Latest vulnerabilities [Thursday, February 22, 2024]


Last update performed on 02/22/2024 at 11:57:07 PM

(3) CRITICAL VULNERABILITIES [9.0, 10.0]

Source : github.com

Vulnerability ID : CVE-2023-51388

First published on : 22-02-2024 16:15:53
Last modified on : 22-02-2024 19:07:27

Description :
Hertzbeat is a real-time monitoring system. In `CalculateAlarm.java`, `AviatorEvaluator` is used to directly execute the expression function, and no security policy is configured, resulting in AviatorScript (which can execute any static method by default) script injection. Version 1.4.1 fixes this vulnerability.

CVE ID : CVE-2023-51388
Source : security-advisories@github.com
CVSS Score : 9.8

References :
https://github.com/dromara/hertzbeat/commit/8dcf050e27ca95d15460a7ba98a3df8a9cd1d3d2 | source : security-advisories@github.com
https://github.com/dromara/hertzbeat/security/advisories/GHSA-mcqg-gqxr-hqgj | source : security-advisories@github.com

Vulnerability : CWE-74


Vulnerability ID : CVE-2023-51389

First published on : 22-02-2024 16:15:53
Last modified on : 22-02-2024 19:07:27

Description :
Hertzbeat is a real-time monitoring system. At the interface of `/define/yml`, SnakeYAML is used as a parser to parse yml content, but no security configuration is used, resulting in a YAML deserialization vulnerability. Version 1.4.1 fixes this vulnerability.

CVE ID : CVE-2023-51389
Source : security-advisories@github.com
CVSS Score : 9.8

References :
https://github.com/dromara/hertzbeat/commit/97c3f14446d1c96d1fc993df111684926b6cce17 | source : security-advisories@github.com
https://github.com/dromara/hertzbeat/security/advisories/GHSA-rmvr-9p5x-mm96 | source : security-advisories@github.com

Vulnerability : CWE-502


Vulnerability ID : CVE-2023-51653

First published on : 22-02-2024 16:15:53
Last modified on : 22-02-2024 19:07:27

Description :
Hertzbeat is a real-time monitoring system. In the implementation of `JmxCollectImpl.java`, `JMXConnectorFactory.connect` is vulnerable to JNDI injection. The corresponding interface is `/api/monitor/detect`. If there is a URL field, the address will be used by default. When the URL is `service:jmx:rmi:///jndi/rmi://xxxxxxx:1099/localHikari`, it can be exploited to cause remote code execution. Version 1.4.1 contains a fix for this issue.

CVE ID : CVE-2023-51653
Source : security-advisories@github.com
CVSS Score : 9.8

References :
https://github.com/dromara/hertzbeat/commit/f794b0d82be49c596c04a042976446559eb315ef | source : security-advisories@github.com
https://github.com/dromara/hertzbeat/security/advisories/GHSA-gcmp-vf6v-59gg | source : security-advisories@github.com

Vulnerability : CWE-74


(10) HIGH VULNERABILITIES [7.0, 8.9]

Source : fortinet.com

Vulnerability ID : CVE-2023-29181

First published on : 22-02-2024 10:15:08
Last modified on : 22-02-2024 19:07:27

Description :
A use of an externally-controlled format string in Fortinet FortiOS 7.2.0 through 7.2.4, 7.0.0 through 7.0.11, 6.4.0 through 6.4.12, 6.2.0 through 6.2.14, 6.0.0 through 6.0.16, FortiProxy 7.2.0 through 7.2.4, 7.0.0 through 7.0.10, 2.0.0 through 2.0.12, 1.2.0 through 1.2.13, 1.1.0 through 1.1.6, 1.0.0 through 1.0.7, FortiPAM 1.0.0 through 1.0.3 allows an attacker to execute unauthorized code or commands via a specially crafted command.

CVE ID : CVE-2023-29181
Source : psirt@fortinet.com
CVSS Score : 8.8

References :
https://fortiguard.com/psirt/FG-IR-23-119 | source : psirt@fortinet.com

Vulnerability : CWE-134


Vulnerability ID : CVE-2023-29180

First published on : 22-02-2024 10:15:07
Last modified on : 22-02-2024 19:07:27

Description :
A null pointer dereference in Fortinet FortiOS version 7.2.0 through 7.2.4, 7.0.0 through 7.0.11, 6.4.0 through 6.4.12, 6.2.0 through 6.2.14, 6.0.0 through 6.0.16, FortiProxy 7.2.0 through 7.2.3, 7.0.0 through 7.0.10, 2.0.0 through 2.0.12, 1.2.0 through 1.2.13, 1.1.0 through 1.1.6, 1.0.0 through 1.0.7 allows an attacker to cause a denial of service via specially crafted HTTP requests.

CVE ID : CVE-2023-29180
Source : psirt@fortinet.com
CVSS Score : 7.5

References :
https://fortiguard.com/psirt/FG-IR-23-111 | source : psirt@fortinet.com

Vulnerability : CWE-476


Source : gitlab.com

Vulnerability ID : CVE-2024-1451

First published on : 22-02-2024 00:15:52
Last modified on : 22-02-2024 19:07:27

Description :
An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.9 before 16.9.1. A crafted payload added to the user profile page could lead to a stored XSS on the client side, allowing attackers to perform arbitrary actions on behalf of victims.

CVE ID : CVE-2024-1451
Source : cve@gitlab.com
CVSS Score : 8.7

References :
https://gitlab.com/gitlab-org/gitlab/-/issues/441457 | source : cve@gitlab.com
https://hackerone.com/reports/2371126 | source : cve@gitlab.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2024-0410

First published on : 22-02-2024 00:15:51
Last modified on : 22-02-2024 19:07:27

Description :
An authorization bypass vulnerability was discovered in GitLab affecting versions 15.1 prior to 16.7.6, 16.8 prior to 16.8.3, and 16.9 prior to 16.9.1. A developer could bypass CODEOWNERS approvals by creating a merge conflict.

CVE ID : CVE-2024-0410
Source : cve@gitlab.com
CVSS Score : 7.7

References :
https://gitlab.com/gitlab-org/gitlab/-/issues/437988 | source : cve@gitlab.com
https://hackerone.com/reports/2296778 | source : cve@gitlab.com

Vulnerability : CWE-284


Source : us.ibm.com

Vulnerability ID : CVE-2024-25021

First published on : 22-02-2024 12:15:46
Last modified on : 22-02-2024 19:07:27

Description :
IBM AIX 7.3, VIOS 4.1's Perl implementation could allow a non-privileged local user to exploit a vulnerability to execute arbitrary commands. IBM X-Force ID: 281320.

CVE ID : CVE-2024-25021
Source : psirt@us.ibm.com
CVSS Score : 8.4

References :
https://exchange.xforce.ibmcloud.com/vulnerabilities/281320 | source : psirt@us.ibm.com
https://www.ibm.com/support/pages/node/7122628 | source : psirt@us.ibm.com


Source : ch.abb.com

Vulnerability ID : CVE-2024-0220

First published on : 22-02-2024 11:15:08
Last modified on : 22-02-2024 19:07:27

Description :
B&R Automation Studio Upgrade Service and B&R Technology Guarding use insufficient cryptography for communication to the upgrade and the licensing servers. A network-based attacker could exploit the vulnerability to execute arbitrary code on the products or sniff sensitive data. Missing Encryption of Sensitive Data, Cleartext Transmission of Sensitive Information, Improper Control of Generation of Code ('Code Injection'), Inadequate Encryption Strength vulnerability in B&R Industrial Automation B&R Automation Studio (Upgrade Service modules), B&R Industrial Automation Technology Guarding. This issue affects B&R Automation Studio: <4.6; Technology Guarding: <1.4.0.

CVE ID : CVE-2024-0220
Source : cybersecurity@ch.abb.com
CVSS Score : 8.3

References :
https://www.br-automation.com/fileadmin/SA23P019_Automation_Studio_Upgrade_Service_uses_insufficient_encryption.pdf-1b3b181c.pdf | source : cybersecurity@ch.abb.com

Vulnerability : CWE-311
Vulnerability : CWE-319
Vulnerability : CWE-326
Vulnerability : CWE-94


Source : github.com

Vulnerability ID : CVE-2024-26151

First published on : 22-02-2024 19:15:09
Last modified on : 22-02-2024 19:15:09

Description :
The `mjml` PyPI package, found at the `FelixSchwarz/mjml-python` GitHub repo, is an unofficial Python port of MJML, a markup language created by Mailjet. All users of `FelixSchwarz/mjml-python` who insert untrusted data into mjml templates are affected unless that data is checked in a very strict manner. User input like `&lt;script&gt;` would be rendered as `<script>` in the final HTML output. The attacker must be able to control some data which is later injected into an mjml template which is then sent out as email to other users. The attacker could control the contents of email messages sent through the platform. The problem has been fixed in version 0.11.0 of this library. Versions before 0.10.0 are not affected by this security issue. As a workaround, ensure that potentially untrusted user input does not contain any sequences which could be rendered as HTML.

CVE ID : CVE-2024-26151
Source : security-advisories@github.com
CVSS Score : 8.2

References :
https://github.com/FelixSchwarz/mjml-python/commit/84c495da20a91640a1ca551ace17df7f3be644aa | source : security-advisories@github.com
https://github.com/FelixSchwarz/mjml-python/commit/8d410b7a500703080bb14ed7e3d2663fe16767e6 | source : security-advisories@github.com
https://github.com/FelixSchwarz/mjml-python/issues/52 | source : security-advisories@github.com
https://github.com/FelixSchwarz/mjml-python/releases/tag/v0.11.0 | source : security-advisories@github.com
https://github.com/FelixSchwarz/mjml-python/security/advisories/GHSA-578p-fxmm-6229 | source : security-advisories@github.com

Vulnerability : CWE-20


Source : cert.vde.com

Vulnerability ID : CVE-2024-1104

First published on : 22-02-2024 12:15:46
Last modified on : 22-02-2024 19:07:27

Description :
An unauthenticated remote attacker can bypass the brute force prevention mechanism and disturb the webservice for all users.

CVE ID : CVE-2024-1104
Source : info@cert.vde.com
CVSS Score : 7.5

References :
https://www.areal-topkapi.com/en/services/security-bulletins | source : info@cert.vde.com

Vulnerability : CWE-307


Source : redhat.com

Vulnerability ID : CVE-2023-3966

First published on : 22-02-2024 13:15:07
Last modified on : 22-02-2024 19:07:27

Description :
A flaw was found in Open vSwitch where multiple versions are vulnerable to crafted Geneve packets, which may result in a denial of service and invalid memory accesses. Triggering this issue requires that hardware offloading via the netlink path is enabled.

CVE ID : CVE-2023-3966
Source : secalert@redhat.com
CVSS Score : 7.5

References :
https://access.redhat.com/security/cve/CVE-2023-3966 | source : secalert@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=2178363 | source : secalert@redhat.com

Vulnerability : CWE-248


Source : mitre.org

Vulnerability ID : CVE-2024-27283

First published on : 22-02-2024 05:15:10
Last modified on : 22-02-2024 19:07:27

Description :
A vulnerability was discovered in Veritas eDiscovery Platform before 10.2.5. The application administrator can upload potentially malicious files to arbitrary locations on the server on which the application is installed.

CVE ID : CVE-2024-27283
Source : cve@mitre.org
CVSS Score : 7.2

References :
https://www.veritas.com/support/en_US/security/VTS23-020 | source : cve@mitre.org


(15) MEDIUM VULNERABILITIES [4.0, 6.9]

Source : gitlab.com

Vulnerability ID : CVE-2023-6477

First published on : 22-02-2024 00:15:51
Last modified on : 22-02-2024 19:07:27

Description :
An issue has been discovered in GitLab EE affecting all versions starting from 16.5 before 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. When a user is assigned a custom role with admin_group_member permission, they may be able to make a group, other members or themselves Owners of that group, which may lead to privilege escalation.

