and one tasks trace RCU grace period if the inner map has been removed from the outer map before. The deferment is accomplished by using call_rcu() or call_rcu_tasks_trace() when releasing the last ref-counter of bpf map. The newly-added rcu_head field in bpf_map shares the same storage space with work field to reduce the size of bpf_map. 2024-02-22 not yet calculated CVE-2023-52447
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix kernel NULL pointer dereference in gfs2_rgrp_dump Syzkaller has reported a NULL pointer dereference when accessing rgd->rd_rgl in gfs2_rgrp_dump(). This can happen when creating rgd->rd_gl fails in read_rindex_entry(). Add a NULL pointer check in gfs2_rgrp_dump() to prevent that. 2024-02-22 not yet calculated CVE-2023-52448
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux In the Linux kernel, the following vulnerability has been resolved: mtd: Fix gluebi NULL pointer dereference caused by ftl notifier If both ftl.ko and gluebi.ko are loaded, the notifier of ftl triggers NULL pointer dereference when trying to access ‘gluebi->desc’ in gluebi_read(). ubi_gluebi_init ubi_register_volume_notifier ubi_enumerate_volumes ubi_notify_all gluebi_notify nb->notifier_call() gluebi_create mtd_device_register mtd_device_parse_register add_mtd_device blktrans_notify_add not->add() ftl_add_mtd tr->add_mtd() scan_header mtd_read mtd_read_oob mtd_read_oob_std gluebi_read mtd->read() gluebi->desc – NULL Detailed reproduction information available at the Link [1], In the normal case, obtain gluebi->desc in the gluebi_get_device(), and access gluebi->desc in the gluebi_read(). However, gluebi_get_device() is not executed in advance in the ftl_add_mtd() process, which leads to NULL pointer dereference. The solution for the gluebi module is to run jffs2 on the UBI volume without considering working with ftl or mtdblock [2]. Therefore, this problem can be avoided by preventing gluebi from creating the mtdblock device after creating mtd partition of the type MTD_UBIVOLUME. 2024-02-22 not yet calculated CVE-2023-52449
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux In the Linux kernel, the following vulnerability has been resolved: perf/x86/intel/uncore: Fix NULL pointer dereference issue in upi_fill_topology() Get logical socket id instead of physical id in discover_upi_topology() to avoid out-of-bound access on ‘upi = &type->topology[nid][idx];’ line that leads to NULL pointer dereference in upi_fill_topology() 2024-02-22 not yet calculated CVE-2023-52450
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux In the Linux kernel, the following vulnerability has been resolved: powerpc/pseries/memhp: Fix access beyond end of drmem array dlpar_memory_remove_by_index() may access beyond the bounds of the drmem lmb array when the LMB lookup fails to match an entry with the given DRC index. When the search fails, the cursor is left pointing to &drmem_info->lmbs[drmem_info->n_lmbs], which is one element past the last valid entry in the array. The debug message at the end of the function then dereferences this pointer: pr_debug(“Failed to hot-remove memory at %llxn”, lmb->base_addr); This was found by inspection and confirmed with KASAN: pseries-hotplug-mem: Attempting to hot-remove LMB, drc index 1234 ================================================================== BUG: KASAN: slab-out-of-bounds in dlpar_memory+0x298/0x1658 Read of size 8 at addr c000000364e97fd0 by task bash/949 dump_stack_lvl+0xa4/0xfc (unreliable) print_report+0x214/0x63c kasan_report+0x140/0x2e0 __asan_load8+0xa8/0xe0 dlpar_memory+0x298/0x1658 handle_dlpar_errorlog+0x130/0x1d0 dlpar_store+0x18c/0x3e0 kobj_attr_store+0x68/0xa0 sysfs_kf_write+0xc4/0x110 kernfs_fop_write_iter+0x26c/0x390 vfs_write+0x2d4/0x4e0 ksys_write+0xac/0x1a0 system_call_exception+0x268/0x530 system_call_vectored_common+0x15c/0x2ec Allocated by task 1: kasan_save_stack+0x48/0x80 kasan_set_track+0x34/0x50 kasan_save_alloc_info+0x34/0x50 __kasan_kmalloc+0xd0/0x120 __kmalloc+0x8c/0x320 kmalloc_array.constprop.0+0x48/0x5c drmem_init+0x2a0/0x41c do_one_initcall+0xe0/0x5c0 kernel_init_freeable+0x4ec/0x5a0 kernel_init+0x30/0x1e0 ret_from_kernel_user_thread+0x14/0x1c The buggy address belongs to the object at c000000364e80000 which belongs to the cache kmalloc-128k of size 131072 The buggy address is located 0 bytes to the right of allocated 98256-byte region [c000000364e80000, c000000364e97fd0) ================================================================== pseries-hotplug-mem: Failed to hot-remove memory at 0 Log failed lookups with a separate message and dereference the cursor only when it points to a valid entry. 2024-02-22 not yet calculated CVE-2023-52451
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux In the Linux kernel, the following vulnerability has been resolved: bpf: Fix accesses to uninit stack slots Privileged programs are supposed to be able to read uninitialized stack memory (ever since 6715df8d5) but, before this patch, these accesses were permitted inconsistently. In particular, accesses were permitted above state->allocated_stack, but not below it. In other words, if the stack was already “large enough”, the access was permitted, but otherwise the access was rejected instead of being allowed to “grow the stack”. This undesired rejection was happening in two places: – in check_stack_slot_within_bounds() – in check_stack_range_initialized() This patch arranges for these accesses to be permitted. A bunch of tests that were relying on the old rejection had to change; all of them were changed to add also run unprivileged, in which case the old behavior persists. One tests couldn’t be updated – global_func16 – because it can’t run unprivileged for other reasons. This patch also fixes the tracking of the stack size for variable-offset reads. This second fix is bundled in the same commit as the first one because they’re inter-related. Before this patch, writes to the stack using registers containing a variable offset (as opposed to registers with fixed, known values) were not properly contributing to the function’s needed stack size. As a result, it was possible for a program to verify, but then to attempt to read out-of-bounds data at runtime because a too small stack had been allocated for it. Each function tracks the size of the stack it needs in bpf_subprog_info.stack_depth, which is maintained by update_stack_depth(). For regular memory accesses, check_mem_access() was calling update_state_depth() but it was passing in only the fixed part of the offset register, ignoring the variable offset. This was incorrect; the minimum possible value of that register should be used instead. This tracking is now fixed by centralizing the tracking of stack size in grow_stack_state(), and by lifting the calls to grow_stack_state() to check_stack_access_within_bounds() as suggested by Andrii. The code is now simpler and more convincingly tracks the correct maximum stack size. check_stack_range_initialized() can now rely on enough stack having been allocated for the access; this helps with the fix for the first issue. A few tests were changed to also check the stack depth computation. The one that fails without this patch is verifier_var_off:stack_write_priv_vs_unpriv. 2024-02-22 not yet calculated CVE-2023-52452
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux In the Linux kernel, the following vulnerability has been resolved: hisi_acc_vfio_pci: Update migration data pointer correctly on saving/resume When the optional PRE_COPY support was added to speed up the device compatibility check, it failed to update the saving/resuming data pointers based on the fd offset. This results in migration data corruption and when the device gets started on the destination the following error is reported in some cases, [ 478.907684] arm-smmu-v3 arm-smmu-v3.2.auto: event 0x10 received: [ 478.913691] arm-smmu-v3 arm-smmu-v3.2.auto: 0x0000310200000010 [ 478.919603] arm-smmu-v3 arm-smmu-v3.2.auto: 0x000002088000007f [ 478.925515] arm-smmu-v3 arm-smmu-v3.2.auto: 0x0000000000000000 [ 478.931425] arm-smmu-v3 arm-smmu-v3.2.auto: 0x0000000000000000 [ 478.947552] hisi_zip 0000:31:00.0: qm_axi_rresp [error status=0x1] found [ 478.955930] hisi_zip 0000:31:00.0: qm_db_timeout [error status=0x400] found [ 478.955944] hisi_zip 0000:31:00.0: qm sq doorbell timeout in function 2 2024-02-23 not yet calculated CVE-2023-52453
