Vulnerabilities

React Router is a multi-strategy router for React bridging the gap from React 18 to React 19. There is a vulnerability in Remix/React Router that affects all Remix 2 and React Router 7 consumers using the Express adapter. Basically, this vulnerability allows anyone to spoof the URL used in an incoming Request by putting a URL pathname in the port section of a URL that is part of a Host or X-Forwarded-Host header sent to a Remix/React Router request handler. This issue has been patched and released in Remix 2.16.3 and React Router 7.4.1.

Infinxt iEdge 100 2.1.32 is vulnerable to Cross Site Scripting (XSS) via the "Description" field during LAN configuration.

An OS Command Injection vulnerability exists in the Infinxt iEdge 100 2.1.32 Troubleshoot module, specifically in the tracertVal parameter of the Tracert function.

A command injection vulnerability exists in the Infinxt iEdge 100 2.1.32 in the Troubleshoot module "MTR" functionality. The vulnerability is due to improper validation of user-supplied input in the mtrIp parameter. An attacker can exploit this flaw to execute arbitrary operating system commands on the underlying system with the same privileges as the web application process.

CodeZips Gym Management System v1.0 is vulnerable to SQL injection in the name parameter within /dashboard/admin/deleteroutine.php.

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority because it was erroneously associated with an open source vulnerability by another vendor.

An issue was discovered in Stormshield Network Security (SNS) 4.3.x before 4.3.35. If multicast streams are enabled on different interfaces, it may be possible to interrupt multicast traffic on some of these interfaces. That could result in a denial of the multicast routing service on the firewall.

A session management flaw in Nagios Network Analyzer 2024R1.0.3 allows an attacker to reuse session tokens even after a user logs out, leading to unauthorized access and account takeover. This occurs due to insufficient session expiration, where session tokens remain valid beyond logout, allowing an attacker to impersonate users and perform actions on their behalf.

A Broken Access Control vulnerability in Nagios Network Analyzer 2024R1.0.3 allows low-privilege users with "Read-Only" access to perform administrative actions, including stopping system services and deleting critical resources. This flaw arises due to improper authorization enforcement, enabling unauthorized modifications that compromise system integrity and availability.

A vulnerability in the HPE Aruba Networking Virtual Intranet Access (VIA) client could allow malicious users to overwrite arbitrary files as NT AUTHORITY\SYSTEM (root). A successful exploit could allow the creation of a Denial-of-Service (DoS) condition affecting the Microsoft Windows Operating System. This vulnerability does not affect Linux and Android based clients.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: switchdev: Convert blocking notification chain to a raw one<br /> <br /> A blocking notification chain uses a read-write semaphore to protect the<br /> integrity of the chain. The semaphore is acquired for writing when<br /> adding / removing notifiers to / from the chain and acquired for reading<br /> when traversing the chain and informing notifiers about an event.<br /> <br /> In case of the blocking switchdev notification chain, recursive<br /> notifications are possible which leads to the semaphore being acquired<br /> twice for reading and to lockdep warnings being generated [1].<br /> <br /> Specifically, this can happen when the bridge driver processes a<br /> SWITCHDEV_BRPORT_UNOFFLOADED event which causes it to emit notifications<br /> about deferred events when calling switchdev_deferred_process().<br /> <br /> Fix this by converting the notification chain to a raw notification<br /> chain in a similar fashion to the netdev notification chain. Protect<br /> the chain using the RTNL mutex by acquiring it when modifying the chain.<br /> Events are always informed under the RTNL mutex, but add an assertion in<br /> call_switchdev_blocking_notifiers() to make sure this is not violated in<br /> the future.<br /> <br /> Maintain the "blocking" prefix as events are always emitted from process<br /> context and listeners are allowed to block.<br /> <br /> [1]:<br /> WARNING: possible recursive locking detected<br /> 6.14.0-rc4-custom-g079270089484 #1 Not tainted<br /> --------------------------------------------<br /> ip/52731 is trying to acquire lock:<br /> ffffffff850918d8 ((switchdev_blocking_notif_chain).rwsem){++++}-{4:4}, at: blocking_notifier_call_chain+0x58/0xa0<br /> <br /> but task is already holding lock:<br /> ffffffff850918d8 ((switchdev_blocking_notif_chain).rwsem){++++}-{4:4}, at: blocking_notifier_call_chain+0x58/0xa0<br /> <br /> other info that might help us debug this:<br /> Possible unsafe locking scenario:<br /> CPU0<br /> ----<br /> lock((switchdev_blocking_notif_chain).rwsem);<br /> lock((switchdev_blocking_notif_chain).rwsem);<br /> <br /> *** DEADLOCK ***<br /> May be due to missing lock nesting notation<br /> 3 locks held by ip/52731:<br /> #0: ffffffff84f795b0 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x727/0x1dc0<br /> #1: ffffffff8731f628 (&amp;net-&gt;rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x790/0x1dc0<br /> #2: ffffffff850918d8 ((switchdev_blocking_notif_chain).rwsem){++++}-{4:4}, at: blocking_notifier_call_chain+0x58/0xa0<br /> <br /> stack backtrace:<br /> ...<br /> ? __pfx_down_read+0x10/0x10<br /> ? __pfx_mark_lock+0x10/0x10<br /> ? __pfx_switchdev_port_attr_set_deferred+0x10/0x10<br /> blocking_notifier_call_chain+0x58/0xa0<br /> switchdev_port_attr_notify.constprop.0+0xb3/0x1b0<br /> ? __pfx_switchdev_port_attr_notify.constprop.0+0x10/0x10<br /> ? mark_held_locks+0x94/0xe0<br /> ? switchdev_deferred_process+0x11a/0x340<br /> switchdev_port_attr_set_deferred+0x27/0xd0<br /> switchdev_deferred_process+0x164/0x340<br /> br_switchdev_port_unoffload+0xc8/0x100 [bridge]<br /> br_switchdev_blocking_event+0x29f/0x580 [bridge]<br /> notifier_call_chain+0xa2/0x440<br /> blocking_notifier_call_chain+0x6e/0xa0<br /> switchdev_bridge_port_unoffload+0xde/0x1a0<br /> ...