CVE ID : CVE-2023-6477
Source : cve@gitlab.com
CVSS Score : 6.7

References :
https://gitlab.com/gitlab-org/gitlab/-/issues/433463 | source : cve@gitlab.com
https://hackerone.com/reports/2270898 | source : cve@gitlab.com

Vulnerability : CWE-269


Vulnerability ID : CVE-2024-1525

First published on : 22-02-2024 00:15:52
Last modified on : 22-02-2024 19:07:27

Description :
An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.1 before 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. Under some specialized conditions, an LDAP user may be able to reset their password using their verified secondary email address and sign-in using direct authentication with the reset password, bypassing LDAP.

CVE ID : CVE-2024-1525
Source : cve@gitlab.com
CVSS Score : 5.3

References :
https://gitlab.com/gitlab-org/gitlab/-/issues/438144 | source : cve@gitlab.com

Vulnerability : CWE-284


Vulnerability ID : CVE-2024-0861

First published on : 22-02-2024 00:15:51
Last modified on : 22-02-2024 19:07:27

Description :
An issue has been discovered in GitLab EE affecting all versions starting from 16.4 before 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. Users with the `Guest` role can change `Custom dashboard projects` settings contrary to permissions.

CVE ID : CVE-2024-0861
Source : cve@gitlab.com
CVSS Score : 4.3

References :
https://gitlab.com/gitlab-org/gitlab/-/issues/439240 | source : cve@gitlab.com
https://hackerone.com/reports/2316435 | source : cve@gitlab.com

Vulnerability : CWE-285


Vulnerability ID : CVE-2023-4895

First published on : 22-02-2024 01:15:07
Last modified on : 22-02-2024 19:07:27

Description :
An issue has been discovered in GitLab EE affecting all versions starting from 12.0 to 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. This vulnerability allows for bypassing the 'group ip restriction' settings to access environment details of projects.

CVE ID : CVE-2023-4895
Source : cve@gitlab.com
CVSS Score : 4.3

References :
https://gitlab.com/gitlab-org/gitlab/-/issues/424766 | source : cve@gitlab.com
https://hackerone.com/reports/2134787 | source : cve@gitlab.com

Vulnerability : CWE-284


Source : fortinet.com

Vulnerability ID : CVE-2023-29179

First published on : 22-02-2024 10:15:07
Last modified on : 22-02-2024 19:07:27

Description :
A null pointer dereference in Fortinet FortiOS version 7.2.0 through 7.2.4, 7.0.0 through 7.0.11, 6.4.0 through 6.4.12, FortiProxy version 7.2.0 through 7.2.4, 7.0.0 through 7.0.10 allows an attacker to cause a denial of service via specially crafted HTTP requests.

CVE ID : CVE-2023-29179
Source : psirt@fortinet.com
CVSS Score : 6.5

References :
https://fortiguard.com/psirt/FG-IR-23-125 | source : psirt@fortinet.com

Vulnerability : CWE-476


Source : github.com

Vulnerability ID : CVE-2023-44379

First published on : 22-02-2024 15:15:08
Last modified on : 22-02-2024 19:07:27

Description :
baserCMS is a website development framework. Prior to version 5.0.9, there is a cross-site scripting vulnerability in the site search feature. Version 5.0.9 contains a fix for this vulnerability.

CVE ID : CVE-2023-44379
Source : security-advisories@github.com
CVSS Score : 6.1

References :
https://basercms.net/security/JVN_73283159 | source : security-advisories@github.com
https://github.com/baserproject/basercms/commit/18549396e5a9b8294306a54a876af164b0b57da4 | source : security-advisories@github.com
https://github.com/baserproject/basercms/security/advisories/GHSA-66c2-p8rh-qx87 | source : security-advisories@github.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-51450

First published on : 22-02-2024 15:15:08
Last modified on : 22-02-2024 19:07:27

Description :
baserCMS is a website development framework. Prior to version 5.0.9, there is an OS Command Injection vulnerability in the site search feature of baserCMS. Version 5.0.9 contains a fix for this vulnerability.

CVE ID : CVE-2023-51450
Source : security-advisories@github.com
CVSS Score : 5.6

References :
https://basercms.net/security/JVN_09767360 | source : security-advisories@github.com
https://github.com/baserproject/basercms/commit/18f426d63e752b4d22c40e9ea8d1f6e692ef601c | source : security-advisories@github.com
https://github.com/baserproject/basercms/security/advisories/GHSA-77fc-4cv5-hmfr | source : security-advisories@github.com

Vulnerability : CWE-78


Vulnerability ID : CVE-2024-25130

First published on : 22-02-2024 19:15:08
Last modified on : 22-02-2024 19:15:08

Description :
Tuleap is an open source suite to improve management of software developments and collaboration. Prior to version 15.5.99.76 of Tuleap Community Edition and prior to versions 15.5-4 and 15.4-7 of Tuleap Enterprise Edition, users with a read access to a tracker where the mass update feature is used might get access to restricted information. Tuleap Community Edition 15.5.99.76, Tuleap Enterprise Edition 15.5-4, and Tuleap Enterprise Edition 15.4-7 contain a patch for this issue.

CVE ID : CVE-2024-25130
Source : security-advisories@github.com
CVSS Score : 5.4

References :
https://github.com/Enalean/tuleap/commit/57978a32508f5c6d0365419b6eaeb368aee20667 | source : security-advisories@github.com
https://github.com/Enalean/tuleap/security/advisories/GHSA-mq7f-m6mj-hjj5 | source : security-advisories@github.com
https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=57978a32508f5c6d0365419b6eaeb368aee20667 | source : security-advisories@github.com
https://tuleap.net/plugins/tracker/?aid=36803 | source : security-advisories@github.com

Vulnerability : CWE-200


Vulnerability ID : CVE-2024-26128

First published on : 22-02-2024 19:15:09
Last modified on : 22-02-2024 19:15:09

Description :
baserCMS is a website development framework. Prior to version 5.0.9, there is a cross-site scripting vulnerability in the content management feature. Version 5.0.9 contains a fix for this vulnerability.

CVE ID : CVE-2024-26128
Source : security-advisories@github.com
CVSS Score : 5.4

References :
https://basercms.net/security/JVN_73283159 | source : security-advisories@github.com
https://github.com/baserproject/basercms/commit/18f426d63e752b4d22c40e9ea8d1f6e692ef601c | source : security-advisories@github.com
https://github.com/baserproject/basercms/security/advisories/GHSA-jjxq-m8h3-4vw5 | source : security-advisories@github.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2024-26152

First published on : 22-02-2024 22:15:47
Last modified on : 22-02-2024 22:15:47

Description :
### Summary

On all Label Studio versions prior to 1.11.0, data imported via the file upload feature is not properly sanitized prior to being rendered within a [`Choices`](https://labelstud.io/tags/choices) or [`Labels`](https://labelstud.io/tags/labels) tag, resulting in an XSS vulnerability.

### Details

Permission to use the "data import" function is required. This was reproduced on Label Studio 1.10.1.

### PoC

1. Create a project.
2. Upload a file containing the payload using the "Upload Files" function. The following are the contents of the file used in the PoC:

```
{
  "data": {
    "prompt": "labelstudio universe image",
    "images": [
      {
        "value": "id123#0",
        "style": "margin: 5px",
        "html": "<img width='400' src='https://labelstud.io/_astro/images-tab.64279c16_ZaBSvC.avif' onload=alert(document.cookie)>"
      }
    ]
  }
}
```

3. Select the text-to-image generation labeling template of Ranking and scoring, then save.
4. Select a task.
5. Check that the script is running.

### Impact

Malicious scripts can be injected into the code, and when combined with vulnerabilities such as CSRF, it can cause even greater damage. In particular, it can become a source of further attacks, especially when combined with social engineering.

CVE ID : CVE-2024-26152
Source : security-advisories@github.com
CVSS Score : 4.7

References :
https://github.com/HumanSignal/label-studio/commit/5df9ae3828b98652e9fa290a19f4deedf51ef6c8 | source : security-advisories@github.com
https://github.com/HumanSignal/label-studio/pull/5232 | source : security-advisories@github.com
https://github.com/HumanSignal/label-studio/releases/tag/1.11.0 | source : security-advisories@github.com
https://github.com/HumanSignal/label-studio/security/advisories/GHSA-6xv9-957j-qfhg | source : security-advisories@github.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2024-24817

First published on : 22-02-2024 18:15:48
Last modified on : 22-02-2024 19:07:27

Description :
Discourse Calendar adds the ability to create a dynamic calendar in the first post of a topic on the open-source discussion platform Discourse. Prior to version 0.4, event invitees created in topics in private categories or PMs (private messages) can be retrieved by anyone, even if they're not logged in. This problem is resolved in version 0.4 of the discourse-calendar plugin. While no known workaround is available, putting the site behind `login_required` will prevent this endpoint from being used by anonymous users, but logged-in users can still get the list of invitees in the private topics.

CVE ID : CVE-2024-24817
Source : security-advisories@github.com
CVSS Score : 4.3

References :
https://github.com/discourse/discourse-calendar/commit/84ef46a38cf02748ecacad16c5d9c6fec12dc8da | source : security-advisories@github.com
https://github.com/discourse/discourse-calendar/security/advisories/GHSA-wwq5-g5cp-c69f | source : security-advisories@github.com

Vulnerability : CWE-200


Source : vuldb.com

Vulnerability ID : CVE-2024-1750

First published on : 22-02-2024 20:15:56
Last modified on : 22-02-2024 20:15:56

Description :
A vulnerability, which was classified as critical, was found in TemmokuMVC up to 2.3. Affected is the function get_img_url/img_replace in the library lib/images_get_down.php of the component Image Download Handler. The manipulation leads to deserialization. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is said to be difficult. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-254532. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVE ID : CVE-2024-1750
Source : cna@vuldb.com
CVSS Score : 5.6

References :
https://note.zhaoj.in/share/OrBH8zLKUPOA | source : cna@vuldb.com
https://vuldb.com/?ctiid.254532 | source : cna@vuldb.com
https://vuldb.com/?id.254532 | source : cna@vuldb.com

Vulnerability : CWE-502


Vulnerability ID : CVE-2024-1748

First published on : 22-02-2024 20:15:56
Last modified on : 22-02-2024 20:15:56

Description :
A vulnerability classified as critical was found in van_der_Schaar LAB AutoPrognosis 0.1.21. This vulnerability affects the function load_model_from_file of the component Release Note Handler. The manipulation leads to deserialization. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. VDB-254530 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVE ID : CVE-2024-1748
Source : cna@vuldb.com
CVSS Score : 5.0

References :
https://github.com/bayuncao/vul-cve-13 | source : cna@vuldb.com
https://vuldb.com/?ctiid.254530 | source : cna@vuldb.com
https://vuldb.com/?id.254530 | source : cna@vuldb.com

Vulnerability : CWE-502


Source : wordfence.com

Vulnerability ID : CVE-2024-0903

First published on : 22-02-2024 06:15:57
Last modified on : 22-02-2024 19:07:27

Description :
The User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'page_submitted' 'link' value in all versions up to, and including, 1.0.13 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in the feedback submission page that will execute when a user clicks the link, while also pressing the command key.

CVE ID : CVE-2024-0903
Source : security@wordfence.com
CVSS Score : 5.4

References :
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3038797%40userfeedback-lite&new=3038797%40userfeedback-lite&sfp_email=&sfph_mail= | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/a649fbea-65cf-45c9-b853-2733f27518af?source=cve | source : security@wordfence.com


Vulnerability ID : CVE-2024-1053

First published on : 22-02-2024 06:15:57
Last modified on : 22-02-2024 19:07:27

Description :
The Event Tickets and Registration plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'email' action in all versions up to, and including, 5.8.1. This makes it possible for authenticated attackers, with contributor-level access and above, to email the attendees list to themselves.