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length If the host sends an H2CData command with an invalid DATAL, the kernel may crash in nvmet_tcp_build_pdu_iovec(). Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 lr : nvmet_tcp_io_work+0x6ac/0x718 [nvmet_tcp] Call trace: process_one_work+0x174/0x3c8 worker_thread+0x2d0/0x3e8 kthread+0x104/0x110 Fix the bug by raising a fatal error if DATAL isn’t coherent with the packet size. Also, the PDU length should never exceed the MAXH2CDATA parameter which has been communicated to the host in nvmet_tcp_handle_icreq(). 2024-02-23 not yet calculated CVE-2023-52454
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux In the Linux kernel, the following vulnerability has been resolved: iommu: Don’t reserve 0-length IOVA region When the bootloader/firmware doesn’t setup the framebuffers, their address and size are 0 in “iommu-addresses” property. If IOVA region is reserved with 0 length, then it ends up corrupting the IOVA rbtree with an entry which has pfn_hi < pfn_lo. If we intend to use display driver in kernel without framebuffer then it’s causing the display IOMMU mappings to fail as entire valid IOVA space is reserved when address and length are passed as 0. An ideal solution would be firmware removing the “iommu-addresses” property and corresponding “memory-region” if display is not present. But the kernel should be able to handle this by checking for size of IOVA region and skipping the IOVA reservation if size is 0. Also, add a warning if firmware is requesting 0-length IOVA region reservation. 2024-02-23 not yet calculated CVE-2023-52455
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux In the Linux kernel, the following vulnerability has been resolved: serial: imx: fix tx statemachine deadlock When using the serial port as RS485 port, the tx statemachine is used to control the RTS pin to drive the RS485 transceiver TX_EN pin. When the TTY port is closed in the middle of a transmission (for instance during userland application crash), imx_uart_shutdown disables the interface and disables the Transmission Complete interrupt. afer that, imx_uart_stop_tx bails on an incomplete transmission, to be retriggered by the TC interrupt. This interrupt is disabled and therefore the tx statemachine never transitions out of SEND. The statemachine is in deadlock now, and the TX_EN remains low, making the interface useless. imx_uart_stop_tx now checks for incomplete transmission AND whether TC interrupts are enabled before bailing to be retriggered. This makes sure the state machine handling is reached, and is properly set to WAIT_AFTER_SEND. 2024-02-23 not yet calculated CVE-2023-52456
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux In the Linux kernel, the following vulnerability has been resolved: serial: 8250: omap: Don’t skip resource freeing if pm_runtime_resume_and_get() failed Returning an error code from .remove() makes the driver core emit the little helpful error message: remove callback returned a non-zero value. This will be ignored. and then remove the device anyhow. So all resources that were not freed are leaked in this case. Skipping serial8250_unregister_port() has the potential to keep enough of the UART around to trigger a use-after-free. So replace the error return (and with it the little helpful error message) by a more useful error message and continue to cleanup. 2024-02-23 not yet calculated CVE-2023-52457
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux In the Linux kernel, the following vulnerability has been resolved: block: add check that partition length needs to be aligned with block size Before calling add partition or resize partition, there is no check on whether the length is aligned with the logical block size. If the logical block size of the disk is larger than 512 bytes, then the partition size maybe not the multiple of the logical block size, and when the last sector is read, bio_truncate() will adjust the bio size, resulting in an IO error if the size of the read command is smaller than the logical block size.If integrity data is supported, this will also result in a null pointer dereference when calling bio_integrity_free. 2024-02-23 not yet calculated CVE-2023-52458
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux In the Linux kernel, the following vulnerability has been resolved: media: v4l: async: Fix duplicated list deletion The list deletion call dropped here is already called from the helper function in the line before. Having a second list_del() call results in either a warning (with CONFIG_DEBUG_LIST=y): list_del corruption, c46c8198->next is LIST_POISON1 (00000100) If CONFIG_DEBUG_LIST is disabled the operation results in a kernel error due to NULL pointer dereference. 2024-02-23 not yet calculated CVE-2023-52459
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix NULL pointer dereference at hibernate During hibernate sequence the source context might not have a clk_mgr. So don’t use it to look for DML2 support. 2024-02-23 not yet calculated CVE-2023-52460
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux In the Linux kernel, the following vulnerability has been resolved: drm/sched: Fix bounds limiting when given a malformed entity If we’re given a malformed entity in drm_sched_entity_init()–shouldn’t happen, but we verify–with out-of-bounds priority value, we set it to an allowed value. Fix the expression which sets this limit. 2024-02-23 not yet calculated CVE-2023-52461
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux In the Linux kernel, the following vulnerability has been resolved: bpf: fix check for attempt to corrupt spilled pointer When register is spilled onto a stack as a 1/2/4-byte register, we set slot_type[BPF_REG_SIZE – 1] (plus potentially few more below it, depending on actual spill size). So to check if some stack slot has spilled register we need to consult slot_type[7], not slot_type[0]. To avoid the need to remember and double-check this in the future, just use is_spilled_reg() helper. 2024-02-23 not yet calculated CVE-2023-52462
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux In the Linux kernel, the following vulnerability has been resolved: efivarfs: force RO when remounting if SetVariable is not supported If SetVariable at runtime is not supported by the firmware we never assign a callback for that function. At the same time mount the efivarfs as RO so no one can call that. However, we never check the permission flags when someone remounts the filesystem as RW. As a result this leads to a crash looking like this: $ mount -o remount,rw /sys/firmware/efi/efivars $ efi-updatevar -f PK.auth PK [ 303.279166] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 [ 303.280482] Mem abort info: [ 303.280854] ESR = 0x0000000086000004 [ 303.281338] EC = 0x21: IABT (current EL), IL = 32 bits [ 303.282016] SET = 0, FnV = 0 [ 303.282414] EA = 0, S1PTW = 0 [ 303.282821] FSC = 0x04: level 0 translation fault [ 303.283771] user pgtable: 4k pages, 48-bit VAs, pgdp=000000004258c000 [ 303.284913] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000 [ 303.286076] Internal error: Oops: 0000000086000004 [#1] PREEMPT SMP [ 303.286936] Modules linked in: qrtr tpm_tis tpm_tis_core crct10dif_ce arm_smccc_trng rng_core drm fuse ip_tables x_tables ipv6 [ 303.288586] CPU: 1 PID: 755 Comm: efi-updatevar Not tainted 6.3.0-rc1-00108-gc7d0c4695c68 #1 [ 303.289748] Hardware name: Unknown Unknown Product/Unknown Product, BIOS 2023.04-00627-g88336918701d 04/01/2023 [ 303.291150] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=–) [ 303.292123] pc : 0x0 [ 303.292443] lr : efivar_set_variable_locked+0x74/0xec [ 303.293156] sp : ffff800008673c10 [ 303.293619] x29: ffff800008673c10 x28: ffff0000037e8000 x27: 0000000000000000 [ 303.294592] x26: 0000000000000800 x25: ffff000002467400 x24: 0000000000000027 [ 303.295572] x23: ffffd49ea9832000 x22: ffff0000020c9800 x21: ffff000002467000 [ 303.296566] x20: 0000000000000001 x19: 00000000000007fc x18: 0000000000000000 [ 303.297531] x17: 0000000000000000 x16: 0000000000000000 x15: 0000aaaac807ab54 [ 303.298495] x14: ed37489f673633c0 x13: 71c45c606de13f80 x12: 47464259e219acf4 [ 303.299453] x11: ffff000002af7b01 x10: 0000000000000003 x9 : 0000000000000002 [ 303.300431] x8 : 0000000000000010 x7 : ffffd49ea8973230 x6 : 0000000000a85201 [ 303.301412] x5 : 0000000000000000 x4 : ffff0000020c9800 x3 : 00000000000007fc [ 303.302370] x2 : 0000000000000027 x1 : ffff000002467400 x0 : ffff000002467000 [ 303.303341] Call trace: [ 303.303679] 0x0 [ 303.303938] efivar_entry_set_get_size+0x98/0x16c [ 303.304585] efivarfs_file_write+0xd0/0x1a4 [ 303.305148] vfs_write+0xc4/0x2e4 [ 303.305601] ksys_write+0x70/0x104 [ 303.306073] __arm64_sys_write+0x1c/0x28 [ 303.306622] invoke_syscall+0x48/0x114 [ 303.307156] el0_svc_common.constprop.0+0x44/0xec [ 303.307803] do_el0_svc+0x38/0x98 [ 303.308268] el0_svc+0x2c/0x84 [ 303.308702] el0t_64_sync_handler+0xf4/0x120 [ 303.309293] el0t_64_sync+0x190/0x194 [ 303.309794] Code: ???????? ???????? ???????? ???????? (????????) [ 303.310612] —[ end trace 0000000000000000 ]— Fix this by adding a .reconfigure() function to the fs operations which we can use to check the requested flags and deny anything that’s not RO if the firmware doesn’t implement SetVariable at runtime. 2024-02-23 not yet calculated CVE-2023-52463
