Vulnerabilities

To inform, warn and help professionals with the latest security vulnerabilities in technology systems, we provide a database for users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2021-47893

Publication date:
23/01/2026
AgataSoft PingMaster Pro 2.1 contains a denial of service vulnerability in the Trace Route feature that allows attackers to crash the application by overflowing the host name input field. Attackers can generate a 10,000-character buffer and paste it into the host name field to trigger an application crash and potential system instability.
Severity CVSS v4.0: MEDIUM
Last modification:
23/01/2026

CVE-2021-47889

Publication date:
23/01/2026
Softros LAN Messenger 9.6.4 contains an unquoted service path vulnerability in the SoftrosSpellChecker service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files (x86)\Softros Systems\Softros Messenger\Spell Checker\' to inject malicious executables and escalate privileges.
Severity CVSS v4.0: HIGH
Last modification:
23/01/2026

CVE-2021-47890

Publication date:
23/01/2026
LogonExpert 8.1 contains an unquoted service path vulnerability in the LogonExpertSvc service running with LocalSystem privileges. Attackers can exploit the unquoted path to place malicious executables in intermediate directories, potentially gaining elevated system access during service startup.
Severity CVSS v4.0: HIGH
Last modification:
23/01/2026

CVE-2021-47891

Publication date:
23/01/2026
Unified Remote 3.9.0.2463 contains a remote code execution vulnerability that allows attackers to send crafted network packets to execute arbitrary commands. Attackers can exploit the service by connecting to port 9512 and sending specially crafted packets to open a command prompt and download and execute malicious payloads.
Severity CVSS v4.0: CRITICAL
Last modification:
23/01/2026

CVE-2021-47888

Publication date:
23/01/2026
Textpattern versions prior to 4.8.3 contain an authenticated remote code execution vulnerability that allows logged-in users to upload malicious PHP files. Attackers can upload a PHP file with a shell command execution payload and execute arbitrary commands by accessing the uploaded file through a specific URL parameter.
Severity CVSS v4.0: HIGH
Last modification:
23/01/2026

CVE-2018-25132

Publication date:
23/01/2026
MyBB Trending Widget Plugin 1.2 contains a cross-site scripting vulnerability that allows attackers to inject malicious scripts through thread titles. Attackers can modify thread titles with script payloads that will execute when other users view the trending widget.
Severity CVSS v4.0: MEDIUM
Last modification:
23/01/2026

CVE-2021-47881

Publication date:
23/01/2026
dataSIMS Avionics ARINC 664-1 version 4.5.3 contains a local buffer overflow vulnerability that allows attackers to overwrite memory by manipulating the milstd1553result.txt file. Attackers can craft a malicious file with carefully constructed payload and alignment sections to potentially execute arbitrary code on the Windows system.
Severity CVSS v4.0: MEDIUM
Last modification:
23/01/2026

CVE-2018-25116

Publication date:
23/01/2026
MyBB Thread Redirect Plugin 0.2.1 contains a cross-site scripting vulnerability in the custom text input field for thread redirects. Attackers can inject malicious SVG scripts that will execute when other users view the thread, allowing arbitrary script execution.
Severity CVSS v4.0: MEDIUM
Last modification:
23/01/2026

CVE-2026-22990

Publication date:
23/01/2026
In the Linux kernel, the following vulnerability has been resolved:

libceph: replace overzealous BUG_ON in osdmap_apply_incremental()

If the osdmap is (maliciously) corrupted such that the incremental osdmap epoch is different from what is expected, there is no need to BUG. Instead, just declare the incremental osdmap to be invalid.
Severity CVSS v4.0: Pending analysis
Last modification:
23/01/2026

CVE-2026-22991

Publication date:
23/01/2026
In the Linux kernel, the following vulnerability has been resolved:

libceph: make free_choose_arg_map() resilient to partial allocation

free_choose_arg_map() may dereference a NULL pointer if its caller fails after a partial allocation.

For example, in decode_choose_args(), if allocation of arg_map->args fails, execution jumps to the fail label and free_choose_arg_map() is called. Since arg_map->size is updated to a non-zero value before memory allocation, free_choose_arg_map() will iterate over arg_map->args and dereference a NULL pointer.

To prevent this potential NULL pointer dereference and make free_choose_arg_map() more resilient, add checks for pointers before iterating.
Severity CVSS v4.0: Pending analysis
Last modification:
23/01/2026

CVE-2026-22992

Publication date:
23/01/2026
In the Linux kernel, the following vulnerability has been resolved:

libceph: return the handler error from mon_handle_auth_done()

Currently any error from ceph_auth_handle_reply_done() is propagated via finish_auth() but isn't returned from mon_handle_auth_done(). This results in higher layers learning that (despite the monitor considering us to be successfully authenticated) something went wrong in the authentication phase and reacting accordingly, but msgr2 still trying to proceed with establishing the session in the background. In the case of secure mode this can trigger a WARN in setup_crypto() and later lead to a NULL pointer dereference inside of prepare_auth_signature().
Severity CVSS v4.0: Pending analysis
Last modification:
23/01/2026

CVE-2026-22993

Publication date:
23/01/2026
In the Linux kernel, the following vulnerability has been resolved:

idpf: Fix RSS LUT NULL ptr issue after soft reset

During soft reset, the RSS LUT is freed and not restored unless the interface is up. If an ethtool command that accesses the rss lut is attempted immediately after reset, it will result in NULL ptr dereference. Also, there is no need to reset the rss lut if the soft reset does not involve queue count change.

After soft reset, set the RSS LUT to default values based on the updated queue count only if the reset was a result of a queue count change and the LUT was not configured by the user. In all other cases, don't touch the LUT.

Steps to reproduce:

** Bring the interface down (if up)
ifconfig eth1 down

** update the queue count (eg., 27->20)
ethtool -L eth1 combined 20

** display the RSS LUT
ethtool -x eth1

[82375.558338] BUG: kernel NULL pointer dereference, address: 0000000000000000
[82375.558373] #PF: supervisor read access in kernel mode
[82375.558391] #PF: error_code(0x0000) - not-present page
[82375.558408] PGD 0 P4D 0
[82375.558421] Oops: Oops: 0000 [#1] SMP NOPTI

[82375.558516] RIP: 0010:idpf_get_rxfh+0x108/0x150 [idpf]
[82375.558786] Call Trace:
[82375.558793]
[82375.558804] rss_prepare.isra.0+0x187/0x2a0
[82375.558827] rss_prepare_data+0x3a/0x50
[82375.558845] ethnl_default_doit+0x13d/0x3e0
[82375.558863] genl_family_rcv_msg_doit+0x11f/0x180
[82375.558886] genl_rcv_msg+0x1ad/0x2b0
[82375.558902] ? __pfx_ethnl_default_doit+0x10/0x10
[82375.558920] ? __pfx_genl_rcv_msg+0x10/0x10
[82375.558937] netlink_rcv_skb+0x58/0x100
[82375.558957] genl_rcv+0x2c/0x50
[82375.558971] netlink_unicast+0x289/0x3e0
[82375.558988] netlink_sendmsg+0x215/0x440
[82375.559005] __sys_sendto+0x234/0x240
[82375.559555] __x64_sys_sendto+0x28/0x30
[82375.560068] x64_sys_call+0x1909/0x1da0
[82375.560576] do_syscall_64+0x7a/0xfa0
[82375.561076] ? clear_bhb_loop+0x60/0xb0
[82375.561567] entry_SYSCALL_64_after_hwframe+0x76/0x7e
Severity CVSS v4.0: Pending analysis
Last modification:
23/01/2026