CVE ID : CVE-2024-1053
Source : security@wordfence.com
CVSS Score : 4.3

References :
https://plugins.trac.wordpress.org/changeset/3038150/event-tickets/tags/5.8.2/src/Tickets/Commerce/Reports/Attendees.php | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/a7839847-2637-4a0d-bfc1-5f80b8433e24?source=cve | source : security@wordfence.com


(2) LOW VULNERABILITIES [0.1, 3.9]

Source : github.com

Vulnerability ID : CVE-2024-25129

First published on : 22-02-2024 19:15:08
Last modified on : 22-02-2024 19:15:08

Description :
The CodeQL CLI repo holds binaries for the CodeQL command line interface (CLI). Prior to version 2.16.3, an XML parser used by the CodeQL CLI to read various auxiliary files is vulnerable to an XML External Entity attack. If a vulnerable version of the CLI is used to process either a maliciously modified CodeQL database, or a specially prepared set of QL query sources, the CLI can be made to make an outgoing HTTP request to a URL that contains material read from a local file chosen by the attacker. This may result in a loss of privacy or exfiltration of secrets. Security researchers and QL authors who receive databases or QL source files from untrusted sources may be impacted. A single untrusted `.ql` or `.qll` file cannot be affected, but a zip archive or tarball containing QL sources may unpack auxiliary files that will trigger an attack when CodeQL sees them in the file system. Those using CodeQL for routine analysis of source trees with a preselected set of trusted queries are not affected. In particular, extracting XML files from a source tree into the CodeQL database does not make one vulnerable. The problem is fixed in release 2.16.3 of the CodeQL CLI. Other than upgrading, workarounds include not accepting CodeQL databases or queries from untrusted sources, or only processing such material on a machine without an Internet connection. Customers who use older releases of CodeQL for security scanning in an automated CI system and cannot upgrade for compliance reasons can continue using that version. That use case is safe. If such customers have a private query pack and use the `codeql pack create` command to precompile them before using them in the CI system, they should be using the production CodeQL release to run `codeql pack create`. That command is safe as long as the QL source it precompiles is trusted. All other development of the query pack should use an upgraded CLI.

CVE ID : CVE-2024-25129
Source : security-advisories@github.com
CVSS Score : 2.7

References :
https://github.com/github/codeql-cli-binaries/releases/tag/v2.16.3 | source : security-advisories@github.com
https://github.com/github/codeql-cli-binaries/security/advisories/GHSA-gf8p-v3g3-3wph | source : security-advisories@github.com
https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-611/XXELocal.ql | source : security-advisories@github.com

Vulnerability : CWE-611


Source : vuldb.com

Vulnerability ID : CVE-2024-1749

First published on : 22-02-2024 20:15:56
Last modified on : 22-02-2024 20:15:56

Description :
A vulnerability, which was classified as problematic, has been found in Bdtask Bhojon Best Restaurant Management Software 2.9. This issue affects some unknown processing of the file /dashboard/message of the component Message Page. The manipulation of the argument Title leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-254531. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVE ID : CVE-2024-1749
Source : cna@vuldb.com
CVSS Score : 2.4

References :
https://drive.google.com/file/d/1oM1h3E9G17lgkbSnhq7FQjfAtEojDNFo/view?usp=sharing | source : cna@vuldb.com
https://vuldb.com/?ctiid.254531 | source : cna@vuldb.com
https://vuldb.com/?id.254531 | source : cna@vuldb.com

Vulnerability : CWE-79


(76) NO SCORE VULNERABILITIES [0.0, 0.0]

Source : autodesk.com

Vulnerability ID : CVE-2024-0446

First published on : 22-02-2024 00:15:51
Last modified on : 22-02-2024 19:07:27

Description :
A maliciously crafted STP, CATPART or MODEL file when parsed in ASMKERN228A.dll through Autodesk AutoCAD can force an Out-of-Bound Write. A malicious actor can leverage this vulnerability to cause a crash, write sensitive data, or execute arbitrary code in the context of the current process.

CVE ID : CVE-2024-0446
Source : psirt@autodesk.com
CVSS Score : /

References :
https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0002 | source : psirt@autodesk.com

Vulnerability : CWE-787


Vulnerability ID : CVE-2024-23120

First published on : 22-02-2024 00:15:52
Last modified on : 22-02-2024 19:07:27

Description :
A maliciously crafted STP file when parsed in ASMIMPORT228A.dll through Autodesk AutoCAD can force an Out-of-Bound Write. A malicious actor can leverage this vulnerability to cause a crash, write sensitive data, or execute arbitrary code in the context of the current process.

CVE ID : CVE-2024-23120
Source : psirt@autodesk.com
CVSS Score : /

References :
https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0002 | source : psirt@autodesk.com

Vulnerability : CWE-787


Vulnerability ID : CVE-2024-23121

First published on : 22-02-2024 02:15:49
Last modified on : 22-02-2024 19:07:27

Description :
A maliciously crafted MODEL file when parsed in libodxdll.dll through Autodesk AutoCAD can force an Out-of-Bound Write. A malicious actor can leverage this vulnerability to cause a crash, write sensitive data, or execute arbitrary code in the context of the current process.

CVE ID : CVE-2024-23121
Source : psirt@autodesk.com
CVSS Score : /

References :
https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0002 | source : psirt@autodesk.com

Vulnerability : CWE-787


Vulnerability ID : CVE-2024-23122

First published on : 22-02-2024 02:15:49
Last modified on : 22-02-2024 19:07:27

Description :
A maliciously crafted 3DM file when parsed in opennurbs.dll through Autodesk AutoCAD can force an Out-of-Bound Write. A malicious actor can leverage this vulnerability to cause a crash, write sensitive data, or execute arbitrary code in the context of the current process.

CVE ID : CVE-2024-23122
Source : psirt@autodesk.com
CVSS Score : /

References :
https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0002 | source : psirt@autodesk.com

Vulnerability : CWE-787


Vulnerability ID : CVE-2024-23123

First published on : 22-02-2024 02:15:49
Last modified on : 22-02-2024 19:07:27

Description :
A maliciously crafted CATPART file when parsed in CC5Dll.dll and ASMBASE228A.dll through Autodesk AutoCAD can force an Out-of-Bound Write. A malicious actor can leverage this vulnerability to cause a crash, write sensitive data, or execute arbitrary code in the context of the current process.

CVE ID : CVE-2024-23123
Source : psirt@autodesk.com
CVSS Score : /

References :
https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0002 | source : psirt@autodesk.com

Vulnerability : CWE-787


Vulnerability ID : CVE-2024-23124

First published on : 22-02-2024 03:15:08
Last modified on : 22-02-2024 19:07:27

Description :
A maliciously crafted STP file when parsed in ASMIMPORT228A.dll through Autodesk AutoCAD can force an Out-of-Bound Write. A malicious actor can leverage this vulnerability to cause a crash, write sensitive data, or execute arbitrary code in the context of the current process.

CVE ID : CVE-2024-23124
Source : psirt@autodesk.com
CVSS Score : /

References :
https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0002 | source : psirt@autodesk.com

Vulnerability : CWE-787


Vulnerability ID : CVE-2024-23125

First published on : 22-02-2024 03:15:08
Last modified on : 22-02-2024 19:07:27

Description :
A maliciously crafted SLDPRT file when parsed in ODXSW_DLL.dll through Autodesk AutoCAD can be used to cause a Stack-based Overflow. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process.

CVE ID : CVE-2024-23125
Source : psirt@autodesk.com
CVSS Score : /

References :
https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0002 | source : psirt@autodesk.com

Vulnerability : CWE-121


Vulnerability ID : CVE-2024-23126

First published on : 22-02-2024 03:15:08
Last modified on : 22-02-2024 19:07:27

Description :
A maliciously crafted CATPART file when parsed in CC5Dll.dll through Autodesk AutoCAD can be used to cause a Stack-based Overflow. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process.

CVE ID : CVE-2024-23126
Source : psirt@autodesk.com
CVSS Score : /

References :
https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0002 | source : psirt@autodesk.com

Vulnerability : CWE-121


Vulnerability ID : CVE-2024-23127

First published on : 22-02-2024 03:15:08
Last modified on : 22-02-2024 19:07:27

Description :
A maliciously crafted MODEL, SLDPRT or SLDASM file when parsed in VCRUNTIME140.dll through Autodesk AutoCAD can be used to cause a Heap-based Overflow. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process.

CVE ID : CVE-2024-23127
Source : psirt@autodesk.com
CVSS Score : /

References :
https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0002 | source : psirt@autodesk.com

Vulnerability : CWE-122


Vulnerability ID : CVE-2024-23128

First published on : 22-02-2024 04:15:08
Last modified on : 22-02-2024 19:07:27

Description :
A maliciously crafted MODEL file in libodxdll.dll when parsed through Autodesk AutoCAD could lead to a memory corruption vulnerability by write access violation. This vulnerability in conjunction with other vulnerabilities could lead to code execution in the context of the current process.

CVE ID : CVE-2024-23128
Source : psirt@autodesk.com
CVSS Score : /

References :
https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0002 | source : psirt@autodesk.com

Vulnerability : CWE-119


Vulnerability ID : CVE-2024-23129

First published on : 22-02-2024 04:15:08
Last modified on : 22-02-2024 19:07:27

Description :
A maliciously crafted MODEL, 3DM, STP or SLDASM file in opennurbs.dll when parsed through Autodesk AutoCAD could lead to a memory corruption vulnerability by write access violation. This vulnerability in conjunction with other vulnerabilities could lead to code execution in the context of the current process.

CVE ID : CVE-2024-23129
Source : psirt@autodesk.com
CVSS Score : /

References :
https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0002 | source : psirt@autodesk.com

Vulnerability : CWE-119


Vulnerability ID : CVE-2024-23130

First published on : 22-02-2024 04:15:08
Last modified on : 22-02-2024 19:07:27

Description :
A maliciously crafted SLDASM or SLDPRT file in ODXSW_DLL.dll when parsed through Autodesk AutoCAD could lead to a memory corruption vulnerability by write access violation. This vulnerability in conjunction with other vulnerabilities could lead to code execution in the context of the current process.

CVE ID : CVE-2024-23130
Source : psirt@autodesk.com
CVSS Score : /

References :
https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0002 | source : psirt@autodesk.com

Vulnerability : CWE-119


Vulnerability ID : CVE-2024-23131

First published on : 22-02-2024 04:15:08
Last modified on : 22-02-2024 19:07:27

Description :
A maliciously crafted STP file in ASMKERN228A.dll or ASMDATAX228A.dll when parsed through Autodesk AutoCAD could lead to a memory corruption vulnerability by write access violation. This vulnerability in conjunction with other vulnerabilities could lead to code execution in the context of the current process.

CVE ID : CVE-2024-23131
Source : psirt@autodesk.com
CVSS Score : /

References :
https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0002 | source : psirt@autodesk.com

Vulnerability : CWE-119


Vulnerability ID : CVE-2024-23132

First published on : 22-02-2024 04:15:08
Last modified on : 22-02-2024 19:07:27

Description :
A maliciously crafted STP file in atf_dwg_consumer.dll when parsed through Autodesk AutoCAD could lead to a memory corruption vulnerability by write access violation. This vulnerability in conjunction with other vulnerabilities could lead to code execution in the context of the current process.

CVE ID : CVE-2024-23132
Source : psirt@autodesk.com
CVSS Score : /

References :
https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0002 | source : psirt@autodesk.com

Vulnerability : CWE-119


Vulnerability ID : CVE-2024-23133

First published on : 22-02-2024 04:15:08
Last modified on : 22-02-2024 19:07:27

Description :
A maliciously crafted STP file in ASMDATAX228A.dll when parsed through Autodesk AutoCAD could lead to a memory corruption vulnerability by write access violation. This vulnerability in conjunction with other vulnerabilities could lead to code execution in the context of the current process.

CVE ID : CVE-2024-23133
Source : psirt@autodesk.com
CVSS Score : /

References :
https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0002 | source : psirt@autodesk.com

Vulnerability : CWE-119


Vulnerability ID : CVE-2024-23134

First published on : 22-02-2024 05:15:09
Last modified on : 22-02-2024 19:07:27

Description :
A maliciously crafted IGS file when parsed in tbb.dll through Autodesk AutoCAD can be used to trigger a use-after-free vulnerability. This vulnerability, along with other vulnerabilities, could lead to code execution in the current process.

CVE ID : CVE-2024-23134
Source : psirt@autodesk.com
CVSS Score : /

References :
https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0002 | source : psirt@autodesk.com

Vulnerability : CWE-416


Vulnerability ID : CVE-2024-23135

First published on : 22-02-2024 05:15:09
Last modified on : 22-02-2024 19:07:27

Description :
A maliciously crafted SLDPRT file when parsed in ASMkern228A.dll through Autodesk AutoCAD can be used to trigger a use-after-free vulnerability. This vulnerability, along with other vulnerabilities, could lead to code execution in the current process.