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux In the Linux kernel, the following vulnerability has been resolved: EDAC/thunderx: Fix possible out-of-bounds string access Enabling -Wstringop-overflow globally exposes a warning for a common bug in the usage of strncat(): drivers/edac/thunderx_edac.c: In function ‘thunderx_ocx_com_threaded_isr’: drivers/edac/thunderx_edac.c:1136:17: error: ‘strncat’ specified bound 1024 equals destination size [-Werror=stringop-overflow=] 1136 | strncat(msg, other, OCX_MESSAGE_SIZE); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ … 1145 | strncat(msg, other, OCX_MESSAGE_SIZE); … 1150 | strncat(msg, other, OCX_MESSAGE_SIZE); … Apparently the author of this driver expected strncat() to behave the way that strlcat() does, which uses the size of the destination buffer as its third argument rather than the length of the source buffer. The result is that there is no check on the size of the allocated buffer. Change it to strlcat(). [ bp: Trim compiler output, fixup commit message. ] 2024-02-23 not yet calculated CVE-2023-52464
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_rbtree: skip end interval element from gc rbtree lazy gc on insert might collect an end interval element that has been just added in this transactions, skip end interval elements that are not yet active. 2024-02-20 not yet calculated CVE-2024-26581
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux In the Linux kernel, the following vulnerability has been resolved: net: tls: fix use-after-free with partial reads and async decrypt tls_decrypt_sg doesn’t take a reference on the pages from clear_skb, so the put_page() in tls_decrypt_done releases them, and we trigger a use-after-free in process_rx_list when we try to read from the partially-read skb. 2024-02-21 not yet calculated CVE-2024-26582
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux In the Linux kernel, the following vulnerability has been resolved: tls: fix race between async notify and socket close The submitting thread (one which called recvmsg/sendmsg) may exit as soon as the async crypto handler calls complete() so any code past that point risks touching already freed data. Try to avoid the locking and extra flags altogether. Have the main thread hold an extra reference, this way we can depend solely on the atomic ref counter for synchronization. Don’t futz with reiniting the completion, either, we are now tightly controlling when completion fires. 2024-02-21 not yet calculated CVE-2024-26583
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux In the Linux kernel, the following vulnerability has been resolved: net: tls: handle backlogging of crypto requests Since we’re setting the CRYPTO_TFM_REQ_MAY_BACKLOG flag on our requests to the crypto API, crypto_aead_{encrypt,decrypt} can return -EBUSY instead of -EINPROGRESS in valid situations. For example, when the cryptd queue for AESNI is full (easy to trigger with an artificially low cryptd.cryptd_max_cpu_qlen), requests will be enqueued to the backlog but still processed. In that case, the async callback will also be called twice: first with err == -EINPROGRESS, which it seems we can just ignore, then with err == 0. Compared to Sabrina’s original patch this version uses the new tls_*crypt_async_wait() helpers and converts the EBUSY to EINPROGRESS to avoid having to modify all the error handling paths. The handling is identical. 2024-02-21 not yet calculated CVE-2024-26584
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux In the Linux kernel, the following vulnerability has been resolved: tls: fix race between tx work scheduling and socket close Similarly to previous commit, the submitting thread (recvmsg/sendmsg) may exit as soon as the async crypto handler calls complete(). Reorder scheduling the work before calling complete(). This seems more logical in the first place, as it’s the inverse order of what the submitting thread will do. 2024-02-21 not yet calculated CVE-2024-26585
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_acl_tcam: Fix stack corruption When tc filters are first added to a net device, the corresponding local port gets bound to an ACL group in the device. The group contains a list of ACLs. In turn, each ACL points to a different TCAM region where the filters are stored. During forwarding, the ACLs are sequentially evaluated until a match is found. One reason to place filters in different regions is when they are added with decreasing priorities and in an alternating order so that two consecutive filters can never fit in the same region because of their key usage. In Spectrum-2 and newer ASICs the firmware started to report that the maximum number of ACLs in a group is more than 16, but the layout of the register that configures ACL groups (PAGT) was not updated to account for that. It is therefore possible to hit stack corruption [1] in the rare case where more than 16 ACLs in a group are required. Fix by limiting the maximum ACL group size to the minimum between what the firmware reports and the maximum ACLs that fit in the PAGT register. Add a test case to make sure the machine does not crash when this condition is hit. [1] Kernel panic – not syncing: stack-protector: Kernel stack is corrupted in: mlxsw_sp_acl_tcam_group_update+0x116/0x120 […] dump_stack_lvl+0x36/0x50 panic+0x305/0x330 __stack_chk_fail+0x15/0x20 mlxsw_sp_acl_tcam_group_update+0x116/0x120 mlxsw_sp_acl_tcam_group_region_attach+0x69/0x110 mlxsw_sp_acl_tcam_vchunk_get+0x492/0xa20 mlxsw_sp_acl_tcam_ventry_add+0x25/0xe0 mlxsw_sp_acl_rule_add+0x47/0x240 mlxsw_sp_flower_replace+0x1a9/0x1d0 tc_setup_cb_add+0xdc/0x1c0 fl_hw_replace_filter+0x146/0x1f0 fl_change+0xc17/0x1360 tc_new_tfilter+0x472/0xb90 rtnetlink_rcv_msg+0x313/0x3b0 netlink_rcv_skb+0x58/0x100 netlink_unicast+0x244/0x390 netlink_sendmsg+0x1e4/0x440 ____sys_sendmsg+0x164/0x260 ___sys_sendmsg+0x9a/0xe0 __sys_sendmsg+0x7a/0xc0 do_syscall_64+0x40/0xe0 entry_SYSCALL_64_after_hwframe+0x63/0x6b 2024-02-22 not yet calculated CVE-2024-26586
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux In the Linux kernel, the following vulnerability has been resolved: net: netdevsim: don’t try to destroy PHC on VFs PHC gets initialized in nsim_init_netdevsim(), which is only called if (nsim_dev_port_is_pf()). Create a counterpart of nsim_init_netdevsim() and move the mock_phc_destroy() there. This fixes a crash trying to destroy netdevsim with VFs instantiated, as caught by running the devlink.sh test: BUG: kernel NULL pointer dereference, address: 00000000000000b8 RIP: 0010:mock_phc_destroy+0xd/0x30 Call Trace: <TASK> nsim_destroy+0x4a/0x70 [netdevsim] __nsim_dev_port_del+0x47/0x70 [netdevsim] nsim_dev_reload_destroy+0x105/0x120 [netdevsim] nsim_drv_remove+0x2f/0xb0 [netdevsim] device_release_driver_internal+0x1a1/0x210 bus_remove_device+0xd5/0x120 device_del+0x159/0x490 device_unregister+0x12/0x30 del_device_store+0x11a/0x1a0 [netdevsim] kernfs_fop_write_iter+0x130/0x1d0 vfs_write+0x30b/0x4b0 ksys_write+0x69/0xf0 do_syscall_64+0xcc/0x1e0 entry_SYSCALL_64_after_hwframe+0x6f/0x77 2024-02-22 not yet calculated CVE-2024-26587
