Vulnerabilities

A flaw has been found in code-projects Responsive Hotel Site 1.0. The affected element is an unknown function of the file /admin/usersetting.php. Executing manipulation of the argument usname can lead to sql injection. The attack can be executed remotely. The exploit has been published and may be used.

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Versions prior to 2.45.1 have an Insecure Direct Object Reference (IDOR) vulnerability in the FileBrowser application's share deletion functionality. This vulnerability allows any authenticated user with share permissions to delete other users' shared links without authorization checks. The impact is significant as malicious actors can disrupt business operations by systematically removing shared files and links. This leads to denial of service for legitimate users, potential data loss in collaborative environments, and breach of data confidentiality agreements. In organizational settings, this could affect critical file sharing for projects, presentations, or document collaboration. Version 2.45.1 contains a fix for the issue.

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Symfony's HttpFoundation component defines an object-oriented layer for the HTTP specification. Starting in version 2.0.0 and prior to version 5.4.50, 6.4.29, and 7.3.7, the `Request` class improperly interprets some `PATH_INFO` in a way that leads to representing some URLs with a path that doesn't start with a `/`. This can allow bypassing some access control rules that are built with this `/`-prefix assumption. Starting in versions 5.4.50, 6.4.29, and 7.3.7, the `Request` class now ensures that URL paths always start with a `/`.

cups-filters contains backends, filters, and other software required to get the cups printing service working on operating systems other than macos. In cups-filters prior to 1.28.18, by crafting a PDF file with a large `MediaBox` value, an attacker can cause CUPS-Filter 1.x’s `pdftoraster` tool to write beyond the bounds of an array. First, a PDF with a large `MediaBox` width value causes `header.cupsWidth` to become large. Next, the calculation of `bytesPerLine = (header.cupsBitsPerPixel * header.cupsWidth + 7) / 8` overflows, resulting in a small value. Then, `lineBuf` is allocated with the small `bytesPerLine` size. Finally, `convertLineChunked` calls `writePixel8`, which attempts to write to `lineBuf` outside of its buffer size (out of bounds write). In libcupsfilters, the maintainers found the same `bytesPerLine` multiplication without overflow check, but the provided test case does not cause an overflow there, because the values are different. Commit 50d94ca0f2fa6177613c97c59791bde568631865 contains a patch, which is incorporated into cups-filters version 1.28.18.

sudo-rs is a memory safe implementation of sudo and su written in Rust. With `Defaults targetpw` (or `Defaults rootpw`) enabled, the password of the target account (or root account) instead of the invoking user is used for authentication. sudo-rs starting in version 0.2.5 and prior to version 0.2.10 incorrectly recorded the invoking user’s UID instead of the authenticated-as user's UID in the authentication timestamp. Any later `sudo` invocation on the same terminal while the timestamp was still valid would use that timestamp, potentially bypassing new authentication even if the policy would have required it. A highly-privileged user (able to run commands as other users, or as root, through sudo) who knows one password of an account they are allowed to run commands as, would be able to run commands as any other account the policy permits them to run commands for, even if they don't know the password for those accounts. A common instance of this would be that a user can still use their own password to run commands as root (the default behaviour of `sudo`), effectively negating the intended behaviour of the `targetpw` or `rootpw` options. Version 0.2.10 contains a patch for the issue. Versions prior to 0.2.5 are not affected, since they do not offer `Defaults targetpw` or `Defaults rootpw`.

Wasmtime is a runtime for WebAssembly. Prior to version 38.0.4, 37.0.3, 36.0.3, and 24.0.5, Wasmtime's Rust embedder API contains an unsound interaction where a WebAssembly shared linear memory could be viewed as a type which provides safe access to the host (Rust) to the contents of the linear memory. This is not sound for shared linear memories, which could be modified in parallel, and this could lead to a data race in the host. Patch releases have been issued for all supported versions of Wasmtime, notably: 24.0.5, 36.0.3, 37.0.3, and 38.0.4. These releases reject creation of shared memories via `Memory::new` and shared memories are now excluded from core dumps. As a workaround, eembeddings affected by this issue should use `SharedMemory::new` instead of `Memory::new` to create shared memories. Affected embeddings should also disable core dumps if they are unable to upgrade. Note that core dumps are disabled by default but the wasm threads proposal (and shared memory) is enabled by default.

