Vulnerabilities

The specific flaw exists within the Bluetooth stack developed by Alps Alpine of the Infotainment ECU manufactured by Bosch. The issue results from the lack of proper boundary validation of user-supplied data, which can result in a stack-based buffer overflow when receiving a specific packet on the established upper layer L2CAP channel. An attacker can leverage this vulnerability to obtain remote code execution on the Infotainment ECU with root privileges.<br /> <br /> <br /> <br /> First identified on Nissan Leaf ZE1 manufactured in 2020.

The specific flaw exists within the Bluetooth stack developed by Alps Alpine of the Infotainment ECU manufactured by Bosch. The issue results from the lack of proper boundary validation of user-supplied data, which can result in a stack-based buffer overflow when receiving a specific packet on the established upper layer L2CAP channel. An attacker can leverage this vulnerability to obtain remote code execution on the Infotainment ECU with root privileges.<br /> <br /> <br /> <br /> First identified on Nissan Leaf ZE1 manufactured in 2020.

There is a misconfiguration vulnerability inside the Infotainment ECU manufactured by BOSCH. The vulnerability happens during the startup phase of a specific systemd service, and as a result, the following developer features will be activated: the disabled firewall and the launched SSH server.<br /> <br /> <br /> <br /> First identified on Nissan Leaf ZE1 manufactured in 2020.

The RF communication protocol in the Micca KE700 car alarm system does not encrypt its data frames. An attacker with a radio interception tool (e.g., SDR) can capture the random number and counters transmitted in cleartext, which is sensitive information required for authentication.

The specific flaw exists within the Bluetooth stack developed by Alps Alpine of the Infotainment ECU manufactured by Bosch. The issue results from the lack of proper boundary validation of user-supplied data, which can result in a stack-based buffer overflow when receiving a specific packet on the established upper layer L2CAP channel. An attacker can leverage this vulnerability to obtain remote code execution on the Infotainment ECU with root privileges.<br /> <br /> <br /> <br /> First identified on Nissan Leaf ZE1 manufactured in 2020.

The Infotainment ECU manufactured by Bosch uses a RH850 module for CAN communication. RH850 is connected to infotainment over the INC interface through a custom protocol. There is a vulnerability during processing requests of this protocol on the V850 side which allows an attacker with code execution on the infotainment main SoC to perform code execution on the RH850 module and subsequently send arbitrary CAN messages over the connected CAN bus.<br /> <br /> <br /> <br /> First identified on Nissan Leaf ZE1 manufactured in 2020.

The Ecwid by Lightspeed Ecommerce Shopping Cart plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 7.0.7. This is due to a missing capability check in the &amp;#39;save_custom_user_profile_fields&amp;#39; function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to supply the &amp;#39;ec_store_admin_access&amp;#39; parameter during a profile update and gain store manager access to the site.