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux In the Linux kernel, the following vulnerability has been resolved: LoongArch: BPF: Prevent out-of-bounds memory access The test_tag test triggers an unhandled page fault: # ./test_tag [ 130.640218] CPU 0 Unable to handle kernel paging request at virtual address ffff80001b898004, era == 9000000003137f7c, ra == 9000000003139e70 [ 130.640501] Oops[#3]: [ 130.640553] CPU: 0 PID: 1326 Comm: test_tag Tainted: G D O 6.7.0-rc4-loong-devel-gb62ab1a397cf #47 61985c1d94084daa2432f771daa45b56b10d8d2a [ 130.640764] Hardware name: QEMU QEMU Virtual Machine, BIOS unknown 2/2/2022 [ 130.640874] pc 9000000003137f7c ra 9000000003139e70 tp 9000000104cb4000 sp 9000000104cb7a40 [ 130.641001] a0 ffff80001b894000 a1 ffff80001b897ff8 a2 000000006ba210be a3 0000000000000000 [ 130.641128] a4 000000006ba210be a5 00000000000000f1 a6 00000000000000b3 a7 0000000000000000 [ 130.641256] t0 0000000000000000 t1 00000000000007f6 t2 0000000000000000 t3 9000000004091b70 [ 130.641387] t4 000000006ba210be t5 0000000000000004 t6 fffffffffffffff0 t7 90000000040913e0 [ 130.641512] t8 0000000000000005 u0 0000000000000dc0 s9 0000000000000009 s0 9000000104cb7ae0 [ 130.641641] s1 00000000000007f6 s2 0000000000000009 s3 0000000000000095 s4 0000000000000000 [ 130.641771] s5 ffff80001b894000 s6 ffff80001b897fb0 s7 9000000004090c50 s8 0000000000000000 [ 130.641900] ra: 9000000003139e70 build_body+0x1fcc/0x4988 [ 130.642007] ERA: 9000000003137f7c build_body+0xd8/0x4988 [ 130.642112] CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE) [ 130.642261] PRMD: 00000004 (PPLV0 +PIE -PWE) [ 130.642353] EUEN: 00000003 (+FPE +SXE -ASXE -BTE) [ 130.642458] ECFG: 00071c1c (LIE=2-4,10-12 VS=7) [ 130.642554] ESTAT: 00010000 [PIL] (IS= ECode=1 EsubCode=0) [ 130.642658] BADV: ffff80001b898004 [ 130.642719] PRID: 0014c010 (Loongson-64bit, Loongson-3A5000) [ 130.642815] Modules linked in: [last unloaded: bpf_testmod(O)] [ 130.642924] Process test_tag (pid: 1326, threadinfo=00000000f7f4015f, task=000000006499f9fd) [ 130.643062] Stack : 0000000000000000 9000000003380724 0000000000000000 0000000104cb7be8 [ 130.643213] 0000000000000000 25af8d9b6e600558 9000000106250ea0 9000000104cb7ae0 [ 130.643378] 0000000000000000 0000000000000000 9000000104cb7be8 90000000049f6000 [ 130.643538] 0000000000000090 9000000106250ea0 ffff80001b894000 ffff80001b894000 [ 130.643685] 00007ffffb917790 900000000313ca94 0000000000000000 0000000000000000 [ 130.643831] ffff80001b894000 0000000000000ff7 0000000000000000 9000000100468000 [ 130.643983] 0000000000000000 0000000000000000 0000000000000040 25af8d9b6e600558 [ 130.644131] 0000000000000bb7 ffff80001b894048 0000000000000000 0000000000000000 [ 130.644276] 9000000104cb7be8 90000000049f6000 0000000000000090 9000000104cb7bdc [ 130.644423] ffff80001b894000 0000000000000000 00007ffffb917790 90000000032acfb0 [ 130.644572] … [ 130.644629] Call Trace: [ 130.644641] [<9000000003137f7c>] build_body+0xd8/0x4988 [ 130.644785] [<900000000313ca94>] bpf_int_jit_compile+0x228/0x4ec [ 130.644891] [<90000000032acfb0>] bpf_prog_select_runtime+0x158/0x1b0 [ 130.645003] [<90000000032b3504>] bpf_prog_load+0x760/0xb44 [ 130.645089] [<90000000032b6744>] __sys_bpf+0xbb8/0x2588 [ 130.645175] [<90000000032b8388>] sys_bpf+0x20/0x2c [ 130.645259] [<9000000003f6ab38>] do_syscall+0x7c/0x94 [ 130.645369] [<9000000003121c5c>] handle_syscall+0xbc/0x158 [ 130.645507] [ 130.645539] Code: 380839f6 380831f9 28412bae <24000ca6> 004081ad 0014cb50 004083e8 02bff34c 58008e91 [ 130.645729] [ 130.646418] —[ end trace 0000000000000000 ]— On my machine, which has CONFIG_PAGE_SIZE_16KB=y, the test failed at loading a BPF prog with 2039 instructions: prog = (struct bpf_prog *)ffff80001b894000 insn = (struct bpf_insn *)(prog->insnsi)fff —truncated— 2024-02-22 not yet calculated CVE-2024-26588
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux In the Linux kernel, the following vulnerability has been resolved: bpf: Reject variable offset alu on PTR_TO_FLOW_KEYS For PTR_TO_FLOW_KEYS, check_flow_keys_access() only uses fixed off for validation. However, variable offset ptr alu is not prohibited for this ptr kind. So the variable offset is not checked. The following prog is accepted: func#0 @0 0: R1=ctx() R10=fp0 0: (bf) r6 = r1 ; R1=ctx() R6_w=ctx() 1: (79) r7 = *(u64 *)(r6 +144) ; R6_w=ctx() R7_w=flow_keys() 2: (b7) r8 = 1024 ; R8_w=1024 3: (37) r8 /= 1 ; R8_w=scalar() 4: (57) r8 &= 1024 ; R8_w=scalar(smin=smin32=0, smax=umax=smax32=umax32=1024,var_off=(0x0; 0x400)) 5: (0f) r7 += r8 mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1 mark_precise: frame0: regs=r8 stack= before 4: (57) r8 &= 1024 mark_precise: frame0: regs=r8 stack= before 3: (37) r8 /= 1 mark_precise: frame0: regs=r8 stack= before 2: (b7) r8 = 1024 6: R7_w=flow_keys(smin=smin32=0,smax=umax=smax32=umax32=1024,var_off =(0x0; 0x400)) R8_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=1024, var_off=(0x0; 0x400)) 6: (79) r0 = *(u64 *)(r7 +0) ; R0_w=scalar() 7: (95) exit This prog loads flow_keys to r7, and adds the variable offset r8 to r7, and finally causes out-of-bounds access: BUG: unable to handle page fault for address: ffffc90014c80038 […] Call Trace: <TASK> bpf_dispatcher_nop_func include/linux/bpf.h:1231 [inline] __bpf_prog_run include/linux/filter.h:651 [inline] bpf_prog_run include/linux/filter.h:658 [inline] bpf_prog_run_pin_on_cpu include/linux/filter.h:675 [inline] bpf_flow_dissect+0x15f/0x350 net/core/flow_dissector.c:991 bpf_prog_test_run_flow_dissector+0x39d/0x620 net/bpf/test_run.c:1359 bpf_prog_test_run kernel/bpf/syscall.c:4107 [inline] __sys_bpf+0xf8f/0x4560 kernel/bpf/syscall.c:5475 __do_sys_bpf kernel/bpf/syscall.c:5561 [inline] __se_sys_bpf kernel/bpf/syscall.c:5559 [inline] __x64_sys_bpf+0x73/0xb0 kernel/bpf/syscall.c:5559 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Fix this by rejecting ptr alu with variable offset on flow_keys. Applying the patch rejects the program with “R7 pointer arithmetic on flow_keys prohibited”. 2024-02-22 not yet calculated CVE-2024-26589
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux In the Linux kernel, the following vulnerability has been resolved: erofs: fix inconsistent per-file compression format EROFS can select compression algorithms on a per-file basis, and each per-file compression algorithm needs to be marked in the on-disk superblock for initialization. However, syzkaller can generate inconsistent crafted images that use an unsupported algorithmtype for specific inodes, e.g. use MicroLZMA algorithmtype even it’s not set in `sbi->available_compr_algs`. This can lead to an unexpected “BUG: kernel NULL pointer dereference” if the corresponding decompressor isn’t built-in. Fix this by checking against `sbi->available_compr_algs` for each m_algorithmformat request. Incorrect !erofs_sb_has_compr_cfgs preset bitmap is now fixed together since it was harmless previously. 2024-02-22 not yet calculated CVE-2024-26590
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux In the Linux kernel, the following vulnerability has been resolved: bpf: Fix re-attachment branch in bpf_tracing_prog_attach The following case can cause a crash due to missing attach_btf: 1) load rawtp program 2) load fentry program with rawtp as target_fd 3) create tracing link for fentry program with target_fd = 0 4) repeat 3 In the end we have: – prog->aux->dst_trampoline == NULL – tgt_prog == NULL (because we did not provide target_fd to link_create) – prog->aux->attach_btf == NULL (the program was loaded with attach_prog_fd=X) – the program was loaded for tgt_prog but we have no way to find out which one BUG: kernel NULL pointer dereference, address: 0000000000000058 Call Trace: <TASK> ? __die+0x20/0x70 ? page_fault_oops+0x15b/0x430 ? fixup_exception+0x22/0x330 ? exc_page_fault+0x6f/0x170 ? asm_exc_page_fault+0x22/0x30 ? bpf_tracing_prog_attach+0x279/0x560 ? btf_obj_id+0x5/0x10 bpf_tracing_prog_attach+0x439/0x560 __sys_bpf+0x1cf4/0x2de0 __x64_sys_bpf+0x1c/0x30 do_syscall_64+0x41/0xf0 entry_SYSCALL_64_after_hwframe+0x6e/0x76 Return -EINVAL in this situation. 2024-02-22 not yet calculated CVE-2024-26591
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix UAF issue in ksmbd_tcp_new_connection() The race is between the handling of a new TCP connection and its disconnection. It leads to UAF on `struct tcp_transport` in ksmbd_tcp_new_connection() function. 2024-02-22 not yet calculated CVE-2024-26592
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux In the Linux kernel, the following vulnerability has been resolved: i2c: i801: Fix block process call transactions According to the Intel datasheets, software must reset the block buffer index twice for block process call transactions: once before writing the outgoing data to the buffer, and once again before reading the incoming data from the buffer. The driver is currently missing the second reset, causing the wrong portion of the block buffer to be read. 2024-02-23 not yet calculated CVE-2024-26593
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux In the Linux kernel, the following vulnerability has been resolved: ksmbd: validate mech token in session setup If client send invalid mech token in session setup request, ksmbd validate and make the error if it is invalid. 2024-02-23 not yet calculated CVE-2024-26594