DuckDB is a SQL database management system. DuckDB implemented block-based encryption of DB on the filesystem starting with DuckDB 1.4.0. There are a few issues related to this implementation. The DuckDB can fall back to an insecure random number generator (pcg32) to generate cryptographic keys or IVs. When clearing keys from memory, the compiler may remove the memset() and leave sensitive data on the heap. By modifying the database header, an attacker could downgrade the encryption mode from GCM to CTR to bypass integrity checks. There may be a failure to check return value on call to OpenSSL `rand_bytes()`. An attacker could use public IVs to compromise the internal state of RNG and determine the randomly generated key used to encrypt temporary files, get access to cryptographic keys if they have access to process memory (e.g. through memory leak),circumvent GCM integrity checks, and/or influence the OpenSSL random number generator and DuckDB would not be able to detect a failure of the generator. Version 1.4.2 has disabled the insecure random number generator by no longer using the fallback to write to or create databases. Instead, DuckDB will now attempt to install and load the OpenSSL implementation in the `httpfs` extension. DuckDB now uses secure MbedTLS primitive to clear memory as recommended and requires explicit specification of ciphers without integrity checks like CTR on `ATTACH`. Additionally, DuckDB now checks the return code.

Tuleap is an Open Source Suite to improve management of software developments and collaboration. Tuleap Community Edition prior to version 16.13.99.1762267347 and Tuleap Enterprise Edition prior to versions 17.01-, 16.13-6, and 16.12-9 don't have cross-site request forgery protections in the file release system. An attacker could use this vulnerability to trick victims into changing the commit rules or immutable tags of a SVN repo. Tuleap Community Edition 16.13.99.1762267347, Tuleap Enterprise Edition 17.0-1, Tuleap Enterprise Edition 16.13-6, and Tuleap Enterprise Edition 16.12-9 fix the issue.

