Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2025-3674

Publication date:
16/04/2025
A vulnerability was found in TOTOLINK A3700R 9.1.2u.5822_B20200513. It has been declared as critical. Affected by this vulnerability is the function setUrlFilterRules of the file /cgi-bin/cstecgi.cgi. The manipulation leads to improper access controls. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
22/04/2025

CVE-2024-10680

Publication date:
16/04/2025
The Form Maker by 10Web WordPress plugin before 1.15.32 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Severity CVSS v4.0: Pending analysis
Last modification:
23/04/2025

CVE-2025-3247

Publication date:
16/04/2025
The Contact Form 7 plugin for WordPress is vulnerable to Order Replay in all versions up to, and including, 6.0.5 via the 'wpcf7_stripe_skip_spam_check' function due to insufficient validation on a user controlled key. This makes it possible for unauthenticated attackers to reuse a single Stripe PaymentIntent for multiple transactions. Only the first transaction is processed via Stripe, but the plugin sends a successful email message for each transaction, which may trick an administrator into fulfilling each order.
Severity CVSS v4.0: Pending analysis
Last modification:
08/07/2025

CVE-2025-3668

Publication date:
16/04/2025
A vulnerability was found in TOTOLINK A3700R 9.1.2u.5822_B20200513. It has been declared as critical. This vulnerability affects the function setScheduleCfg of the file /cgi-bin/cstecgi.cgi. The manipulation leads to improper access controls. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: MEDIUM
Last modification:
12/05/2025

CVE-2025-3667

Publication date:
16/04/2025
A vulnerability was found in TOTOLINK A3700R 9.1.2u.5822_B20200513. It has been classified as critical. This affects the function setUPnPCfg of the file /cgi-bin/cstecgi.cgi. The manipulation leads to improper access controls. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: MEDIUM
Last modification:
12/05/2025

CVE-2025-22018

Publication date:
16/04/2025
In the Linux kernel, the following vulnerability has been resolved:

atm: Fix NULL pointer dereference

When MPOA_cache_impos_rcvd() receives the msg, it can trigger a Null Pointer Dereference Vulnerability if both entry and holding_time are NULL. Because there is only a check for the situation where entry is NULL and holding_time exists, it can be passed when both entry and holding_time are NULL. If these are NULL, the entry will be passed to eg_cache_put() as parameter and it is referenced by entry->use code in it.
Severity CVSS v4.0: Pending analysis
Last modification:
06/05/2025

CVE-2025-3666

Publication date:
16/04/2025
A vulnerability was found in TOTOLINK A3700R 9.1.2u.5822_B20200513 and classified as critical. Affected by this issue is the function setDdnsCfg of the file /cgi-bin/cstecgi.cgi. The manipulation leads to improper access controls. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: MEDIUM
Last modification:
12/05/2025

CVE-2025-3665

Publication date:
16/04/2025
A vulnerability has been found in TOTOLINK A3700R 9.1.2u.5822_B20200513 and classified as critical. Affected by this vulnerability is the function setSmartQosCfg of the file /cgi-bin/cstecgi.cgi. The manipulation leads to improper access controls. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: MEDIUM
Last modification:
22/04/2025

CVE-2025-3698

Publication date:
16/04/2025
Interface exposure vulnerability in the mobile application (com.transsion.carlcare) may lead to information leakage risk.
Severity CVSS v4.0: Pending analysis
Last modification:
23/04/2025

CVE-2024-13452

Publication date:
16/04/2025
The Contact Form by Supsystic plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7.29. This is due to missing or incorrect nonce validation on a saveAsCopy function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Severity CVSS v4.0: Pending analysis
Last modification:
16/04/2025

CVE-2025-2314

Publication date:
16/04/2025
The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 3.13.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The issue was partially patched in version 3.13.6 of the plugin, and fully patched in 3.13.7.
Severity CVSS v4.0: Pending analysis
Last modification:
16/04/2025

CVE-2025-3495

Publication date:
16/04/2025
Delta Electronics COMMGR v1 and v2 uses insufficiently randomized values to generate session IDs (CWE-338). An attacker could easily brute force a session ID and load and execute arbitrary code.
Severity CVSS v4.0: Pending analysis
Last modification:
16/04/2025