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_acl_tcam: Fix NULL pointer dereference in error path When calling mlxsw_sp_acl_tcam_region_destroy() from an error path after failing to attach the region to an ACL group, we hit a NULL pointer dereference upon ‘region->group->tcam’ [1]. Fix by retrieving the ‘tcam’ pointer using mlxsw_sp_acl_to_tcam(). [1] BUG: kernel NULL pointer dereference, address: 0000000000000000 […] RIP: 0010:mlxsw_sp_acl_tcam_region_destroy+0xa0/0xd0 […] Call Trace: mlxsw_sp_acl_tcam_vchunk_get+0x88b/0xa20 mlxsw_sp_acl_tcam_ventry_add+0x25/0xe0 mlxsw_sp_acl_rule_add+0x47/0x240 mlxsw_sp_flower_replace+0x1a9/0x1d0 tc_setup_cb_add+0xdc/0x1c0 fl_hw_replace_filter+0x146/0x1f0 fl_change+0xc17/0x1360 tc_new_tfilter+0x472/0xb90 rtnetlink_rcv_msg+0x313/0x3b0 netlink_rcv_skb+0x58/0x100 netlink_unicast+0x244/0x390 netlink_sendmsg+0x1e4/0x440 ____sys_sendmsg+0x164/0x260 ___sys_sendmsg+0x9a/0xe0 __sys_sendmsg+0x7a/0xc0 do_syscall_64+0x40/0xe0 entry_SYSCALL_64_after_hwframe+0x63/0x6b 2024-02-23 not yet calculated CVE-2024-26595
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux In the Linux kernel, the following vulnerability has been resolved: net: dsa: fix netdev_priv() dereference before check on non-DSA netdevice events After the blamed commit, we started doing this dereference for every NETDEV_CHANGEUPPER and NETDEV_PRECHANGEUPPER event in the system. static inline struct dsa_port *dsa_user_to_port(const struct net_device *dev) { struct dsa_user_priv *p = netdev_priv(dev); return p->dp; } Which is obviously bogus, because not all net_devices have a netdev_priv() of type struct dsa_user_priv. But struct dsa_user_priv is fairly small, and p->dp means dereferencing 8 bytes starting with offset 16. Most drivers allocate that much private memory anyway, making our access not fault, and we discard the bogus data quickly afterwards, so this wasn’t caught. But the dummy interface is somewhat special in that it calls alloc_netdev() with a priv size of 0. So every netdev_priv() dereference is invalid, and we get this when we emit a NETDEV_PRECHANGEUPPER event with a VLAN as its new upper: $ ip link add dummy1 type dummy $ ip link add link dummy1 name dummy1.100 type vlan id 100 [ 43.309174] ================================================================== [ 43.316456] BUG: KASAN: slab-out-of-bounds in dsa_user_prechangeupper+0x30/0xe8 [ 43.323835] Read of size 8 at addr ffff3f86481d2990 by task ip/374 [ 43.330058] [ 43.342436] Call trace: [ 43.366542] dsa_user_prechangeupper+0x30/0xe8 [ 43.371024] dsa_user_netdevice_event+0xb38/0xee8 [ 43.375768] notifier_call_chain+0xa4/0x210 [ 43.379985] raw_notifier_call_chain+0x24/0x38 [ 43.384464] __netdev_upper_dev_link+0x3ec/0x5d8 [ 43.389120] netdev_upper_dev_link+0x70/0xa8 [ 43.393424] register_vlan_dev+0x1bc/0x310 [ 43.397554] vlan_newlink+0x210/0x248 [ 43.401247] rtnl_newlink+0x9fc/0xe30 [ 43.404942] rtnetlink_rcv_msg+0x378/0x580 Avoid the kernel oops by dereferencing after the type check, as customary. 2024-02-23 not yet calculated CVE-2024-26596
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux In the Linux kernel, the following vulnerability has been resolved: net: qualcomm: rmnet: fix global oob in rmnet_policy The variable rmnet_link_ops assign a *bigger* maxtype which leads to a global out-of-bounds read when parsing the netlink attributes. See bug trace below: ================================================================== BUG: KASAN: global-out-of-bounds in validate_nla lib/nlattr.c:386 [inline] BUG: KASAN: global-out-of-bounds in __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600 Read of size 1 at addr ffffffff92c438d0 by task syz-executor.6/84207 CPU: 0 PID: 84207 Comm: syz-executor.6 Tainted: G N 6.1.0 #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x8b/0xb3 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:284 [inline] print_report+0x172/0x475 mm/kasan/report.c:395 kasan_report+0xbb/0x1c0 mm/kasan/report.c:495 validate_nla lib/nlattr.c:386 [inline] __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600 __nla_parse+0x3e/0x50 lib/nlattr.c:697 nla_parse_nested_deprecated include/net/netlink.h:1248 [inline] __rtnl_newlink+0x50a/0x1880 net/core/rtnetlink.c:3485 rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3594 rtnetlink_rcv_msg+0x43c/0xd70 net/core/rtnetlink.c:6091 netlink_rcv_skb+0x14f/0x410 net/netlink/af_netlink.c:2540 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline] netlink_unicast+0x54e/0x800 net/netlink/af_netlink.c:1345 netlink_sendmsg+0x930/0xe50 net/netlink/af_netlink.c:1921 sock_sendmsg_nosec net/socket.c:714 [inline] sock_sendmsg+0x154/0x190 net/socket.c:734 ____sys_sendmsg+0x6df/0x840 net/socket.c:2482 ___sys_sendmsg+0x110/0x1b0 net/socket.c:2536 __sys_sendmsg+0xf3/0x1c0 net/socket.c:2565 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7fdcf2072359 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fdcf13e3168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007fdcf219ff80 RCX: 00007fdcf2072359 RDX: 0000000000000000 RSI: 0000000020000200 RDI: 0000000000000003 RBP: 00007fdcf20bd493 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007fffbb8d7bdf R14: 00007fdcf13e3300 R15: 0000000000022000 </TASK> The buggy address belongs to the variable: rmnet_policy+0x30/0xe0 The buggy address belongs to the physical page: page:0000000065bdeb3c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x155243 flags: 0x200000000001000(reserved|node=0|zone=2) raw: 0200000000001000 ffffea00055490c8 ffffea00055490c8 0000000000000000 raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffffffff92c43780: f9 f9 f9 f9 00 00 00 02 f9 f9 f9 f9 00 00 00 07 ffffffff92c43800: f9 f9 f9 f9 00 00 00 05 f9 f9 f9 f9 06 f9 f9 f9 >ffffffff92c43880: f9 f9 f9 f9 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 ^ ffffffff92c43900: 00 00 00 00 00 00 00 00 07 f9 f9 f9 f9 f9 f9 f9 ffffffff92c43980: 00 00 00 07 f9 f9 f9 f9 00 00 00 05 f9 f9 f9 f9 According to the comment of `nla_parse_nested_deprecated`, the maxtype should be len(destination array) – 1. Hence use `IFLA_RMNET_MAX` here. 2024-02-23 not yet calculated CVE-2024-26597
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: vgic-its: Avoid potential UAF in LPI translation cache There is a potential UAF scenario in the case of an LPI translation cache hit racing with an operation that invalidates the cache, such as a DISCARD ITS command. The root of the problem is that vgic_its_check_cache() does not elevate the refcount on the vgic_irq before dropping the lock that serializes refcount changes. Have vgic_its_check_cache() raise the refcount on the returned vgic_irq and add the corresponding decrement after queueing the interrupt. 2024-02-23 not yet calculated CVE-2024-26598
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
linux — linux In the Linux kernel, the following vulnerability has been resolved: pwm: Fix out-of-bounds access in of_pwm_single_xlate() With args->args_count == 2 args->args[2] is not defined. Actually the flags are contained in args->args[1]. 2024-02-23 not yet calculated CVE-2024-26599
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
416baaa9-dc9f-4396-8d5f-8c081fb06d67
livebox — collaboration_vdesk An issue was discovered in LIVEBOX Collaboration vDesk through v031. A URL Redirection to an Untrusted Site (Open Redirect) can occur under the /api/v1/notification/createnotification endpoint, allowing an authenticated user to send an arbitrary push notification to any other user of the system. This push notification can include an (invisible) clickable link. 2024-02-21 not yet calculated CVE-2022-45169
cve@mitre.org
livebox — collaboration_vdesk An issue was discovered in LIVEBOX Collaboration vDesk through v031. An Observable Response Discrepancy can occur under the /api/v1/vdeskintegration/user/isenableuser endpoint, the /api/v1/sharedsearch?search={NAME]+{SURNAME] endpoint, and the /login endpoint. The web application provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere. 2024-02-21 not yet calculated CVE-2022-45177
cve@mitre.org
livebox — collaboration_vdesk An issue was discovered in LIVEBOX Collaboration vDesk through v031. A basic XSS vulnerability exists under the /api/v1/vdeskintegration/todo/createorupdate endpoint via the title parameter and /dashboard/reminders. A remote user (authenticated to the product) can store arbitrary HTML code in the reminder section title in order to corrupt the web page (for example, by creating phishing sections to exfiltrate victims’ credentials). 2024-02-21 not yet calculated CVE-2022-45179