A stored cross-site scripting (XSS) vulnerability exists in pH7Software pH7-Social-Dating-CMS 17.9.1 in the application's message system. Unsanitized message content submitted by one user is persisted by the server and later rendered in another user's Inbox view without appropriate context-aware encoding. As a result, attacker-controlled content executes in the recipient's browser context when the Inbox message is viewed.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: v4l2-subdev: Fix alloc failure check in v4l2_subdev_call_state_try()<br /> <br /> v4l2_subdev_call_state_try() macro allocates a subdev state with<br /> __v4l2_subdev_state_alloc(), but does not check the returned value. If<br /> __v4l2_subdev_state_alloc fails, it returns an ERR_PTR, and that would<br /> cause v4l2_subdev_call_state_try() to crash.<br /> <br /> Add proper error handling to v4l2_subdev_call_state_try().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: iris: fix module removal if firmware download failed<br /> <br /> Fix remove if firmware failed to load:<br /> qcom-iris aa00000.video-codec: Direct firmware load for qcom/vpu/vpu33_p4.mbn failed with error -2<br /> qcom-iris aa00000.video-codec: firmware download failed<br /> qcom-iris aa00000.video-codec: core init failed<br /> <br /> then:<br /> $ echo aa00000.video-codec &gt; /sys/bus/platform/drivers/qcom-iris/unbind<br /> <br /> Triggers:<br /> genpd genpd:1:aa00000.video-codec: Runtime PM usage count underflow!<br /> ------------[ cut here ]------------<br /> video_cc_mvs0_clk already disabled<br /> WARNING: drivers/clk/clk.c:1206 at clk_core_disable+0xa4/0xac, CPU#1: sh/542<br /> <br /> pc : clk_core_disable+0xa4/0xac<br /> lr : clk_core_disable+0xa4/0xac<br /> <br /> Call trace:<br /> clk_core_disable+0xa4/0xac (P)<br /> clk_disable+0x30/0x4c<br /> iris_disable_unprepare_clock+0x20/0x48 [qcom_iris]<br /> iris_vpu_power_off_hw+0x48/0x58 [qcom_iris]<br /> iris_vpu33_power_off_hardware+0x44/0x230 [qcom_iris]<br /> iris_vpu_power_off+0x34/0x84 [qcom_iris]<br /> iris_core_deinit+0x44/0xc8 [qcom_iris]<br /> iris_remove+0x20/0x48 [qcom_iris]<br /> platform_remove+0x20/0x30<br /> device_remove+0x4c/0x80<br /> <br /> ---[ end trace 0000000000000000 ]---<br /> ------------[ cut here ]------------<br /> video_cc_mvs0_clk already unprepared<br /> WARNING: drivers/clk/clk.c:1065 at clk_core_unprepare+0xf0/0x110, CPU#2: sh/542<br /> <br /> pc : clk_core_unprepare+0xf0/0x110<br /> lr : clk_core_unprepare+0xf0/0x110<br /> <br /> Call trace:<br /> clk_core_unprepare+0xf0/0x110 (P)<br /> clk_unprepare+0x2c/0x44<br /> iris_disable_unprepare_clock+0x28/0x48 [qcom_iris]<br /> iris_vpu_power_off_hw+0x48/0x58 [qcom_iris]<br /> iris_vpu33_power_off_hardware+0x44/0x230 [qcom_iris]<br /> iris_vpu_power_off+0x34/0x84 [qcom_iris]<br /> iris_core_deinit+0x44/0xc8 [qcom_iris]<br /> iris_remove+0x20/0x48 [qcom_iris]<br /> platform_remove+0x20/0x30<br /> device_remove+0x4c/0x80<br /> <br /> ---[ end trace 0000000000000000 ]---<br /> genpd genpd:0:aa00000.video-codec: Runtime PM usage count underflow!<br /> ------------[ cut here ]------------<br /> gcc_video_axi0_clk already disabled<br /> WARNING: drivers/clk/clk.c:1206 at clk_core_disable+0xa4/0xac, CPU#4: sh/542<br /> <br /> pc : clk_core_disable+0xa4/0xac<br /> lr : clk_core_disable+0xa4/0xac<br /> <br /> Call trace:<br /> clk_core_disable+0xa4/0xac (P)<br /> clk_disable+0x30/0x4c<br /> iris_disable_unprepare_clock+0x20/0x48 [qcom_iris]<br /> iris_vpu33_power_off_controller+0x17c/0x428 [qcom_iris]<br /> iris_vpu_power_off+0x48/0x84 [qcom_iris]<br /> iris_core_deinit+0x44/0xc8 [qcom_iris]<br /> iris_remove+0x20/0x48 [qcom_iris]<br /> platform_remove+0x20/0x30<br /> device_remove+0x4c/0x80<br /> <br /> ------------[ cut here ]------------<br /> gcc_video_axi0_clk already unprepared<br /> WARNING: drivers/clk/clk.c:1065 at clk_core_unprepare+0xf0/0x110, CPU#4: sh/542<br /> <br /> pc : clk_core_unprepare+0xf0/0x110<br /> lr : clk_core_unprepare+0xf0/0x110<br /> <br /> Call trace:<br /> clk_core_unprepare+0xf0/0x110 (P)<br /> clk_unprepare+0x2c/0x44<br /> iris_disable_unprepare_clock+0x28/0x48 [qcom_iris]<br /> iris_vpu33_power_off_controller+0x17c/0x428 [qcom_iris]<br /> iris_vpu_power_off+0x48/0x84 [qcom_iris]<br /> iris_core_deinit+0x44/0xc8 [qcom_iris]<br /> iris_remove+0x20/0x48 [qcom_iris]<br /> platform_remove+0x20/0x30<br /> device_remove+0x4c/0x80<br /> <br /> ---[ end trace 0000000000000000 ]---<br /> <br /> Skip deinit if initialization never succeeded.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> page_pool: Fix PP_MAGIC_MASK to avoid crashing on some 32-bit arches<br /> <br /> Helge reported that the introduction of PP_MAGIC_MASK let to crashes on<br /> boot on his 32-bit parisc machine. The cause of this is the mask is set<br /> too wide, so the page_pool_page_is_pp() incurs false positives which<br /> crashes the machine.<br /> <br /> Just disabling the check in page_pool_is_pp() will lead to the page_pool<br /> code itself malfunctioning; so instead of doing this, this patch changes<br /> the define for PP_DMA_INDEX_BITS to avoid mistaking arbitrary kernel<br /> pointers for page_pool-tagged pages.<br /> <br /> The fix relies on the kernel pointers that alias with the pp_magic field<br /> always being above PAGE_OFFSET. With this assumption, we can use the<br /> lowest bit of the value of PAGE_OFFSET as the upper bound of the<br /> PP_DMA_INDEX_MASK, which should avoid the false positives.<br /> <br /> Because we cannot rely on PAGE_OFFSET always being a compile-time<br /> constant, nor on it always being &gt;0, we fall back to disabling the<br /> dma_index storage when there are not enough bits available. This leaves<br /> us in the situation we were in before the patch in the Fixes tag, but<br /> only on a subset of architecture configurations. This seems to be the<br /> best we can do until the transition to page types in complete for<br /> page_pool pages.<br /> <br /> v2:<br /> - Make sure there&amp;#39;s at least 8 bits available and that the PAGE_OFFSET<br /> bit calculation doesn&amp;#39;t wrap