CVE ID : CVE-2024-23135
Source : psirt@autodesk.com
CVSS Score : /

References :
https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0002 | source : psirt@autodesk.com

Vulnerability : CWE-416


Vulnerability ID : CVE-2024-23136

First published on : 22-02-2024 05:15:09
Last modified on : 22-02-2024 19:07:27

Description :
A maliciously crafted STP file when parsed in ASMKERN228A.dll through Autodesk AutoCAD can be used to dereference an untrusted pointer. This vulnerability, along with other vulnerabilities, could lead to code execution in the current process.

CVE ID : CVE-2024-23136
Source : psirt@autodesk.com
CVSS Score : /

References :
https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0002 | source : psirt@autodesk.com

Vulnerability : CWE-822


Vulnerability ID : CVE-2024-23137

First published on : 22-02-2024 05:15:09
Last modified on : 22-02-2024 19:07:27

Description :
A maliciously crafted STP or SLDPRT file when parsed in ODXSW_DLL.dll through Autodesk AutoCAD can lead to the use of an uninitialized variable. This vulnerability, along with other vulnerabilities, could lead to code execution in the current process.

CVE ID : CVE-2024-23137
Source : psirt@autodesk.com
CVSS Score : /

References :
https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0002 | source : psirt@autodesk.com

Vulnerability : CWE-457


Source : mitre.org

Vulnerability ID : CVE-2024-25251

First published on : 22-02-2024 01:15:08
Last modified on : 22-02-2024 19:07:27

Description :
code-projects Agro-School Management System 1.0 suffers from Incorrect Access Control.

CVE ID : CVE-2024-25251
Source : cve@mitre.org
CVSS Score : /

References :
https://code-projects.org/agro-school-management-system-in-php-with-source-code/ | source : cve@mitre.org
https://github.com/ASR511-OO7/CVE-2024-25251/blob/main/CVE-17 | source : cve@mitre.org


Vulnerability ID : CVE-2024-25423

First published on : 22-02-2024 01:15:08
Last modified on : 22-02-2024 19:07:27

Description :
An issue in MAXON CINEMA 4D R2024.2.0 allows a local attacker to execute arbitrary code via a crafted c4d_base.xdl64 file.

CVE ID : CVE-2024-25423
Source : cve@mitre.org
CVSS Score : /

References :
http://cinema.com | source : cve@mitre.org
http://maxon.com | source : cve@mitre.org
https://github.com/DriverUnload/cve-2024-25423 | source : cve@mitre.org


Vulnerability ID : CVE-2024-25801

First published on : 22-02-2024 05:15:09
Last modified on : 22-02-2024 19:07:27

Description :
SKINsoft S-Museum 7.02.3 allows XSS via the filename of an uploaded file. Unlike in CVE-2024-25802, the attack payload is in the name (not the content) of a file.

CVE ID : CVE-2024-25801
Source : cve@mitre.org
CVSS Score : /

References :
https://shrouded-trowel-50c.notion.site/S-Museum-Version-7-02-3-Stored-Cross-Site-Scripting-69ca7b8805cc448ea12cb8f7ed571fa3?pvs=4 | source : cve@mitre.org


Vulnerability ID : CVE-2024-26481

First published on : 22-02-2024 05:15:09
Last modified on : 22-02-2024 19:07:27

Description :
Kirby CMS v4.1.0 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the URL parameter.

CVE ID : CVE-2024-26481
Source : cve@mitre.org
CVSS Score : /

References :
https://shrouded-trowel-50c.notion.site/Kirby-CMS-4-1-0-Self-Cross-Site-Scripting-d877183d20af49f8a8f58554bc06d51c?pvs=4 | source : cve@mitre.org


Vulnerability ID : CVE-2024-26482

First published on : 22-02-2024 05:15:09
Last modified on : 22-02-2024 19:07:27

Description :
An HTML injection vulnerability in the Edit Content Layout module of Kirby CMS v4.1.0 allows attackers to execute arbitrary code via a crafted payload.

CVE ID : CVE-2024-26482
Source : cve@mitre.org
CVSS Score : /

References :
https://shrouded-trowel-50c.notion.site/Kirby-CMS-4-1-0-HTML-Injection-19ca19686d0a4533ab4b0c53fc977eef?pvs=4 | source : cve@mitre.org


Vulnerability ID : CVE-2024-26483

First published on : 22-02-2024 05:15:09
Last modified on : 22-02-2024 19:07:27

Description :
An arbitrary file upload vulnerability in the Profile Image module of Kirby CMS v4.1.0 allows attackers to execute arbitrary code via a crafted PDF file.

CVE ID : CVE-2024-26483
Source : cve@mitre.org
CVSS Score : /

References :
https://shrouded-trowel-50c.notion.site/Kirby-CMS-4-1-0-Unrestricted-File-Upload-dc60ce3132f04442b73f2dba2631fae0?pvs=4 | source : cve@mitre.org


Vulnerability ID : CVE-2024-26484

First published on : 22-02-2024 05:15:10
Last modified on : 22-02-2024 19:07:27

Description :
A stored cross-site scripting (XSS) vulnerability in the Edit Content Layout module of Kirby CMS v4.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Link field.

CVE ID : CVE-2024-26484
Source : cve@mitre.org
CVSS Score : /

References :
https://shrouded-trowel-50c.notion.site/Kirby-CMS-4-1-0-Stored-Cross-Site-Scripting-153b4eb557a2488188ad8167734ca226?pvs=4 | source : cve@mitre.org


Vulnerability ID : CVE-2024-26489

First published on : 22-02-2024 06:15:57
Last modified on : 22-02-2024 19:07:27

Description :
A cross-site scripting (XSS) vulnerability in the Addon JD Flusity 'Social block links' module of flusity-CMS v2.33 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Profile Name text field.

CVE ID : CVE-2024-26489
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/2111715623/cms/blob/main/3.md | source : cve@mitre.org


Vulnerability ID : CVE-2024-26490

First published on : 22-02-2024 06:15:57
Last modified on : 22-02-2024 19:07:27

Description :
A cross-site scripting (XSS) vulnerability in the Addon JD Simple module of flusity-CMS v2.33 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title text field.

CVE ID : CVE-2024-26490
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/2111715623/cms/blob/main/2.md | source : cve@mitre.org


Vulnerability ID : CVE-2024-26491

First published on : 22-02-2024 06:15:57
Last modified on : 22-02-2024 19:07:27

Description :
A cross-site scripting (XSS) vulnerability in the Addon JD Flusity 'Media Gallery with description' module of flusity-CMS v2.33 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Gallery name text field.

CVE ID : CVE-2024-26491
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/2111715623/cms/blob/main/1.md | source : cve@mitre.org


Vulnerability ID : CVE-2024-23094

First published on : 22-02-2024 14:15:46
Last modified on : 22-02-2024 19:07:27

Description :
Flusity-CMS v2.33 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /cover/addons/info_media_gallery/action/edit_addon_post.php.

CVE ID : CVE-2024-23094
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/TinkAnet/cve/blob/main/csrf3.md | source : cve@mitre.org


Vulnerability ID : CVE-2024-25873

First published on : 22-02-2024 14:15:46
Last modified on : 22-02-2024 19:07:27

Description :
Enhavo v0.13.1 was discovered to contain an HTML injection vulnerability in the Author text field under the Blockquote module. This vulnerability allows attackers to execute arbitrary code via a crafted payload.

CVE ID : CVE-2024-25873
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/dd3x3r/enhavo/blob/main/html-injection-page-content-blockquote-author-v0.13.1.md | source : cve@mitre.org
https://www.enhavo.com/ | source : cve@mitre.org


Vulnerability ID : CVE-2024-25874

First published on : 22-02-2024 14:15:46
Last modified on : 22-02-2024 19:07:27

Description :
A cross-site scripting (XSS) vulnerability in the New/Edit Article module of Enhavo CMS v0.13.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Create Tag text field.

CVE ID : CVE-2024-25874
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/dd3x3r/enhavo/blob/main/xss-create-tag-v0.13.1.md | source : cve@mitre.org
https://www.enhavo.com/ | source : cve@mitre.org


Vulnerability ID : CVE-2024-25875

First published on : 22-02-2024 14:15:46
Last modified on : 22-02-2024 19:07:27

Description :
A cross-site scripting (XSS) vulnerability in the Header module of Enhavo CMS v0.13.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Undertitle text field.

CVE ID : CVE-2024-25875
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/dd3x3r/enhavo/blob/main/xss-page-content-header-undertitel-v0.13.1.md | source : cve@mitre.org
https://www.enhavo.com/ | source : cve@mitre.org


Vulnerability ID : CVE-2024-25876

First published on : 22-02-2024 14:15:47
Last modified on : 22-02-2024 19:07:27

Description :
A cross-site scripting (XSS) vulnerability in the Header module of Enhavo CMS v0.13.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title text field.

CVE ID : CVE-2024-25876
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/dd3x3r/enhavo/blob/main/xss-page-content-header-titel-v0.13.1.md | source : cve@mitre.org
https://www.enhavo.com/ | source : cve@mitre.org


Vulnerability ID : CVE-2024-26349

First published on : 22-02-2024 14:15:47
Last modified on : 22-02-2024 19:07:27

Description :
flusity-CMS v2.33 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /core/tools/delete_translation.php.

CVE ID : CVE-2024-26349
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/Icycu123/cms/blob/main/1.md | source : cve@mitre.org


Vulnerability ID : CVE-2024-26350

First published on : 22-02-2024 14:15:47
Last modified on : 22-02-2024 19:07:27

Description :
flusity-CMS v2.33 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /core/tools/update_contact_form_settings.php.

CVE ID : CVE-2024-26350
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/Icycu123/cms/blob/main/2.md | source : cve@mitre.org


Vulnerability ID : CVE-2024-26351

First published on : 22-02-2024 14:15:47
Last modified on : 22-02-2024 19:07:27

Description :
flusity-CMS v2.33 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /core/tools/update_place.php.

CVE ID : CVE-2024-26351
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/Icycu123/cms/blob/main/4.md | source : cve@mitre.org


Vulnerability ID : CVE-2024-26352

First published on : 22-02-2024 14:15:47
Last modified on : 22-02-2024 19:07:27

Description :
flusity-CMS v2.33 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /core/tools/add_places.php.

CVE ID : CVE-2024-26352
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/Icycu123/cms/blob/main/3.md | source : cve@mitre.org


Vulnerability ID : CVE-2024-26445

First published on : 22-02-2024 14:15:47
Last modified on : 22-02-2024 19:07:27

Description :
flusity-CMS v2.33 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /core/tools/delete_place.php.

CVE ID : CVE-2024-26445
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/xiaolanjing0/cms/blob/main/1.md | source : cve@mitre.org


Vulnerability ID : CVE-2024-25850

First published on : 22-02-2024 15:15:08
Last modified on : 22-02-2024 19:07:27

Description :
Netis WF2780 v2.1.40144 was discovered to contain a command injection vulnerability via the wps_ap_ssid5g parameter.

CVE ID : CVE-2024-25850
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/no1rr/Vulnerability/blob/master/netis/igd_wps_set_wps_ap_ssid5g.md | source : cve@mitre.org
https://www.netis-systems.com/ | source : cve@mitre.org


Vulnerability ID : CVE-2024-25851

First published on : 22-02-2024 15:15:08
Last modified on : 22-02-2024 19:07:27

Description :
Netis WF2780 v2.1.40144 was discovered to contain a command injection vulnerability via the config_sequence parameter in other_para of cgitest.cgi.

CVE ID : CVE-2024-25851
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/no1rr/Vulnerability/blob/master/netis/igd_wps_set_wps_ap_ssid5g.md | source : cve@mitre.org
https://www.netis-systems.com/ | source : cve@mitre.org


Vulnerability ID : CVE-2024-25828

First published on : 22-02-2024 16:15:54
Last modified on : 22-02-2024 19:07:27

Description :
cmseasy V7.7.7.9 has an arbitrary file deletion vulnerability in lib/admin/template_admin.php.