cve@mitre.org
maxon — cinema_4d An issue in MAXON CINEMA 4D R2024.2.0 allows a local attacker to execute arbitrary code via a crafted c4d_base.xdl64 file. 2024-02-22 not yet calculated CVE-2024-25423
cve@mitre.org
cve@mitre.org
cve@mitre.org
miguel_ribeiro — wallos Wallos 0.9 is vulnerable to Cross Site Scripting (XSS) in all text-based input fields without proper validation, excluding those requiring specific formats like date fields. 2024-02-23 not yet calculated CVE-2024-22776
cve@mitre.org
cve@mitre.org
mozilla — firefox When storing and re-accessing data on a networking channel, the length of buffers may have been confused, resulting in an out-of-bounds memory read. This vulnerability affects Firefox < 123, Firefox ESR < 115.8, and Thunderbird < 115.8. 2024-02-20 not yet calculated CVE-2024-1546
security@mozilla.org
security@mozilla.org
security@mozilla.org
security@mozilla.org
mozilla — firefox Through a series of API calls and redirects, an attacker-controlled alert dialog could have been displayed on another website (with the victim website’s URL shown). This vulnerability affects Firefox < 123, Firefox ESR < 115.8, and Thunderbird < 115.8. 2024-02-20 not yet calculated CVE-2024-1547
security@mozilla.org
security@mozilla.org
security@mozilla.org
security@mozilla.org
mozilla — firefox A website could have obscured the fullscreen notification by using a dropdown select input element. This could have led to user confusion and possible spoofing attacks. This vulnerability affects Firefox < 123, Firefox ESR < 115.8, and Thunderbird < 115.8. 2024-02-20 not yet calculated CVE-2024-1548
security@mozilla.org
security@mozilla.org
security@mozilla.org
security@mozilla.org
mozilla — firefox If a website set a large custom cursor, portions of the cursor could have overlapped with the permission dialog, potentially resulting in user confusion and unexpected granted permissions. This vulnerability affects Firefox < 123, Firefox ESR < 115.8, and Thunderbird < 115.8. 2024-02-20 not yet calculated CVE-2024-1549
security@mozilla.org
security@mozilla.org
security@mozilla.org
security@mozilla.org
mozilla — firefox A malicious website could have used a combination of exiting fullscreen mode and `requestPointerLock` to cause the user’s mouse to be re-positioned unexpectedly, which could have led to user confusion and inadvertently granting permissions they did not intend to grant. This vulnerability affects Firefox < 123, Firefox ESR < 115.8, and Thunderbird < 115.8. 2024-02-20 not yet calculated CVE-2024-1550
security@mozilla.org
security@mozilla.org
security@mozilla.org
security@mozilla.org
mozilla — firefox Set-Cookie response headers were being incorrectly honored in multipart HTTP responses. If an attacker could control the Content-Type response header, as well as control part of the response body, they could inject Set-Cookie response headers that would have been honored by the browser. This vulnerability affects Firefox < 123, Firefox ESR < 115.8, and Thunderbird < 115.8. 2024-02-20 not yet calculated CVE-2024-1551
security@mozilla.org
security@mozilla.org
security@mozilla.org
security@mozilla.org
mozilla — firefox Incorrect code generation could have led to unexpected numeric conversions and potential undefined behavior.*Note:* This issue only affects 32-bit ARM devices. This vulnerability affects Firefox < 123, Firefox ESR < 115.8, and Thunderbird < 115.8. 2024-02-20 not yet calculated CVE-2024-1552
security@mozilla.org
security@mozilla.org
security@mozilla.org
security@mozilla.org
mozilla — firefox Memory safety bugs present in Firefox 122, Firefox ESR 115.7, and Thunderbird 115.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 123, Firefox ESR < 115.8, and Thunderbird < 115.8. 2024-02-20 not yet calculated CVE-2024-1553
security@mozilla.org
security@mozilla.org
security@mozilla.org
security@mozilla.org
mozilla — firefox The `fetch()` API and navigation incorrectly shared the same cache, as the cache key did not include the optional headers `fetch()` may contain. Under the correct circumstances, an attacker may have been able to poison the local browser cache by priming it with a `fetch()` response controlled by the additional headers. Upon navigation to the same URL, the user would see the cached response instead of the expected response. This vulnerability affects Firefox < 123. 2024-02-20 not yet calculated CVE-2024-1554
security@mozilla.org
security@mozilla.org
mozilla — firefox When opening a website using the `firefox://` protocol handler, SameSite cookies were not properly respected. This vulnerability affects Firefox < 123. 2024-02-20 not yet calculated CVE-2024-1555
security@mozilla.org
security@mozilla.org
mozilla — firefox The incorrect object was checked for NULL in the built-in profiler, potentially leading to invalid memory access and undefined behavior. *Note:* This issue only affects the application when the profiler is running. This vulnerability affects Firefox < 123. 2024-02-20 not yet calculated CVE-2024-1556
security@mozilla.org
security@mozilla.org
mozilla — firefox Memory safety bugs present in Firefox 122. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 123. 2024-02-20 not yet calculated CVE-2024-1557
security@mozilla.org
security@mozilla.org
mozilla — firefox_for_ios Upon scanning a JavaScript URI with the QR code scanner, an attacker could have executed unauthorized scripts on the current top origin sites in the URL bar. This vulnerability affects Firefox for iOS < 123. 2024-02-22 not yet calculated CVE-2024-26281
security@mozilla.org
security@mozilla.org
mozilla — firefox_for_ios Using an AMP url with a canonical element, an attacker could have executed JavaScript from an opened bookmarked page. This vulnerability affects Firefox for iOS < 123. 2024-02-22 not yet calculated CVE-2024-26282
security@mozilla.org
security@mozilla.org
mozilla — firefox_for_ios An attacker could have executed unauthorized scripts on top origin sites using a JavaScript URI when opening an external URL with a custom Firefox scheme. This vulnerability affects Firefox for iOS < 123. 2024-02-22 not yet calculated CVE-2024-26283
security@mozilla.org
security@mozilla.org
mozilla — focus_for_ios An attacker could have executed unauthorized scripts on top origin sites using a JavaScript URI when opening an external URL with a custom Firefox scheme and a timeout race condition. This vulnerability affects Focus for iOS < 122. 2024-02-22 not yet calculated CVE-2024-1563
security@mozilla.org
security@mozilla.org
mozilla — focus_for_ios Utilizing a 302 redirect, an attacker could have conducted a Universal Cross-Site Scripting (UXSS) on a victim website, if the victim had a link to the attacker’s website. This vulnerability affects Focus for iOS < 123. 2024-02-22 not yet calculated CVE-2024-26284
security@mozilla.org
security@mozilla.org
mrcms — mrcms SQL Injection vulnerability in MRCMS v3.1.2 allows attackers to run arbitrary system commands via the status parameter. 2024-02-20 not yet calculated CVE-2024-25428
cve@mitre.org
mz-automation — iec61859 Buffer Overflow vulnerability in mz-automation.de libiec61859 v.1.4.0 allows a remote attacker to cause a denial of service via the mmsServer_handleGetNameListRequest function to the mms_getnamelist_service component. 2024-02-20 not yet calculated CVE-2024-25366
cve@mitre.org
cve@mitre.org
cve@mitre.org
ncurses — ncurses ncurses 6.4-20230610 has a NULL pointer dereference in tgetstr in tinfo/lib_termcap.c. 2024-02-16 not yet calculated CVE-2023-45918
cve@mitre.org
netis — wf2780 Netis WF2780 v2.1.40144 was discovered to contain a command injection vulnerability via the wps_ap_ssid5g parameter 2024-02-22 not yet calculated CVE-2024-25850
cve@mitre.org
cve@mitre.org
netis — wf2780 Netis WF2780 v2.1.40144 was discovered to contain a command injection vulnerability via the config_sequence parameter in other_para of cgitest.cgi. 2024-02-22 not yet calculated CVE-2024-25851
cve@mitre.org
cve@mitre.org
node.js — node.js The Node.js Permission Model does not clarify in the documentation that wildcards should be only used as the last character of a file path. For example: “` –allow-fs-read=/home/node/.ssh/*.pub “` will ignore `pub` and give access to everything after `.ssh/`. This misleading documentation affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js. 2024-02-20 not yet calculated CVE-2024-21890
support@hackerone.com