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fbdev: hyperv_fb: Fix hang in kdump kernel when on Hyper-V Gen 2 VMs<br /> <br /> Gen 2 Hyper-V VMs boot via EFI and have a standard EFI framebuffer<br /> device. When the kdump kernel runs in such a VM, loading the efifb<br /> driver may hang because of accessing the framebuffer at the wrong<br /> memory address.<br /> <br /> The scenario occurs when the hyperv_fb driver in the original kernel<br /> moves the framebuffer to a different MMIO address because of conflicts<br /> with an already-running efifb or simplefb driver. The hyperv_fb driver<br /> then informs Hyper-V of the change, which is allowed by the Hyper-V FB<br /> VMBus device protocol. However, when the kexec command loads the kdump<br /> kernel into crash memory via the kexec_file_load() system call, the<br /> system call doesn&amp;#39;t know the framebuffer has moved, and it sets up the<br /> kdump screen_info using the original framebuffer address. The transition<br /> to the kdump kernel does not go through the Hyper-V host, so Hyper-V<br /> does not reset the framebuffer address like it would do on a reboot.<br /> When efifb tries to run, it accesses a non-existent framebuffer<br /> address, which traps to the Hyper-V host. After many such accesses,<br /> the Hyper-V host thinks the guest is being malicious, and throttles<br /> the guest to the point that it runs very slowly or appears to have hung.<br /> <br /> When the kdump kernel is loaded into crash memory via the kexec_load()<br /> system call, the problem does not occur. In this case, the kexec command<br /> builds the screen_info table itself in user space from data returned<br /> by the FBIOGET_FSCREENINFO ioctl against /dev/fb0, which gives it the<br /> new framebuffer location.<br /> <br /> This problem was originally reported in 2020 [1], resulting in commit<br /> 3cb73bc3fa2a ("hyperv_fb: Update screen_info after removing old<br /> framebuffer"). This commit solved the problem by setting orig_video_isVGA<br /> to 0, so the kdump kernel was unaware of the EFI framebuffer. The efifb<br /> driver did not try to load, and no hang occurred. But in 2024, commit<br /> c25a19afb81c ("fbdev/hyperv_fb: Do not clear global screen_info")<br /> effectively reverted 3cb73bc3fa2a. Commit c25a19afb81c has no reference<br /> to 3cb73bc3fa2a, so perhaps it was done without knowing the implications<br /> that were reported with 3cb73bc3fa2a. In any case, as of commit<br /> c25a19afb81c, the original problem came back again.<br /> <br /> Interestingly, the hyperv_drm driver does not have this problem because<br /> it never moves the framebuffer. The difference is that the hyperv_drm<br /> driver removes any conflicting framebuffers *before* allocating an MMIO<br /> address, while the hyperv_fb drivers removes conflicting framebuffers<br /> *after* allocating an MMIO address. With the "after" ordering, hyperv_fb<br /> may encounter a conflict and move the framebuffer to a different MMIO<br /> address. But the conflict is essentially bogus because it is removed<br /> a few lines of code later.<br /> <br /> Rather than fix the problem with the approach from 2020 in commit<br /> 3cb73bc3fa2a, instead slightly reorder the steps in hyperv_fb so<br /> conflicting framebuffers are removed before allocating an MMIO address.<br /> Then the default framebuffer MMIO address should always be available, and<br /> there&amp;#39;s never any confusion about which framebuffer address the kdump<br /> kernel should use -- it&amp;#39;s always the original address provided by<br /> the Hyper-V host. This approach is already used by the hyperv_drm<br /> driver, and is consistent with the usage guidelines at the head of<br /> the module with the function aperture_remove_conflicting_devices().<br /> <br /> This approach also solves a related minor problem when kexec_load()<br /> is used to load the kdump kernel. With current code, unbinding and<br /> rebinding the hyperv_fb driver could result in the framebuffer moving<br /> back to the default framebuffer address, because on the rebind there<br /> are no conflicts. If such a move is done after the kdump kernel is<br /> loaded with the new framebuffer address, at kdump time it could again<br /> have the wrong address.<br /> <br /> This problem and fix are described in terms of the kdump kernel, but<br /> it can also occur<br /> ---truncated---