CVE ID : CVE-2024-25828
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/sec-Kode/cve | source : cve@mitre.org


Vulnerability ID : CVE-2023-52160

First published on : 22-02-2024 17:15:08
Last modified on : 22-02-2024 19:07:27

Description :
The implementation of PEAP in wpa_supplicant through 2.10 allows authentication bypass. For a successful attack, wpa_supplicant must be configured to not verify the network's TLS certificate during Phase 1 authentication, and an eap_peap_decrypt vulnerability can then be abused to skip Phase 2 authentication. The attack vector is sending an EAP-TLV Success packet instead of starting Phase 2. This allows an adversary to impersonate Enterprise Wi-Fi networks.

CVE ID : CVE-2023-52160
Source : cve@mitre.org
CVSS Score : /

References :
https://w1.fi/cgit/hostap/commit/?id=8e6485a1bcb0baffdea9e55255a81270b768439c | source : cve@mitre.org
https://www.top10vpn.com/research/wifi-vulnerabilities/ | source : cve@mitre.org


Vulnerability ID : CVE-2023-52161

First published on : 22-02-2024 17:15:08
Last modified on : 22-02-2024 19:07:27

Description :
The Access Point functionality in eapol_auth_key_handle in eapol.c in iNet wireless daemon (IWD) before 2.14 allows attackers to gain unauthorized access to a protected Wi-Fi network. An attacker can complete the EAPOL handshake by skipping Msg2/4 and instead sending Msg4/4 with an all-zero key.

CVE ID : CVE-2023-52161
Source : cve@mitre.org
CVSS Score : /

References :
https://git.kernel.org/pub/scm/network/wireless/iwd.git/commit/?id=6415420f1c92012f64063c131480ffcef58e60ca | source : cve@mitre.org
https://iwd.wiki.kernel.org/ | source : cve@mitre.org
https://www.top10vpn.com/research/wifi-vulnerabilities/ | source : cve@mitre.org


Vulnerability ID : CVE-2024-25802

First published on : 22-02-2024 18:15:48
Last modified on : 22-02-2024 19:07:27

Description :
SKINsoft S-Museum 7.02.3 allows Unrestricted File Upload via the Add Media function. Unlike in CVE-2024-25801, the attack payload is the file content.

CVE ID : CVE-2024-25802
Source : cve@mitre.org
CVSS Score : /

References :
https://shrouded-trowel-50c.notion.site/S-Museum-Version-7-02-3-Unrestricted-File-Upload-b73d4590b024449787464ddcc175b8f7?pvs=4 | source : cve@mitre.org


Vulnerability ID : CVE-2024-22547

First published on : 22-02-2024 19:15:08
Last modified on : 22-02-2024 19:15:08

Description :
WayOS IBR-7150 <17.06.23 is vulnerable to Cross Site Scripting (XSS).

CVE ID : CVE-2024-22547
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/WarmBrew/web_vul/blob/main/wayos/wayos.md | source : cve@mitre.org


Vulnerability ID : CVE-2024-25385

First published on : 22-02-2024 19:15:09
Last modified on : 22-02-2024 19:15:09

Description :
An issue in flvmeta v.1.2.2 allows a local attacker to cause a denial of service via the flvmeta/src/flv.c:375:21 function in flv_close.

CVE ID : CVE-2024-25385
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/hanxuer/crashes/blob/main/flvmeta/01/readme.md | source : cve@mitre.org
https://github.com/noirotm/flvmeta/issues/23 | source : cve@mitre.org


Vulnerability ID : CVE-2024-25369

First published on : 22-02-2024 20:15:56
Last modified on : 22-02-2024 20:15:56

Description :
A reflected Cross-Site Scripting (XSS) vulnerability in FUEL CMS 1.5.2 allows attackers to run arbitrary code via a crafted string after the group_id parameter.

CVE ID : CVE-2024-25369
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/liyako/vulnerability/blob/main/POC/FUEL%20CMS%20Reflected%20Cross-Site%20Scripting%20%28XSS%29.md | source : cve@mitre.org


Vulnerability ID : CVE-2022-25377

First published on : 22-02-2024 22:15:47
Last modified on : 22-02-2024 22:15:47

Description :
The ACME-challenge endpoint in Appwrite 0.5.0 through 0.12.x before 0.12.2 allows remote attackers to read arbitrary local files via ../ directory traversal. In order to be vulnerable, APP_STORAGE_CERTIFICATES/.well-known/acme-challenge must exist on disk. (This pathname is automatically created if the user chooses to install Let's Encrypt certificates via Appwrite.)

CVE ID : CVE-2022-25377
Source : cve@mitre.org
CVSS Score : /

References :
https://dubell.io/unauthenticated-lfi-in-appwrite-0.5.0-0.12.1/ | source : cve@mitre.org
https://github.com/appwrite/appwrite/blob/0.12.0/app/controllers/general.php#L539 | source : cve@mitre.org
https://github.com/appwrite/appwrite/pull/2780 | source : cve@mitre.org
https://github.com/appwrite/appwrite/releases/tag/0.12.2 | source : cve@mitre.org


Vulnerability ID : CVE-2024-25746

First published on : 22-02-2024 22:15:47
Last modified on : 22-02-2024 22:15:47

Description :
Stack Based Buffer Overflow vulnerability in Tenda AC9 v.3.0 with firmware version v.15.03.06.42_multi allows a remote attacker to execute arbitrary code via the add_white_node function.

CVE ID : CVE-2024-25746
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/TimeSeg/IOT_CVE/blob/main/tenda/AC9V3/0218/add_white_node.md | source : cve@mitre.org


Source : apache.org

Vulnerability ID : CVE-2024-22393

First published on : 22-02-2024 10:15:08
Last modified on : 22-02-2024 19:07:27

Description :
Unrestricted Upload of File with Dangerous Type vulnerability in Apache Answer. This issue affects Apache Answer: through 1.2.1. Pixel Flood Attack by uploading large pixel files will cause server out of memory. A logged-in user can cause such an attack by uploading an image when posting content. Users are recommended to upgrade to version [1.2.5], which fixes the issue.

CVE ID : CVE-2024-22393
Source : security@apache.org
CVSS Score : /

References :
http://www.openwall.com/lists/oss-security/2024/02/22/1 | source : security@apache.org
https://lists.apache.org/thread/f58l6dr4r74hl6o71gn47kmn44vw12cv | source : security@apache.org

Vulnerability : CWE-434


Vulnerability ID : CVE-2024-23349

First published on : 22-02-2024 10:15:08
Last modified on : 22-02-2024 19:07:27

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Answer. This issue affects Apache Answer: through 1.2.1. XSS attack when user enters summary. A logged-in user, when modifying their own submitted question, can input malicious code in the summary to create such an attack. Users are recommended to upgrade to version [1.2.5], which fixes the issue.

CVE ID : CVE-2024-23349
Source : security@apache.org
CVSS Score : /

References :
http://www.openwall.com/lists/oss-security/2024/02/22/2 | source : security@apache.org
https://lists.apache.org/thread/y5902t09vfgy7892z3vzr1zq900sgyqg | source : security@apache.org

Vulnerability : CWE-79


Vulnerability ID : CVE-2024-26578

First published on : 22-02-2024 10:15:08
Last modified on : 22-02-2024 19:07:27

Description :
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Apache Answer. This issue affects Apache Answer: through 1.2.1. Repeated submission during registration resulted in the registration of the same user. When users register, if they rapidly submit multiple registrations using scripts, it can result in the creation of multiple user accounts simultaneously with the same name. Users are recommended to upgrade to version [1.2.5], which fixes the issue.

CVE ID : CVE-2024-26578
Source : security@apache.org
CVSS Score : /

References :
http://www.openwall.com/lists/oss-security/2024/02/22/3 | source : security@apache.org
https://lists.apache.org/thread/ko0ksnznt2484lxt0zts2ygr82ldkhcb | source : security@apache.org

Vulnerability : CWE-362


Source : cert.vde.com

Vulnerability ID : CVE-2024-26287

First published on : 22-02-2024 12:15:46
Last modified on : 22-02-2024 12:15:46

Description :
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

CVE ID : CVE-2024-26287
Source : info@cert.vde.com
CVSS Score : /

References :


Source : mozilla.org

Vulnerability ID : CVE-2024-1563

First published on : 22-02-2024 15:15:08
Last modified on : 22-02-2024 19:07:27

Description :
An attacker could have executed unauthorized scripts on top origin sites using a JavaScript URI when opening an external URL with a custom Firefox scheme and a timeout race condition. This vulnerability affects Focus for iOS < 122.

CVE ID : CVE-2024-1563
Source : security@mozilla.org
CVSS Score : /

References :
https://bugzilla.mozilla.org/show_bug.cgi?id=1863831 | source : security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2024-09/ | source : security@mozilla.org


Vulnerability ID : CVE-2024-26281

First published on : 22-02-2024 15:15:08
Last modified on : 22-02-2024 19:07:27

Description :
Upon scanning a JavaScript URI with the QR code scanner, an attacker could have executed unauthorized scripts on the current top origin sites in the URL bar. This vulnerability affects Firefox for iOS < 123.

CVE ID : CVE-2024-26281
Source : security@mozilla.org
CVSS Score : /

References :
https://bugzilla.mozilla.org/show_bug.cgi?id=1868005 | source : security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2024-08/ | source : security@mozilla.org


Vulnerability ID : CVE-2024-26282

First published on : 22-02-2024 15:15:08
Last modified on : 22-02-2024 19:07:27

Description :
Using an AMP url with a canonical element, an attacker could have executed JavaScript from an opened bookmarked page. This vulnerability affects Firefox for iOS < 123.

CVE ID : CVE-2024-26282
Source : security@mozilla.org
CVSS Score : /

References :
https://bugzilla.mozilla.org/show_bug.cgi?id=1863788 | source : security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2024-08/ | source : security@mozilla.org


Vulnerability ID : CVE-2024-26283

First published on : 22-02-2024 15:15:08
Last modified on : 22-02-2024 19:07:27

Description :
An attacker could have executed unauthorized scripts on top origin sites using a JavaScript URI when opening an external URL with a custom Firefox scheme. This vulnerability affects Firefox for iOS < 123.

CVE ID : CVE-2024-26283
Source : security@mozilla.org
CVSS Score : /

References :
https://bugzilla.mozilla.org/show_bug.cgi?id=1850158 | source : security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2024-08/ | source : security@mozilla.org


Vulnerability ID : CVE-2024-26284

First published on : 22-02-2024 15:15:08
Last modified on : 22-02-2024 19:07:27

Description :
Utilizing a 302 redirect, an attacker could have conducted a Universal Cross-Site Scripting (UXSS) on a victim website, if the victim had a link to the attacker's website. This vulnerability affects Focus for iOS < 123.

CVE ID : CVE-2024-26284
Source : security@mozilla.org
CVSS Score : /

References :
https://bugzilla.mozilla.org/show_bug.cgi?id=1860075 | source : security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2024-10/ | source : security@mozilla.org


Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Vulnerability ID : CVE-2023-52443

First published on : 22-02-2024 17:15:08
Last modified on : 22-02-2024 19:07:27

Description :
In the Linux kernel, the following vulnerability has been resolved:

apparmor: avoid crash when parsed profile name is empty

When processing a packed profile in unpack_profile() described like

 "profile :ns::samba-dcerpcd /usr/lib*/samba/{,samba/}samba-dcerpcd {...}"

a string ":samba-dcerpcd" is unpacked as a fully-qualified name and then passed to aa_splitn_fqname().

aa_splitn_fqname() treats ":samba-dcerpcd" as only containing a namespace. Thus it returns NULL for tmpname, meanwhile tmpns is non-NULL. Later aa_alloc_profile() crashes as the new profile name is NULL now.

general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 6 PID: 1657 Comm: apparmor_parser Not tainted 6.7.0-rc2-dirty #16
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014
RIP: 0010:strlen+0x1e/0xa0
Call Trace:
 <TASK>
 ? strlen+0x1e/0xa0
 aa_policy_init+0x1bb/0x230
 aa_alloc_profile+0xb1/0x480
 unpack_profile+0x3bc/0x4960
 aa_unpack+0x309/0x15e0
 aa_replace_profiles+0x213/0x33c0
 policy_update+0x261/0x370
 profile_replace+0x20e/0x2a0
 vfs_write+0x2af/0xe00
 ksys_write+0x126/0x250
 do_syscall_64+0x46/0xf0
 entry_SYSCALL_64_after_hwframe+0x6e/0x76
 </TASK>
---[ end trace 0000000000000000 ]---
RIP: 0010:strlen+0x1e/0xa0

It seems such behaviour of aa_splitn_fqname() is expected and checked in other places where it is called (e.g. aa_remove_profiles). Well, there is an explicit comment "a ns name without a following profile is allowed" inside.

