Vulnerabilities

Improper Access Control issue in the Workflow component of Fortra's FileCatalyst allows unauthenticated users to upload arbitrary files via the order forms page.

A vulnerability was determined in Wavlink WL-NU516U1 M16U1_V240425. This impacts the function sub_4032E4 of the file /cgi-bin/wireless.cgi. This manipulation of the argument Guest_ssid causes command injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized.

A vulnerability was identified in Surbowl dormitory-management-php up to 9f1d9d1f528cabffc66fda3652c56ff327fda317. Affected is an unknown function of the file /admin/violation_add.php?id=2. Such manipulation of the argument ID leads to sql injection. The attack may be performed from a remote location. The exploit is publicly available and might be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. This vulnerability only affects products that are no longer supported by the maintainer.

Mermaid is a JavaScript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. In the default configuration of mermaid 10.9.0-rc.1 to 11.9.0, user supplied input for sequence diagram labels is passed to innerHTML during calculation of element size, causing XSS.

A vulnerability has been found in jasonclark getsemantic up to 040c96eb8cf9947488bd01b8de99b607b0519f7d. The impacted element is an unknown function of the file /index.php. The manipulation of the argument view leads to cross site scripting. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability was found in CodePhiliaX Chat2DB up to 0.3.7. This affects an unknown function of the file ai/chat2db/server/web/api/controller/data/source/DataSourceController.java of the component JDBC Connection Handler. The manipulation results in sql injection. The attack can be executed remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

Mermaid is a JavaScript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. In the default configuration of mermaid 11.9.0 and earlier, user supplied input for architecture diagram icons is passed to the d3 html() method, creating a sink for cross site scripting. This vulnerability is fixed in 11.10.0.

In the smartLibrary component of the HRForecast Suite 0.4.3, a SQL injection vulnerability was discovered in the valueKey parameter. This flaw enables any authenticated user to execute arbitrary SQL queries, via crafted payloads to valueKey to the api/smartlibrary/v2/en/dictionaries/options/lookup endpoint.

n8n is a workflow automation platform. From 1.77.0 to before 1.98.2, a stored Cross-Site Scripting (XSS) vulnerability was identified in n8n, specifically in the Form Trigger node's HTML form element. An authenticated attacker can inject malicious HTML via an with a srcdoc payload that includes arbitrary JavaScript execution. The attacker can also inject malicious Javascript by using coupled using an onerror event. While using iframe or a combination of video and source tag, this vulnerability allows for Account Takeover (ATO) by exfiltrating n8n-browserId and session cookies from authenticated users who visit a maliciously crafted form. Using these tokens and cookies, an attacker can impersonate the victim and change account details such as email addresses, enabling full control over the account—especially if 2FA is not enabled. Users should upgrade to version >= 1.98.2.

Discourse is an open-source discussion platform. Welcome banner user name string for logged in users can be vulnerable to XSS attacks, which affect the user themselves or an admin impersonating them. Admins can temporarily alter the welcome_banner.header.logged_in_members site text to remove the preferred_display_name placeholder, or not impersonate<br /> any users for the time being. This vulnerability is fixed in 3.5.0.beta8.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> eventpoll: Fix semi-unbounded recursion<br /> <br /> Ensure that epoll instances can never form a graph deeper than<br /> EP_MAX_NESTS+1 links.<br /> <br /> Currently, ep_loop_check_proc() ensures that the graph is loop-free and<br /> does some recursion depth checks, but those recursion depth checks don&amp;#39;t<br /> limit the depth of the resulting tree for two reasons:<br /> <br /> - They don&amp;#39;t look upwards in the tree.<br /> - If there are multiple downwards paths of different lengths, only one of<br /> the paths is actually considered for the depth check since commit<br /> 28d82dc1c4ed ("epoll: limit paths").<br /> <br /> Essentially, the current recursion depth check in ep_loop_check_proc() just<br /> serves to prevent it from recursing too deeply while checking for loops.<br /> <br /> A more thorough check is done in reverse_path_check() after the new graph<br /> edge has already been created; this checks, among other things, that no<br /> paths going upwards from any non-epoll file with a length of more than 5<br /> edges exist. However, this check does not apply to non-epoll files.<br /> <br /> As a result, it is possible to recurse to a depth of at least roughly 500,<br /> tested on v6.15. (I am unsure if deeper recursion is possible; and this may<br /> have changed with commit 8c44dac8add7 ("eventpoll: Fix priority inversion<br /> problem").)<br /> <br /> To fix it:<br /> <br /> 1. In ep_loop_check_proc(), note the subtree depth of each visited node,<br /> and use subtree depths for the total depth calculation even when a subtree<br /> has already been visited.<br /> 2. Add ep_get_upwards_depth_proc() for similarly determining the maximum<br /> depth of an upwards walk.<br /> 3. In ep_loop_check(), use these values to limit the total path length<br /> between epoll nodes to EP_MAX_NESTS edges.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fs/ntfs3: cancle set bad inode after removing name fails<br /> <br /> The reproducer uses a file0 on a ntfs3 file system with a corrupted i_link.<br /> When renaming, the file0&amp;#39;s inode is marked as a bad inode because the file<br /> name cannot be deleted.<br /> <br /> The underlying bug is that make_bad_inode() is called on a live inode.<br /> In some cases it&amp;#39;s "icache lookup finds a normal inode, d_splice_alias()<br /> is called to attach it to dentry, while another thread decides to call<br /> make_bad_inode() on it - that would evict it from icache, but we&amp;#39;d already<br /> found it there earlier".<br /> In some it&amp;#39;s outright "we have an inode attached to dentry - that&amp;#39;s how we<br /> got it in the first place; let&amp;#39;s call make_bad_inode() on it just for shits<br /> and giggles".