The Element Pack Addons for Elementor plugin for WordPress is vulnerable to arbitrary file reads in all versions up to, and including, 8.3.17 via the SVG widget and a lack of sufficient file validation in the &amp;#39;render_svg&amp;#39; function. This makes it possible for authenticated attackers, with contributor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress is vulnerable to unauthorized Arbitrary Plugin Installation due to an authorization bypass via reverse DNS (PTR record) spoofing on the &amp;#39;checkWithoutToken&amp;#39; function in all versions up to, and including, 6.71. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated. Note: This is only exploitable on sites with an invalid API key.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> spi: tegra210-quad: Protect curr_xfer check in IRQ handler<br /> <br /> Now that all other accesses to curr_xfer are done under the lock,<br /> protect the curr_xfer NULL check in tegra_qspi_isr_thread() with the<br /> spinlock. Without this protection, the following race can occur:<br /> <br /> CPU0 (ISR thread) CPU1 (timeout path)<br /> ---------------- -------------------<br /> if (!tqspi-&gt;curr_xfer)<br /> // sees non-NULL<br /> spin_lock()<br /> tqspi-&gt;curr_xfer = NULL<br /> spin_unlock()<br /> handle_*_xfer()<br /> spin_lock()<br /> t = tqspi-&gt;curr_xfer // NULL!<br /> ... t-&gt;len ... // NULL dereference!<br /> <br /> With this patch, all curr_xfer accesses are now properly synchronized.<br /> <br /> Although all accesses to curr_xfer are done under the lock, in<br /> tegra_qspi_isr_thread() it checks for NULL, releases the lock and<br /> reacquires it later in handle_cpu_based_xfer()/handle_dma_based_xfer().<br /> There is a potential for an update in between, which could cause a NULL<br /> pointer dereference.<br /> <br /> To handle this, add a NULL check inside the handlers after acquiring<br /> the lock. This ensures that if the timeout path has already cleared<br /> curr_xfer, the handler will safely return without dereferencing the<br /> NULL pointer.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ice: Fix PTP NULL pointer dereference during VSI rebuild<br /> <br /> Fix race condition where PTP periodic work runs while VSI is being<br /> rebuilt, accessing NULL vsi-&gt;rx_rings.<br /> <br /> The sequence was:<br /> 1. ice_ptp_prepare_for_reset() cancels PTP work<br /> 2. ice_ptp_rebuild() immediately queues PTP work<br /> 3. VSI rebuild happens AFTER ice_ptp_rebuild()<br /> 4. PTP work runs and accesses NULL vsi-&gt;rx_rings<br /> <br /> Fix: Keep PTP work cancelled during rebuild, only queue it after<br /> VSI rebuild completes in ice_rebuild().<br /> <br /> Added ice_ptp_queue_work() helper function to encapsulate the logic<br /> for queuing PTP work, ensuring it&amp;#39;s only queued when PTP is supported<br /> and the state is ICE_PTP_READY.<br /> <br /> Error log:<br /> [ 121.392544] ice 0000:60:00.1: PTP reset successful<br /> [ 121.392692] BUG: kernel NULL pointer dereference, address: 0000000000000000<br /> [ 121.392712] #PF: supervisor read access in kernel mode<br /> [ 121.392720] #PF: error_code(0x0000) - not-present page<br /> [ 121.392727] PGD 0<br /> [ 121.392734] Oops: Oops: 0000 [#1] SMP NOPTI<br /> [ 121.392746] CPU: 8 UID: 0 PID: 1005 Comm: ice-ptp-0000:60 Tainted: G S 6.19.0-rc6+ #4 PREEMPT(voluntary)<br /> [ 121.392761] Tainted: [S]=CPU_OUT_OF_SPEC<br /> [ 121.392773] RIP: 0010:ice_ptp_update_cached_phctime+0xbf/0x150 [ice]<br /> [ 121.393042] Call Trace:<br /> [ 121.393047] <br /> [ 121.393055] ice_ptp_periodic_work+0x69/0x180 [ice]<br /> [ 121.393202] kthread_worker_fn+0xa2/0x260<br /> [ 121.393216] ? __pfx_ice_ptp_periodic_work+0x10/0x10 [ice]<br /> [ 121.393359] ? __pfx_kthread_worker_fn+0x10/0x10<br /> [ 121.393371] kthread+0x10d/0x230<br /> [ 121.393382] ? __pfx_kthread+0x10/0x10<br /> [ 121.393393] ret_from_fork+0x273/0x2b0<br /> [ 121.393407] ? __pfx_kthread+0x10/0x10<br /> [ 121.393417] ret_from_fork_asm+0x1a/0x30<br /> [ 121.393432]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/sched: cls_u32: use skb_header_pointer_careful()<br /> <br /> skb_header_pointer() does not fully validate negative @offset values.<br /> <br /> Use skb_header_pointer_careful() instead.<br /> <br /> GangMin Kim provided a report and a repro fooling u32_classify():<br /> <br /> BUG: KASAN: slab-out-of-bounds in u32_classify+0x1180/0x11b0<br /> net/sched/cls_u32.c:221