AFAICS, nothing can prevent unpacked "name" to be in form like ":samba-dcerpcd" - it is passed from userspace.

Deny the whole profile set replacement in such case and inform user with EPROTO and an explaining message.

Found by Linux Verification Center (linuxtesting.org).

CVE ID : CVE-2023-52443
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/0a12db736edbb4933e4274932aeea594b5876fa4 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/1d8e62b5569cc1466ceb8a7e4872cf10160a9dcf | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/55a8210c9e7d21ff2644809699765796d4bfb200 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/5c0392fdafb0a2321311900be83ffa572bef8203 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/5ff00408e5029d3550ee77f62dc15f1e15c47f87 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/77ab09b92f16c8439a948d1af489196953dc4a0e | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/9286ee97aa4803d99185768735011d0d65827c9e | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/9d4fa5fe2b1d56662afd14915a73b4d0783ffa45 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2023-52444

First published on : 22-02-2024 17:15:08
Last modified on : 22-02-2024 19:07:27

Description :
In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid dirent corruption As Al reported in link[1]: f2fs_rename() ... if (old_dir != new_dir && !whiteout) f2fs_set_link(old_inode, old_dir_entry, old_dir_page, new_dir); else f2fs_put_page(old_dir_page, 0); You want correct inumber in the ".." link. And cross-directory rename does move the source to new parent, even if you'd been asked to leave a whiteout in the old place. [1] https://lore.kernel.org/all/20231017055040.GN800259@ZenIV/ With the below testcase, it may cause dirent corruption, because it missed calling f2fs_set_link() to update the ".." link to the new directory. - mkdir -p dir/foo - renameat2 -w dir/foo bar [ASSERT] (__chk_dots_dentries:1421) --> Bad inode number[0x4] for '..', parent parent ino is [0x3] [FSCK] other corrupted bugs [Fail]

CVE ID : CVE-2023-52444
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/02160112e6d45c2610b049df6eb693d7a2e57b46 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/2fb4867f4405aea8c0519d7d188207f232a57862 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/53edb549565f55ccd0bdf43be3d66ce4c2d48b28 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/5624a3c1b1ebc8991318e1cce2aa719542991024 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/6f866885e147d33efc497f1095f35b2ee5ec7310 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/d3c0b49aaa12a61d560528f5d605029ab57f0728 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/f0145860c20be6bae6785c7a2249577674702ac7 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/f100ba617d8be6c98a68f3744ef7617082975b77 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2023-52445

First published on : 22-02-2024 17:15:08
Last modified on : 22-02-2024 19:07:27

Description :
In the Linux kernel, the following vulnerability has been resolved: media: pvrusb2: fix use after free on context disconnection Upon module load, a kthread is created targeting the pvr2_context_thread_func function, which may call pvr2_context_destroy and thus call kfree() on the context object. However, that might happen before the usb hub_event handler is able to notify the driver. This patch adds a sanity check before the invalid read reported by syzbot, within the context disconnection call stack.

CVE ID : CVE-2023-52445
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/2cf0005d315549b8d2b940ff96a66c2a889aa795 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/30773ea47d41773f9611ffb4ebc9bda9d19a9e7e | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/3233d8bf7893550045682192cb227af7fa3defeb | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/437b5f57732bb4cc32cc9f8895d2010ee9ff521c | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/47aa8fcd5e8b5563af4042a00f25ba89bef8f33d | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/ded85b0c0edd8f45fec88783d7555a5b982449c1 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/ec3634ebe23fc3c44ebc67c6d25917300bc68c08 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/ec36c134dd020d28e312c2f1766f85525e747aab | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2023-52446

First published on : 22-02-2024 17:15:08
Last modified on : 22-02-2024 19:07:27

Description :
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix a race condition between btf_put() and map_free() When running `./test_progs -j` in my local vm with latest kernel, I once hit a kasan error like below: [ 1887.184724] BUG: KASAN: slab-use-after-free in bpf_rb_root_free+0x1f8/0x2b0 [ 1887.185599] Read of size 4 at addr ffff888106806910 by task kworker/u12:2/2830 [ 1887.186498] [ 1887.186712] CPU: 3 PID: 2830 Comm: kworker/u12:2 Tainted: G OEL 6.7.0-rc3-00699-g90679706d486-dirty #494 [ 1887.188034] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 [ 1887.189618] Workqueue: events_unbound bpf_map_free_deferred [ 1887.190341] Call Trace: [ 1887.190666] <TASK> [ 1887.190949] dump_stack_lvl+0xac/0xe0 [ 1887.191423] ? nf_tcp_handle_invalid+0x1b0/0x1b0 [ 1887.192019] ? panic+0x3c0/0x3c0 [ 1887.192449] print_report+0x14f/0x720 [ 1887.192930] ? preempt_count_sub+0x1c/0xd0 [ 1887.193459] ? __virt_addr_valid+0xac/0x120 [ 1887.194004] ? bpf_rb_root_free+0x1f8/0x2b0 [ 1887.194572] kasan_report+0xc3/0x100 [ 1887.195085] ? bpf_rb_root_free+0x1f8/0x2b0 [ 1887.195668] bpf_rb_root_free+0x1f8/0x2b0 [ 1887.196183] ? __bpf_obj_drop_impl+0xb0/0xb0 [ 1887.196736] ? preempt_count_sub+0x1c/0xd0 [ 1887.197270] ? preempt_count_sub+0x1c/0xd0 [ 1887.197802] ? _raw_spin_unlock+0x1f/0x40 [ 1887.198319] bpf_obj_free_fields+0x1d4/0x260 [ 1887.198883] array_map_free+0x1a3/0x260 [ 1887.199380] bpf_map_free_deferred+0x7b/0xe0 [ 1887.199943] process_scheduled_works+0x3a2/0x6c0 [ 1887.200549] worker_thread+0x633/0x890 [ 1887.201047] ? __kthread_parkme+0xd7/0xf0 [ 1887.201574] ? kthread+0x102/0x1d0 [ 1887.202020] kthread+0x1ab/0x1d0 [ 1887.202447] ? pr_cont_work+0x270/0x270 [ 1887.202954] ? kthread_blkcg+0x50/0x50 [ 1887.203444] ret_from_fork+0x34/0x50 [ 1887.203914] ? kthread_blkcg+0x50/0x50 [ 1887.204397] ret_from_fork_asm+0x11/0x20 [ 1887.204913] </TASK> [ 1887.205209] [ 1887.205416] Allocated by task 2197: [ 1887.205881] kasan_set_track+0x3f/0x60 [ 1887.206366] __kasan_kmalloc+0x6e/0x80 [ 1887.206856] __kmalloc+0xac/0x1a0 [ 1887.207293] btf_parse_fields+0xa15/0x1480 [ 1887.207836] btf_parse_struct_metas+0x566/0x670 [ 1887.208387] btf_new_fd+0x294/0x4d0 [ 1887.208851] __sys_bpf+0x4ba/0x600 [ 1887.209292] __x64_sys_bpf+0x41/0x50 [ 1887.209762] do_syscall_64+0x4c/0xf0 [ 1887.210222] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 1887.210868] [ 1887.211074] Freed by task 36: [ 1887.211460] kasan_set_track+0x3f/0x60 [ 1887.211951] kasan_save_free_info+0x28/0x40 [ 1887.212485] ____kasan_slab_free+0x101/0x180 [ 1887.213027] __kmem_cache_free+0xe4/0x210 [ 1887.213514] btf_free+0x5b/0x130 [ 1887.213918] rcu_core+0x638/0xcc0 [ 1887.214347] __do_softirq+0x114/0x37e The error happens at bpf_rb_root_free+0x1f8/0x2b0: 00000000000034c0 <bpf_rb_root_free>: ; { 34c0: f3 0f 1e fa endbr64 34c4: e8 00 00 00 00 callq 0x34c9 <bpf_rb_root_free+0x9> 34c9: 55 pushq %rbp 34ca: 48 89 e5 movq %rsp, %rbp ... ; if (rec && rec->refcount_off >= 0 && 36aa: 4d 85 ed testq %r13, %r13 36ad: 74 a9 je 0x3658 <bpf_rb_root_free+0x198> 36af: 49 8d 7d 10 leaq 0x10(%r13), %rdi 36b3: e8 00 00 00 00 callq 0x36b8 <bpf_rb_root_free+0x1f8> <==== kasan function 36b8: 45 8b 7d 10 movl 0x10(%r13), %r15d <==== use-after-free load 36bc: 45 85 ff testl %r15d, %r15d 36bf: 78 8c js 0x364d <bpf_rb_root_free+0x18d> So the problem ---truncated---

CVE ID : CVE-2023-52446
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/59e5791f59dd83e8aa72a4e74217eabb6e8cfd90 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/d048dced8ea5eac6723ae873a40567e6f101ea42 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/f9ff6ef1c73cd9e1a6bb1ab3e57c5d141a536306 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2023-52447

First published on : 22-02-2024 17:15:08
Last modified on : 22-02-2024 19:07:27

Description :
In the Linux kernel, the following vulnerability has been resolved: bpf: Defer the free of inner map when necessary When updating or deleting an inner map in a map array or map htab, the map may still be accessed by a non-sleepable program or a sleepable program. However, bpf_map_fd_put_ptr() decreases the ref-counter of the inner map directly through bpf_map_put(); if the ref-counter is the last one (which is true for most cases), the inner map will be freed by ops->map_free() in a kworker. But for now, most .map_free() callbacks don't use synchronize_rcu() or its variants to wait for the elapse of an RCU grace period, so after the invocation of ops->map_free completes, the bpf program which is accessing the inner map may incur a use-after-free problem. Fix the free of the inner map by invoking bpf_map_free_deferred() after both one RCU grace period and one tasks trace RCU grace period if the inner map has been removed from the outer map before. The deferment is accomplished by using call_rcu() or call_rcu_tasks_trace() when releasing the last ref-counter of the bpf map. The newly-added rcu_head field in bpf_map shares the same storage space with the work field to reduce the size of bpf_map.

CVE ID : CVE-2023-52447
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/62fca83303d608ad4fec3f7428c8685680bb01b0 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/876673364161da50eed6b472d746ef88242b2368 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/bfd9b20c4862f41d4590fde11d70a5eeae53dcc5 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/f91cd728b10c51f6d4a39957ccd56d1e802fc8ee | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2023-52448

First published on : 22-02-2024 17:15:08
Last modified on : 22-02-2024 19:07:27

Description :
In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix kernel NULL pointer dereference in gfs2_rgrp_dump Syzkaller has reported a NULL pointer dereference when accessing rgd->rd_rgl in gfs2_rgrp_dump(). This can happen when creating rgd->rd_gl fails in read_rindex_entry(). Add a NULL pointer check in gfs2_rgrp_dump() to prevent that.

CVE ID : CVE-2023-52448
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/067a7c48c2c70f05f9460d6f0e8423e234729f05 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/5c28478af371a1c3fdb570ca67f110e1ae60fc37 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/8877243beafa7c6bfc42022cbfdf9e39b25bd4fa | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/c323efd620c741168c8e0cc6fc0be04ab57e331a | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/d69d7804cf9e2ba171a27e5f98bc266f13d0414a | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/ee0586d73cbaf0e7058bc640d62a9daf2dfa9178 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/efc8ef87ab9185a23d5676f2f7d986022d91bcde | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2023-52449

First published on : 22-02-2024 17:15:08
Last modified on : 22-02-2024 19:07:27

Description :
In the Linux kernel, the following vulnerability has been resolved: mtd: Fix gluebi NULL pointer dereference caused by ftl notifier If both ftl.ko and gluebi.ko are loaded, the notifier of ftl triggers NULL pointer dereference when trying to access 'gluebi->desc' in gluebi_read(). ubi_gluebi_init ubi_register_volume_notifier ubi_enumerate_volumes ubi_notify_all gluebi_notify nb->notifier_call() gluebi_create mtd_device_register mtd_device_parse_register add_mtd_device blktrans_notify_add not->add() ftl_add_mtd tr->add_mtd() scan_header mtd_read mtd_read_oob mtd_read_oob_std gluebi_read mtd->read() gluebi->desc - NULL Detailed reproduction information available at the Link [1]. In the normal case, obtain gluebi->desc in the gluebi_get_device(), and access gluebi->desc in the gluebi_read(). However, gluebi_get_device() is not executed in advance in the ftl_add_mtd() process, which leads to NULL pointer dereference. The solution for the gluebi module is to run jffs2 on the UBI volume without considering working with ftl or mtdblock [2]. Therefore, this problem can be avoided by preventing gluebi from creating the mtdblock device after creating mtd partition of the type MTD_UBIVOLUME.