node.js — node.js Node.js depends on multiple built-in utility functions to normalize paths provided to node:fs functions, which can be overwitten with user-defined implementations leading to filesystem permission model bypass through path traversal attack. This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js. 2024-02-20 not yet calculated CVE-2024-21891
support@hackerone.com
node.js — node.js On Linux, Node.js ignores certain environment variables if those may have been set by an unprivileged user while the process is running with elevated privileges with the only exception of CAP_NET_BIND_SERVICE. Due to a bug in the implementation of this exception, Node.js incorrectly applies this exception even when certain other capabilities have been set. This allows unprivileged users to inject code that inherits the process’s elevated privileges. 2024-02-20 not yet calculated CVE-2024-21892
support@hackerone.com
node.js — node.js The permission model protects itself against path traversal attacks by calling path.resolve() on any paths given by the user. If the path is to be treated as a Buffer, the implementation uses Buffer.from() to obtain a Buffer from the result of path.resolve(). By monkey-patching Buffer internals, namely, Buffer.prototype.utf8Write, the application can modify the result of path.resolve(), which leads to a path traversal vulnerability. This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js. 2024-02-20 not yet calculated CVE-2024-21896
support@hackerone.com
node.js — node.js A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and denial of service (DoS). The server reads an unbounded number of bytes from a single connection, exploiting the lack of limitations on chunk extension bytes. The issue can cause CPU and network bandwidth exhaustion, bypassing standard safeguards like timeouts and body size limits. 2024-02-20 not yet calculated CVE-2024-22019
support@hackerone.com
novel-plus — novel-plus An arbitrary file upload vulnerability in the component /sysFile/upload of Novel-Plus v4.3.0-RC1 allows attackers to execute arbitrary code via uploading a crafted file. 2024-02-20 not yet calculated CVE-2024-25274
cve@mitre.org
cve@mitre.org
openvpn — openvpn The OpenVPN GUI installer before version 2.6.9 did not set the proper access control restrictions to the installation directory of OpenVPN binaries when using a non-standard installation path, which allows an attacker to replace binaries to run arbitrary executables. 2024-02-21 not yet calculated CVE-2023-7235
security@openvpn.net
openvpn — openvpn_connect The nodejs framework in OpenVPN Connect 3.0 through 3.4.3 (Windows)/3.4.7 (macOS) was not properly configured, which allows a local user to execute arbitrary code within the nodejs process context via the ELECTRON_RUN_AS_NODE environment variable 2024-02-20 not yet calculated CVE-2023-7245
security@openvpn.net
security@openvpn.net
pmb_services — pmb SQL Injection vulnerability in PMB Services PMB v.7.4.7 and before allows a remote unauthenticated attacker to execute arbitrary code via the query parameter in the /admin/convert/export_z3950.php endpoint. 2024-02-21 not yet calculated CVE-2023-37177
cve@mitre.org
pmb_services — pmb SQL injection vulnerability in PMB v.7.4.7 and earlier allows a remote attacker to execute arbitrary code via the thesaurus parameter in export_skos.php. 2024-02-21 not yet calculated CVE-2023-38844
cve@mitre.org
pmb_services — pmb A SQL Injection vulnerability in /admin/convert/export.class.php in PMB 7.4.7 and earlier versions allows remote unauthenticated attackers to execute arbitrary SQL commands via the query parameter in get_next_notice function. 2024-02-21 not yet calculated CVE-2023-51828
cve@mitre.org
pmb_services — pmb A SQL Injection vulnerability in /pmb/opac_css/includes/sessions.inc.php in PMB 7.4.7 and earlier allows remote unauthenticated attackers to inject arbitrary SQL commands via the PmbOpac-LOGIN cookie value. 2024-02-21 not yet calculated CVE-2023-52153
cve@mitre.org
pmb_services — pmb File Upload vulnerability in pmb/camera_upload.php in PMB 7.4.7 and earlier allows attackers to run arbitrary code via upload of crafted PHTML files. 2024-02-21 not yet calculated CVE-2023-52154
cve@mitre.org
pmb_services — pmb A SQL Injection vulnerability in /admin/sauvegarde/run.php in PMB 7.4.7 and earlier allows remote authenticated attackers to execute arbitrary SQL commands via the sauvegardes variable through the /admin/sauvegarde/run.php endpoint. 2024-02-21 not yet calculated CVE-2023-52155
cve@mitre.org
prestashop — prestashop In the module “Survey TMA” (ecomiz_survey_tma) up to version 2.0.0 from Ecomiz for PrestaShop, a guest can download personal information without restriction. 2024-02-23 not yet calculated CVE-2024-24309
cve@mitre.org
cve@mitre.org
prestashop — prestashop In the module “Generate barcode on invoice / delivery slip” (ecgeneratebarcode) from Ether Creation <= 1.2.0 for PrestaShop, a guest can perform SQL injection. 2024-02-23 not yet calculated CVE-2024-24310
cve@mitre.org
cve@mitre.org
projeqtor — projeqtor Cross Site Scripting (XSS) vulnerability in ProjeQtOr 11.0.2 allows a remote attacker to execute arbitrary code via a crafted script to thecheckvalidHtmlText function in the ack.php and security.php files. 2024-02-20 not yet calculated CVE-2023-49034
cve@mitre.org
qemu — qemu QEMU before 8.2.0 has an integer underflow, and resultant buffer overflow, via a TI command when an expected non-DMA transfer length is less than the length of the available FIFO data. This occurs in esp_do_nodma in hw/scsi/esp.c because of an underflow of async_len. 2024-02-20 not yet calculated CVE-2024-24474
cve@mitre.org
cve@mitre.org
cve@mitre.org
qemu — qemu An issue was discovered in QEMU 7.1.0 through 8.2.1. register_vfs in hw/pci/pcie_sriov.c mishandles the situation where a guest writes NumVFs greater than TotalVFs, leading to a buffer overflow in VF implementations. 2024-02-19 not yet calculated CVE-2024-26327
cve@mitre.org
qemu — qemu An issue was discovered in QEMU 7.1.0 through 8.2.1. register_vfs in hw/pci/pcie_sriov.c does not set NumVFs to PCI_SRIOV_TOTAL_VF, and thus interaction with hw/nvme/ctrl.c is mishandled. 2024-02-19 not yet calculated CVE-2024-26328
cve@mitre.org
react_ative — document_picker Directory Traversal vulnerability in React Native Document Picker before v.9.1.1 and fixed in v.9.1.1 allows a local attacker to execute arbitrary code via a crafted script to the Android library component. 2024-02-16 not yet calculated CVE-2024-25466
cve@mitre.org
cve@mitre.org
redaxo — redaxo_cms An issue was discovered in REDAXO version 5.15.1, allows attackers to execute arbitrary code and obtain sensitive information via modules.modules.php. 2024-02-17 not yet calculated CVE-2024-25298
cve@mitre.org
ros — ros2 Open Robotics Robotic Operating Sytstem 2 (ROS2) and Nav2 humble versions were discovered to contain a buffer overflow via the nav2_controller process. This vulnerability is triggerd via sending a crafted .yaml file. 2024-02-20 not yet calculated CVE-2024-25196
cve@mitre.org
cve@mitre.org
cve@mitre.org
ros — ros2 Open Robotics Robotic Operating Sytstem 2 (ROS2) and Nav2 humble versions were discovered to contain a NULL pointer dereference via the isCurrent() function at /src/layered_costmap.cpp. 2024-02-20 not yet calculated CVE-2024-25197
cve@mitre.org
cve@mitre.org
cve@mitre.org
cve@mitre.org
ros — ros2 Inappropriate pointer order of laser_scan_filter_.reset() and tf_listener_.reset() (amcl_node.cpp) in Open Robotics Robotic Operating Sytstem 2 (ROS2) and Nav2 humble versions leads to a use-after-free. 2024-02-20 not yet calculated CVE-2024-25198
cve@mitre.org
cve@mitre.org
cve@mitre.org
ros — ros2 Inappropriate pointer order of map_sub_ and map_free(map_) (amcl_node.cpp) in Open Robotics Robotic Operating Sytstem 2 (ROS2) and Nav2 humble versions leads to a use-after-free. 2024-02-20 not yet calculated CVE-2024-25199
cve@mitre.org
cve@mitre.org
cve@mitre.org
serenity — serenity Serenity before 6.8.0 allows XSS via an email link because LoginPage.tsx permits return URLs that do not begin with a / character. 2024-02-19 not yet calculated CVE-2024-26318
cve@mitre.org
skinsoft — s-museum SKINsoft S-Museum 7.02.3 allows XSS via the filename of an uploaded file. Unlike in CVE-2024-25802, the attack payload is in the name (not the content) of a file. 2024-02-22 not yet calculated CVE-2024-25801
cve@mitre.org
skinsoft — s-museum SKINsoft S-Museum 7.02.3 allows Unrestricted File Upload via the Add Media function. Unlike in CVE-2024-25801, the attack payload is the file content. 2024-02-22 not yet calculated CVE-2024-25802
