Vulnerabilities

An unauthenticated information disclosure vulnerability in Newgen OmniApp allows attackers to enumerate valid privileged usernames via a publicly accessible client-side JavaScript resource.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> gpio: mpsse: ensure worker is torn down<br /> <br /> When an IRQ worker is running, unplugging the device would cause a<br /> crash. The sealevel hardware this driver was written for was not<br /> hotpluggable, so I never realized it.<br /> <br /> This change uses a spinlock to protect a list of workers, which<br /> it tears down on disconnect.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: fix use-after-free warning in btrfs_get_or_create_delayed_node()<br /> <br /> Previously, btrfs_get_or_create_delayed_node() set the delayed_node&amp;#39;s<br /> refcount before acquiring the root-&gt;delayed_nodes lock.<br /> Commit e8513c012de7 ("btrfs: implement ref_tracker for delayed_nodes")<br /> moved refcount_set inside the critical section, which means there is<br /> no longer a memory barrier between setting the refcount and setting<br /> btrfs_inode-&gt;delayed_node.<br /> <br /> Without that barrier, the stores to node-&gt;refs and<br /> btrfs_inode-&gt;delayed_node may become visible out of order. Another<br /> thread can then read btrfs_inode-&gt;delayed_node and attempt to<br /> increment a refcount that hasn&amp;#39;t been set yet, leading to a<br /> refcounting bug and a use-after-free warning.<br /> <br /> The fix is to move refcount_set back to where it was to take<br /> advantage of the implicit memory barrier provided by lock<br /> acquisition.<br /> <br /> Because the allocations now happen outside of the lock&amp;#39;s critical<br /> section, they can use GFP_NOFS instead of GFP_ATOMIC.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: nf_tables: avoid chain re-validation if possible<br /> <br /> Hamza Mahfooz reports cpu soft lock-ups in<br /> nft_chain_validate():<br /> <br /> watchdog: BUG: soft lockup - CPU#1 stuck for 27s! [iptables-nft-re:37547]<br /> [..]<br /> RIP: 0010:nft_chain_validate+0xcb/0x110 [nf_tables]<br /> [..]<br /> nft_immediate_validate+0x36/0x50 [nf_tables]<br /> nft_chain_validate+0xc9/0x110 [nf_tables]<br /> nft_immediate_validate+0x36/0x50 [nf_tables]<br /> nft_chain_validate+0xc9/0x110 [nf_tables]<br /> nft_immediate_validate+0x36/0x50 [nf_tables]<br /> nft_chain_validate+0xc9/0x110 [nf_tables]<br /> nft_immediate_validate+0x36/0x50 [nf_tables]<br /> nft_chain_validate+0xc9/0x110 [nf_tables]<br /> nft_immediate_validate+0x36/0x50 [nf_tables]<br /> nft_chain_validate+0xc9/0x110 [nf_tables]<br /> nft_immediate_validate+0x36/0x50 [nf_tables]<br /> nft_chain_validate+0xc9/0x110 [nf_tables]<br /> nft_table_validate+0x6b/0xb0 [nf_tables]<br /> nf_tables_validate+0x8b/0xa0 [nf_tables]<br /> nf_tables_commit+0x1df/0x1eb0 [nf_tables]<br /> [..]<br /> <br /> Currently nf_tables will traverse the entire table (chain graph), starting<br /> from the entry points (base chains), exploring all possible paths<br /> (chain jumps). But there are cases where we could avoid revalidation.<br /> <br /> Consider:<br /> 1 input -&gt; j2 -&gt; j3<br /> 2 input -&gt; j2 -&gt; j3<br /> 3 input -&gt; j1 -&gt; j2 -&gt; j3<br /> <br /> Then the second rule does not need to revalidate j2, and, by extension j3,<br /> because this was already checked during validation of the first rule.<br /> We need to validate it only for rule 3.<br /> <br /> This is needed because chain loop detection also ensures we do not exceed<br /> the jump stack: Just because we know that j2 is cycle free, its last jump<br /> might now exceed the allowed stack size. We also need to update all<br /> reachable chains with the new largest observed call depth.<br /> <br /> Care has to be taken to revalidate even if the chain depth won&amp;#39;t be an<br /> issue: chain validation also ensures that expressions are not called from<br /> invalid base chains. For example, the masquerade expression can only be<br /> called from NAT postrouting base chains.<br /> <br /> Therefore we also need to keep record of the base chain context (type,<br /> hooknum) and revalidate if the chain becomes reachable from a different<br /> hook location.

A signed integer overflow in docopt.cpp v0.6.2 (LeafPattern::match in docopt_private.h) when merging occurrence counters (e.g., default LONG_MAX + first user "-v/--verbose") can cause counter wrap (negative/unbounded semantics) and lead to logic/policy bypass in applications that rely on occurrence-based limits, rate-gating, or safety toggles. In hardened builds (e.g., UBSan or -ftrapv), the overflow may also result in process abort (DoS).

Null pointer dereference in free5gc pcf 1.4.0 in file internal/sbi/processor/ampolicy.go in function HandleDeletePoliciesPolAssoId.

A TOCTOU and symlink race in svenstaro/miniserve 0.32.0 upload finalization (when uploads are enabled) can allow an attacker to overwrite arbitrary files outside the intended upload/document root in deployments where the attacker can create/replace filesystem entries in the upload destination directory (e.g., shared writable directory/volume).

An issue was discovered in Free5gc NRF 1.4.0. In the access-token generation logic of free5GC, the AccessTokenScopeCheck() function in file internal/sbi/processor/access_token.go bypasses all scope validation when the attacker uses a crafted targetNF value. This allows attackers to obtain an access token with any arbitrary scope.

Missing Authorization vulnerability in Syed Balkhi Sugar Calendar (Lite) sugar-calendar-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sugar Calendar (Lite): from n/a through

Authorization Bypass Through User-Controlled Key vulnerability in Rustaurius Ultimate Reviews ultimate-reviews allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ultimate Reviews: from n/a through

Improper Control of Filename for Include/Require Statement in PHP Program (&amp;#39;PHP Remote File Inclusion&amp;#39;) vulnerability in DevsBlink EduBlink Core edublink-core allows PHP Local File Inclusion.This issue affects EduBlink Core: from n/a through

Missing Authorization vulnerability in Trusona Trusona for WordPress trusona allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Trusona for WordPress: from n/a through