CVE ID : CVE-2023-52449
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/001a3f59d8c914ef8273461d4bf495df384cc5f8 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/1bf4fe14e97cda621522eb2f28b0a4e87c5b0745 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/5389407bba1eab1266c6d83e226fb0840cb98dd5 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/a43bdc376deab5fff1ceb93dca55bcab8dbdc1d6 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/aeba358bcc8ffddf9b4a9bd0e5ec9eb338d46022 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/b36aaa64d58aaa2f2cbc8275e89bae76a2b6c3dc | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/cfd7c9d260dc0a3baaea05a122a19ab91e193c65 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/d8ac2537763b54d278b80b2b080e1652523c7d4c | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2023-52450

First published on : 22-02-2024 17:15:08
Last modified on : 22-02-2024 19:07:27

Description :
In the Linux kernel, the following vulnerability has been resolved: perf/x86/intel/uncore: Fix NULL pointer dereference issue in upi_fill_topology() Get the logical socket id instead of the physical id in discover_upi_topology() to avoid out-of-bound access on the 'upi = &type->topology[nid][idx];' line that leads to a NULL pointer dereference in upi_fill_topology().

CVE ID : CVE-2023-52450
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/1692cf434ba13ee212495b5af795b6a07e986ce4 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/3d6f4a78b104c65e4256c3776c9949f49a1b459e | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/bf1bf09e6b599758851457f3999779622a48d015 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2023-52451

First published on : 22-02-2024 17:15:08
Last modified on : 22-02-2024 19:07:27

Description :
In the Linux kernel, the following vulnerability has been resolved: powerpc/pseries/memhp: Fix access beyond end of drmem array dlpar_memory_remove_by_index() may access beyond the bounds of the drmem lmb array when the LMB lookup fails to match an entry with the given DRC index. When the search fails, the cursor is left pointing to &drmem_info->lmbs[drmem_info->n_lmbs], which is one element past the last valid entry in the array. The debug message at the end of the function then dereferences this pointer: pr_debug("Failed to hot-remove memory at %llx\n", lmb->base_addr); This was found by inspection and confirmed with KASAN: pseries-hotplug-mem: Attempting to hot-remove LMB, drc index 1234 ================================================================== BUG: KASAN: slab-out-of-bounds in dlpar_memory+0x298/0x1658 Read of size 8 at addr c000000364e97fd0 by task bash/949 dump_stack_lvl+0xa4/0xfc (unreliable) print_report+0x214/0x63c kasan_report+0x140/0x2e0 __asan_load8+0xa8/0xe0 dlpar_memory+0x298/0x1658 handle_dlpar_errorlog+0x130/0x1d0 dlpar_store+0x18c/0x3e0 kobj_attr_store+0x68/0xa0 sysfs_kf_write+0xc4/0x110 kernfs_fop_write_iter+0x26c/0x390 vfs_write+0x2d4/0x4e0 ksys_write+0xac/0x1a0 system_call_exception+0x268/0x530 system_call_vectored_common+0x15c/0x2ec Allocated by task 1: kasan_save_stack+0x48/0x80 kasan_set_track+0x34/0x50 kasan_save_alloc_info+0x34/0x50 __kasan_kmalloc+0xd0/0x120 __kmalloc+0x8c/0x320 kmalloc_array.constprop.0+0x48/0x5c drmem_init+0x2a0/0x41c do_one_initcall+0xe0/0x5c0 kernel_init_freeable+0x4ec/0x5a0 kernel_init+0x30/0x1e0 ret_from_kernel_user_thread+0x14/0x1c The buggy address belongs to the object at c000000364e80000 which belongs to the cache kmalloc-128k of size 131072 The buggy address is located 0 bytes to the right of allocated 98256-byte region [c000000364e80000, c000000364e97fd0) ================================================================== pseries-hotplug-mem: Failed to hot-remove memory at 0 Log failed lookups with a separate message and dereference the cursor only when it points to a valid entry.

CVE ID : CVE-2023-52451
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/026fd977dc50ff4a5e09bfb0603557f104d3f3a0 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/708a4b59baad96c4718dc0bd3a3427d3ab22fedc | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/999a27b3ce9a69d54ccd5db000ec3a447bc43e6d | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/9b5f03500bc5b083c0df696d7dd169d7ef3dd0c7 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/b582aa1f66411d4adcc1aa55b8c575683fb4687e | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/bb79613a9a704469ddb8d6c6029d532a5cea384c | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/bd68ffce69f6cf8ddd3a3c32549d1d2275e49fc5 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/df16afba2378d985359812c865a15c05c70a967e | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2023-52452

First published on : 22-02-2024 17:15:08
Last modified on : 22-02-2024 19:07:27

Description :
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix accesses to uninit stack slots Privileged programs are supposed to be able to read uninitialized stack memory (ever since 6715df8d5) but, before this patch, these accesses were permitted inconsistently. In particular, accesses were permitted above state->allocated_stack, but not below it. In other words, if the stack was already "large enough", the access was permitted, but otherwise the access was rejected instead of being allowed to "grow the stack". This undesired rejection was happening in two places: - in check_stack_slot_within_bounds() - in check_stack_range_initialized() This patch arranges for these accesses to be permitted. A bunch of tests that were relying on the old rejection had to change; all of them were changed to also run unprivileged, in which case the old behavior persists. One test couldn't be updated - global_func16 - because it can't run unprivileged for other reasons. This patch also fixes the tracking of the stack size for variable-offset reads. This second fix is bundled in the same commit as the first one because they're inter-related. Before this patch, writes to the stack using registers containing a variable offset (as opposed to registers with fixed, known values) were not properly contributing to the function's needed stack size. As a result, it was possible for a program to verify, but then to attempt to read out-of-bounds data at runtime because a too small stack had been allocated for it. Each function tracks the size of the stack it needs in bpf_subprog_info.stack_depth, which is maintained by update_stack_depth(). For regular memory accesses, check_mem_access() was calling update_state_depth() but it was passing in only the fixed part of the offset register, ignoring the variable offset. This was incorrect; the minimum possible value of that register should be used instead. This tracking is now fixed by centralizing the tracking of stack size in grow_stack_state(), and by lifting the calls to grow_stack_state() to check_stack_access_within_bounds() as suggested by Andrii. The code is now simpler and more convincingly tracks the correct maximum stack size. check_stack_range_initialized() can now rely on enough stack having been allocated for the access; this helps with the fix for the first issue. A few tests were changed to also check the stack depth computation. The one that fails without this patch is verifier_var_off:stack_write_priv_vs_unpriv.

CVE ID : CVE-2023-52452
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/0954982db8283016bf38e9db2da5adf47a102e19 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/6b4a64bafd107e521c01eec3453ce94a3fb38529 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/fbcf372c8eda2290470268e0afb5ab5d5f5d5fde | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2024-26586

First published on : 22-02-2024 17:15:08
Last modified on : 22-02-2024 19:07:27

Description :
In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_acl_tcam: Fix stack corruption When tc filters are first added to a net device, the corresponding local port gets bound to an ACL group in the device. The group contains a list of ACLs. In turn, each ACL points to a different TCAM region where the filters are stored. During forwarding, the ACLs are sequentially evaluated until a match is found. One reason to place filters in different regions is when they are added with decreasing priorities and in an alternating order so that two consecutive filters can never fit in the same region because of their key usage. In Spectrum-2 and newer ASICs the firmware started to report that the maximum number of ACLs in a group is more than 16, but the layout of the register that configures ACL groups (PAGT) was not updated to account for that. It is therefore possible to hit stack corruption [1] in the rare case where more than 16 ACLs in a group are required. Fix by limiting the maximum ACL group size to the minimum between what the firmware reports and the maximum ACLs that fit in the PAGT register. Add a test case to make sure the machine does not crash when this condition is hit. [1] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: mlxsw_sp_acl_tcam_group_update+0x116/0x120 [...] dump_stack_lvl+0x36/0x50 panic+0x305/0x330 __stack_chk_fail+0x15/0x20 mlxsw_sp_acl_tcam_group_update+0x116/0x120 mlxsw_sp_acl_tcam_group_region_attach+0x69/0x110 mlxsw_sp_acl_tcam_vchunk_get+0x492/0xa20 mlxsw_sp_acl_tcam_ventry_add+0x25/0xe0 mlxsw_sp_acl_rule_add+0x47/0x240 mlxsw_sp_flower_replace+0x1a9/0x1d0 tc_setup_cb_add+0xdc/0x1c0 fl_hw_replace_filter+0x146/0x1f0 fl_change+0xc17/0x1360 tc_new_tfilter+0x472/0xb90 rtnetlink_rcv_msg+0x313/0x3b0 netlink_rcv_skb+0x58/0x100 netlink_unicast+0x244/0x390 netlink_sendmsg+0x1e4/0x440 ____sys_sendmsg+0x164/0x260 ___sys_sendmsg+0x9a/0xe0 __sys_sendmsg+0x7a/0xc0 do_syscall_64+0x40/0xe0 entry_SYSCALL_64_after_hwframe+0x63/0x6b

CVE ID : CVE-2024-26586
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/2f5e1565740490706332c06f36211d4ce0f88e62 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/348112522a35527c5bcba933b9fefb40a4f44f15 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/483ae90d8f976f8339cf81066312e1329f2d3706 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/56750ea5d15426b5f307554e7699e8b5f76c3182 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/a361c2c1da5dbb13ca67601cf961ab3ad68af383 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2024-26587

First published on : 22-02-2024 17:15:08
Last modified on : 22-02-2024 19:07:27

Description :
In the Linux kernel, the following vulnerability has been resolved: net: netdevsim: don't try to destroy PHC on VFs PHC gets initialized in nsim_init_netdevsim(), which is only called if (nsim_dev_port_is_pf()). Create a counterpart of nsim_init_netdevsim() and move the mock_phc_destroy() there. This fixes a crash trying to destroy netdevsim with VFs instantiated, as caught by running the devlink.sh test: BUG: kernel NULL pointer dereference, address: 00000000000000b8 RIP: 0010:mock_phc_destroy+0xd/0x30 Call Trace: <TASK> nsim_destroy+0x4a/0x70 [netdevsim] __nsim_dev_port_del+0x47/0x70 [netdevsim] nsim_dev_reload_destroy+0x105/0x120 [netdevsim] nsim_drv_remove+0x2f/0xb0 [netdevsim] device_release_driver_internal+0x1a1/0x210 bus_remove_device+0xd5/0x120 device_del+0x159/0x490 device_unregister+0x12/0x30 del_device_store+0x11a/0x1a0 [netdevsim] kernfs_fop_write_iter+0x130/0x1d0 vfs_write+0x30b/0x4b0 ksys_write+0x69/0xf0 do_syscall_64+0xcc/0x1e0 entry_SYSCALL_64_after_hwframe+0x6f/0x77

CVE ID : CVE-2024-26587
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/08aca65997fb6f233066883b1f1e653bcb1f26ca | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/c5068e442eed063d2f1658e6b6d3c1c6fcf1e588 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/ea937f77208323d35ffe2f8d8fc81b00118bfcda | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2024-26588