cve@mitre.org
slims — slims_9_bulian SLIMS (Senayan Library Management Systems) 9 Bulian v9.6.1 is vulnerable to SQL Injection via pop-scope-vocabolary.php. 2024-02-21 not yet calculated CVE-2024-25288
cve@mitre.org
cve@mitre.org
sourceware.org — elfutils elfutils v0.189 was discovered to contain a NULL pointer dereference via the handle_verdef() function at readelf.c. 2024-02-20 not yet calculated CVE-2024-25260
cve@mitre.org
cve@mitre.org
cve@mitre.org
td_bank — td_advanced_dashboard The TD Bank TD Advanced Dashboard client through 3.0.3 for macOS allows arbitrary code execution because of the lack of electron::fuses::IsRunAsNodeEnabled (i.e., ELECTRON_RUN_AS_NODE can be used in production). This makes it easier for a compromised process to access banking information. 2024-02-21 not yet calculated CVE-2023-50975
cve@mitre.org
cve@mitre.org
cve@mitre.org
teltonika – rut240 Teltonika RUT240 devices with firmware before 07.04.2, when bridge mode is used, sometimes make SSH and HTTP services available on the IPv6 WAN interface even though the UI shows that they are only available on the LAN interface. 2024-02-17 not yet calculated CVE-2023-31728
cve@mitre.org
cve@mitre.org
teltonika — trb1 Teltonika TRB1-series devices with firmware before TRB1_R_00.07.05.2 allow attackers to exploit a firmware vulnerability via Ethernet LAN or USB. 2024-02-17 not yet calculated CVE-2024-22727
cve@mitre.org
tenda — ac21 A stack overflow vulnerability in Tenda AC21 with firmware version US_AC21V1.0re_V16.03.08.15_cn_TDC01 allows attackers to run arbitrary commands via crafted POST request to /goform/openSchedWifi. 2024-02-21 not yet calculated CVE-2023-24333
cve@mitre.org
tenda — ac23 A stack overflow vulnerability in Tenda AC23 with firmware version US_AC23V1.0re_V16.03.07.45_cn_TDC01 allows attackers to run arbitrary commands via schedStartTime parameter. 2024-02-21 not yet calculated CVE-2023-24334
cve@mitre.org
tenda — ac6 A stack overflow vulnerability in Tenda AC6 with firmware version US_AC6V5.0re_V03.03.02.01_cn_TDC01 allows attackers to run arbitrary commands via crafted POST request to /goform/PowerSaveSet. 2024-02-21 not yet calculated CVE-2023-24332
cve@mitre.org
tenda — ac9 Stack Based Buffer Overflow vulnerability in Tenda AC9 v.3.0 with firmware version v.15.03.06.42_multi allows a remote attacker to execute arbitrary code via the add_white_node function. 2024-02-22 not yet calculated CVE-2024-25746
cve@mitre.org
tenda — ac9 A Stack Based Buffer Overflow vulnerability in tenda AC9 AC9 v.3.0 with firmware version v.15.03.06.42_multi allows a remote attacker to execute arbitrary code via the fromSetIpMacBind function. 2024-02-22 not yet calculated CVE-2024-25748
cve@mitre.org
tenda — ac9 Stack Based Buffer Overflow vulnerability in Tenda AC9 v.3.0 with firmware version v.15.03.06.42_multi allows a remote attacker to execute arbitrary code via the formSetDeviceName function. 2024-02-22 not yet calculated CVE-2024-25753
cve@mitre.org
tenda — ac9 A Stack Based Buffer Overflow vulnerability in Tenda AC9 v.3.0 with firmware version v.15.03.06.42_multi allows a remote attacker to execute arbitrary code via the formWifiBasicSet function. 2024-02-22 not yet calculated CVE-2024-25756
cve@mitre.org
tenda — tx9,ax3,ax9,ax12 An access control issue in /usr/sbin/httpd in Tenda TX9 V1 V22.03.02.54, Tenda AX3 V3 V16.03.12.11, Tenda AX9 V1 V22.03.01.46, and Tenda AX12 V1 V22.03.01.46 allows attackers to bypass authentication on any endpoint via a crafted URL. 2024-02-20 not yet calculated CVE-2023-47422
cve@mitre.org
terminalfour — terminalfour An issue was discovered in Terminalfour 7.4 through 7.4.0004 QP3 and 8 through 8.3.19, and Formbank through 2.1.10-FINAL. Unauthenticated Stored Cross-Site Scripting can occur, with resultant Admin Session Hijacking. The attack vectors are Form Builder and Form Preview. 2024-02-21 not yet calculated CVE-2024-22220
cve@mitre.org
cve@mitre.org
terrasoft — creatio_terrasoft_crm Directory Traversal vulnerability in Terrasoft, Creatio Terrasoft CRM v.7.18.4.1532 allows a remote attacker to obtain sensitive information via a crafted request to the terrasoft.axd component. 2024-02-21 not yet calculated CVE-2024-25461
cve@mitre.org
cve@mitre.org
timo — timo An issue in Timo v.2.0.3 allows a remote attacker to execute arbitrary code via the filetype restrictions in the UploadController.java component. 2024-02-20 not yet calculated CVE-2024-22824
cve@mitre.org
tongda — office_anywhere Tongda OA v2017 and up to v11.9 was discovered to contain a SQL injection vulnerability via the $AFF_ID parameter at /affair/delete.php. 2024-02-16 not yet calculated CVE-2024-25320
cve@mitre.org
totoline — x5000r An issue in TOTOLINK X5000R V.9.1.0u.6369_B20230113 allows a remote attacker to cause a denial of service via the host_time parameter of the NTPSyncWithHost component. 2024-02-17 not yet calculated CVE-2024-25468
cve@mitre.org
ubiquiti_inc — unifi_access_points A malformed discovery packet sent by a malicious actor with preexisting access to the network could interrupt the functionality of device management and discovery. Affected Products: UniFi Access Points UniFi Switches UniFi LTE Backup UniFi Express (Only Mesh Mode, Router mode is not affected) Mitigation: Update UniFi Access Points to Version 6.6.65 or later. Update UniFi Switches to Version 6.6.61 or later. Update UniFi LTE Backup to Version 6.6.57 or later. Update UniFi Express to Version 3.2.5 or later. 2024-02-20 not yet calculated CVE-2024-22054
support@hackerone.com
unisys — stealth An issue discovered in Unisys Stealth 5.3.062.0 allows attackers to view sensitive information via the Enterprise ManagementInstaller_msi.log file. 2024-02-20 not yet calculated CVE-2024-23758
cve@mitre.org
unknown — socialdriver The SocialDriver WordPress theme before version 2024 has a prototype pollution vulnerability that could allow an attacker to inject arbitrary properties resulting in a cross-site scripting (XSS) attack. 2024-02-23 not yet calculated CVE-2023-4826
contact@wpscan.com
contact@wpscan.com
wayos — ibr-7150 WayOS IBR-7150 <17.06.23 is vulnerable to Cross Site Scripting (XSS). 2024-02-22 not yet calculated CVE-2024-22547
cve@mitre.org
wireshark — wireshark A buffer overflow in Wireshark before 4.2.0 allows a remote attacker to cause a denial of service via the pan/addr_resolv.c, and ws_manuf_lookup_str(), size components. NOTE: this is disputed by the vendor because neither release 4.2.0 nor any other release was affected. 2024-02-21 not yet calculated CVE-2024-24476
cve@mitre.org
cve@mitre.org
cve@mitre.org
wireshark — wireshark An issue in Wireshark before 4.2.0 allows a remote attacker to cause a denial of service via the packet-bgp.c, dissect_bgp_open(tvbuff_t*tvb, proto_tree*tree, packet_info*pinfo), optlen components. NOTE: this is disputed by the vendor because neither release 4.2.0 nor any other release was affected. 2024-02-21 not yet calculated CVE-2024-24478
cve@mitre.org
cve@mitre.org
cve@mitre.org
wireshark — wireshark A Buffer Overflow in Wireshark before 4.2.0 allows a remote attacker to cause a denial of service via the wsutil/to_str.c, and format_fractional_part_nsecs components. NOTE: this is disputed by the vendor because neither release 4.2.0 nor any other release was affected. 2024-02-21 not yet calculated CVE-2024-24479
cve@mitre.org
cve@mitre.org
yealink — configuration_encrypt_tool Yealink Config Encrypt Tool add RSA before 1.2 has a built-in RSA key pair, and thus there is a risk of decryption by an adversary. 2024-02-20 not yet calculated CVE-2022-48625
cve@mitre.org
yealink — configuration_encrypt_tool Insecure AES key in Yealink Configuration Encrypt Tool below verrsion 1.2. A single, vendorwide, hardcoded AES key in the configuration tool used to encrypt provisioning documents was leaked leading to a compromise of confidentiality of provisioning documents. 2024-02-23 not yet calculated CVE-2024-24681
cve@mitre.org
yetiforcecompany — yetiforcecrm Directory Traversal vulnerability in YetiForceCompany YetiForceCRM versions 6.4.0 and before allows a remote authenticated attacker to obtain sensitive information via the license parameter in the LibraryLicense.php component. 2024-02-16 not yet calculated CVE-2023-49508
cve@mitre.org
cve@mitre.org
cve@mitre.org
zkteco — zkbio_wdms An issue in zkteco zkbio WDMS v.8.0.5 allows an attacker to execute arbitrary code via the /files/backup/ component. 2024-02-23 not yet calculated CVE-2024-22988
cve@mitre.org
cve@mitre.org

Back to top