First published on : 22-02-2024 17:15:08
Last modified on : 22-02-2024 19:07:27

Description :
In the Linux kernel, the following vulnerability has been resolved: LoongArch: BPF: Prevent out-of-bounds memory access The test_tag test triggers an unhandled page fault: # ./test_tag [ 130.640218] CPU 0 Unable to handle kernel paging request at virtual address ffff80001b898004, era == 9000000003137f7c, ra == 9000000003139e70 [ 130.640501] Oops[#3]: [ 130.640553] CPU: 0 PID: 1326 Comm: test_tag Tainted: G D O 6.7.0-rc4-loong-devel-gb62ab1a397cf #47 61985c1d94084daa2432f771daa45b56b10d8d2a [ 130.640764] Hardware name: QEMU QEMU Virtual Machine, BIOS unknown 2/2/2022 [ 130.640874] pc 9000000003137f7c ra 9000000003139e70 tp 9000000104cb4000 sp 9000000104cb7a40 [ 130.641001] a0 ffff80001b894000 a1 ffff80001b897ff8 a2 000000006ba210be a3 0000000000000000 [ 130.641128] a4 000000006ba210be a5 00000000000000f1 a6 00000000000000b3 a7 0000000000000000 [ 130.641256] t0 0000000000000000 t1 00000000000007f6 t2 0000000000000000 t3 9000000004091b70 [ 130.641387] t4 000000006ba210be t5 0000000000000004 t6 fffffffffffffff0 t7 90000000040913e0 [ 130.641512] t8 0000000000000005 u0 0000000000000dc0 s9 0000000000000009 s0 9000000104cb7ae0 [ 130.641641] s1 00000000000007f6 s2 0000000000000009 s3 0000000000000095 s4 0000000000000000 [ 130.641771] s5 ffff80001b894000 s6 ffff80001b897fb0 s7 9000000004090c50 s8 0000000000000000 [ 130.641900] ra: 9000000003139e70 build_body+0x1fcc/0x4988 [ 130.642007] ERA: 9000000003137f7c build_body+0xd8/0x4988 [ 130.642112] CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE) [ 130.642261] PRMD: 00000004 (PPLV0 +PIE -PWE) [ 130.642353] EUEN: 00000003 (+FPE +SXE -ASXE -BTE) [ 130.642458] ECFG: 00071c1c (LIE=2-4,10-12 VS=7) [ 130.642554] ESTAT: 00010000 [PIL] (IS= ECode=1 EsubCode=0) [ 130.642658] BADV: ffff80001b898004 [ 130.642719] PRID: 0014c010 (Loongson-64bit, Loongson-3A5000) [ 130.642815] Modules linked in: [last unloaded: bpf_testmod(O)] [ 130.642924] Process test_tag (pid: 1326, threadinfo=00000000f7f4015f, task=000000006499f9fd) [ 130.643062] Stack : 0000000000000000 9000000003380724 0000000000000000 0000000104cb7be8 [ 130.643213] 0000000000000000 25af8d9b6e600558 9000000106250ea0 9000000104cb7ae0 [ 130.643378] 0000000000000000 0000000000000000 9000000104cb7be8 90000000049f6000 [ 130.643538] 0000000000000090 9000000106250ea0 ffff80001b894000 ffff80001b894000 [ 130.643685] 00007ffffb917790 900000000313ca94 0000000000000000 0000000000000000 [ 130.643831] ffff80001b894000 0000000000000ff7 0000000000000000 9000000100468000 [ 130.643983] 0000000000000000 0000000000000000 0000000000000040 25af8d9b6e600558 [ 130.644131] 0000000000000bb7 ffff80001b894048 0000000000000000 0000000000000000 [ 130.644276] 9000000104cb7be8 90000000049f6000 0000000000000090 9000000104cb7bdc [ 130.644423] ffff80001b894000 0000000000000000 00007ffffb917790 90000000032acfb0 [ 130.644572] ... [ 130.644629] Call Trace: [ 130.644641] [<9000000003137f7c>] build_body+0xd8/0x4988 [ 130.644785] [<900000000313ca94>] bpf_int_jit_compile+0x228/0x4ec [ 130.644891] [<90000000032acfb0>] bpf_prog_select_runtime+0x158/0x1b0 [ 130.645003] [<90000000032b3504>] bpf_prog_load+0x760/0xb44 [ 130.645089] [<90000000032b6744>] __sys_bpf+0xbb8/0x2588 [ 130.645175] [<90000000032b8388>] sys_bpf+0x20/0x2c [ 130.645259] [<9000000003f6ab38>] do_syscall+0x7c/0x94 [ 130.645369] [<9000000003121c5c>] handle_syscall+0xbc/0x158 [ 130.645507] [ 130.645539] Code: 380839f6 380831f9 28412bae <24000ca6> 004081ad 0014cb50 004083e8 02bff34c 58008e91 [ 130.645729] [ 130.646418] ---[ end trace 0000000000000000 ]--- On my machine, which has CONFIG_PAGE_SIZE_16KB=y, the test failed at loading a BPF prog with 2039 instructions: prog = (struct bpf_prog *)ffff80001b894000 insn = (struct bpf_insn *)(prog->insnsi)fff ---truncated---

CVE ID : CVE-2024-26588
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/36a87385e31c9343af9a4756598e704741250a67 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/4631c2dd69d928bca396f9f58baeddf85e14ced5 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/7924ade13a49c0067da6ea13e398102979c0654a | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/9aeb09f4d85a87bac46c010d75a2ea299d462f28 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2024-26589

First published on : 22-02-2024 17:15:09
Last modified on : 22-02-2024 19:07:27

Description :
In the Linux kernel, the following vulnerability has been resolved: bpf: Reject variable offset alu on PTR_TO_FLOW_KEYS For PTR_TO_FLOW_KEYS, check_flow_keys_access() only uses fixed off for validation. However, variable offset ptr alu is not prohibited for this ptr kind. So the variable offset is not checked. The following prog is accepted: func#0 @0 0: R1=ctx() R10=fp0 0: (bf) r6 = r1 ; R1=ctx() R6_w=ctx() 1: (79) r7 = *(u64 *)(r6 +144) ; R6_w=ctx() R7_w=flow_keys() 2: (b7) r8 = 1024 ; R8_w=1024 3: (37) r8 /= 1 ; R8_w=scalar() 4: (57) r8 &= 1024 ; R8_w=scalar(smin=smin32=0, smax=umax=smax32=umax32=1024,var_off=(0x0; 0x400)) 5: (0f) r7 += r8 mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1 mark_precise: frame0: regs=r8 stack= before 4: (57) r8 &= 1024 mark_precise: frame0: regs=r8 stack= before 3: (37) r8 /= 1 mark_precise: frame0: regs=r8 stack= before 2: (b7) r8 = 1024 6: R7_w=flow_keys(smin=smin32=0,smax=umax=smax32=umax32=1024,var_off =(0x0; 0x400)) R8_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=1024, var_off=(0x0; 0x400)) 6: (79) r0 = *(u64 *)(r7 +0) ; R0_w=scalar() 7: (95) exit This prog loads flow_keys to r7, and adds the variable offset r8 to r7, and finally causes out-of-bounds access: BUG: unable to handle page fault for address: ffffc90014c80038 [...] Call Trace: <TASK> bpf_dispatcher_nop_func include/linux/bpf.h:1231 [inline] __bpf_prog_run include/linux/filter.h:651 [inline] bpf_prog_run include/linux/filter.h:658 [inline] bpf_prog_run_pin_on_cpu include/linux/filter.h:675 [inline] bpf_flow_dissect+0x15f/0x350 net/core/flow_dissector.c:991 bpf_prog_test_run_flow_dissector+0x39d/0x620 net/bpf/test_run.c:1359 bpf_prog_test_run kernel/bpf/syscall.c:4107 [inline] __sys_bpf+0xf8f/0x4560 kernel/bpf/syscall.c:5475 __do_sys_bpf kernel/bpf/syscall.c:5561 [inline] __se_sys_bpf kernel/bpf/syscall.c:5559 [inline] __x64_sys_bpf+0x73/0xb0 kernel/bpf/syscall.c:5559 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Fix this by rejecting ptr alu with variable offset on flow_keys. Applying the patch rejects the program with "R7 pointer arithmetic on flow_keys prohibited".

CVE ID : CVE-2024-26589
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/1b500d5d6cecf98dd6ca88bc9e7ae1783c83e6d3 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/22c7fa171a02d310e3a3f6ed46a698ca8a0060ed | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/29ffa63f21bcdcef3e36b03cccf9d0cd031f6ab0 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/4108b86e324da42f7ed425bd71632fd844300dc8 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/e8d3872b617c21100c5ee4f64e513997a68c2e3d | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2024-26590

First published on : 22-02-2024 17:15:09
Last modified on : 22-02-2024 19:07:27

Description :
In the Linux kernel, the following vulnerability has been resolved: erofs: fix inconsistent per-file compression format. EROFS can select compression algorithms on a per-file basis, and each per-file compression algorithm needs to be marked in the on-disk superblock for initialization. However, syzkaller can generate inconsistent crafted images that use an unsupported algorithmtype for specific inodes, e.g. use the MicroLZMA algorithmtype even if it's not set in `sbi->available_compr_algs`. This can lead to an unexpected "BUG: kernel NULL pointer dereference" if the corresponding decompressor isn't built in. Fix this by checking against `sbi->available_compr_algs` for each m_algorithmformat request. The incorrect !erofs_sb_has_compr_cfgs preset bitmap is now fixed together with it, since it was harmless previously.

CVE ID : CVE-2024-26590
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/118a8cf504d7dfa519562d000f423ee3ca75d2c4 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/823ba1d2106019ddf195287ba53057aee33cf724 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/eed24b816e50c6cd18cbee0ff0d7218c8fced199 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2024-26591

First published on : 22-02-2024 17:15:09
Last modified on : 22-02-2024 19:07:27

Description :
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix re-attachment branch in bpf_tracing_prog_attach

The following case can cause a crash due to missing attach_btf:

  1) load rawtp program
  2) load fentry program with rawtp as target_fd
  3) create tracing link for fentry program with target_fd = 0
  4) repeat 3

In the end we have:

  - prog->aux->dst_trampoline == NULL
  - tgt_prog == NULL (because we did not provide target_fd to link_create)
  - prog->aux->attach_btf == NULL (the program was loaded with attach_prog_fd=X)
  - the program was loaded for tgt_prog but we have no way to find out which one

  BUG: kernel NULL pointer dereference, address: 0000000000000058
  Call Trace:
   <TASK>
   ? __die+0x20/0x70
   ? page_fault_oops+0x15b/0x430
   ? fixup_exception+0x22/0x330
   ? exc_page_fault+0x6f/0x170
   ? asm_exc_page_fault+0x22/0x30
   ? bpf_tracing_prog_attach+0x279/0x560
   ? btf_obj_id+0x5/0x10
   bpf_tracing_prog_attach+0x439/0x560
   __sys_bpf+0x1cf4/0x2de0
   __x64_sys_bpf+0x1c/0x30
   do_syscall_64+0x41/0xf0
   entry_SYSCALL_64_after_hwframe+0x6e/0x76

Return -EINVAL in this situation.

CVE ID : CVE-2024-26591
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/50ae82f080cf87e84828f066c31723b781d68f5b | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/6cc9c0af0aa06f781fa515a1734b1a4239dfd2c0 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/715d82ba636cb3629a6e18a33bb9dbe53f9936ee | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/8c8bcd45e9b10eef12321f08d2e5be33d615509c | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/a7b98aa10f895e2569403896f2d19b73b6c95653 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2024-26592

First published on : 22-02-2024 17:15:09
Last modified on : 22-02-2024 19:07:27

Description :
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix UAF issue in ksmbd_tcp_new_connection() The race is between the handling of a new TCP connection and its disconnection. It leads to UAF on `struct tcp_transport` in ksmbd_tcp_new_connection() function.

CVE ID : CVE-2024-26592
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/24290ba94cd0136e417283b0dbf8fcdabcf62111 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/380965e48e9c32ee4263c023e1d830ea7e462ed1 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/38d20c62903d669693a1869aa68c4dd5674e2544 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/69d54650b751532d1e1613a4fb433e591aeef126 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


This website uses the NVD API, but is not approved or certified by it.

About the author
Julien B.

Securitricks

Up-to-Date Cybersecurity Insights & Malware Reports
