Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made a database available to interested users. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), under a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to their information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: results can be narrowed down by criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2025-63388

Publication date:
18/12/2025
A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/system-features endpoint. The endpoint implements an overly permissive CORS policy that reflects arbitrary Origin headers and sets Access-Control-Allow-Credentials: true, allowing any external domain to make authenticated cross-origin requests.
Severity CVSS v4.0: Pending analysis
Last modification:
18/12/2025

CVE-2025-63389

Publication date:
18/12/2025
A critical authentication bypass vulnerability exists in Ollama platform's API endpoints in versions prior to and including v0.12.3. The platform exposes multiple API endpoints without requiring authentication, enabling remote attackers to perform unauthorized model management operations.
Severity CVSS v4.0: Pending analysis
Last modification:
18/12/2025

CVE-2025-63390

Publication date:
18/12/2025
An authentication bypass vulnerability exists in AnythingLLM v1.8.5 via the /api/workspaces endpoint. The endpoint fails to implement proper authentication checks, allowing unauthenticated remote attackers to enumerate and retrieve detailed information about all configured workspaces. Exposed data includes: workspace identifiers (id, name, slug), AI model configurations (chatProvider, chatModel, agentProvider), system prompts (openAiPrompt), operational parameters (temperature, history length, similarity thresholds), vector search settings, chat modes, and timestamps.
Severity CVSS v4.0: Pending analysis
Last modification:
18/12/2025

CVE-2025-63391

Publication date:
18/12/2025
An authentication bypass vulnerability exists in Open-WebUI
Severity CVSS v4.0: Pending analysis
Last modification:
18/12/2025

CVE-2025-14823

Publication date:
18/12/2025
In deployments using the ScreenConnect™ Certificate Signing Extension, encrypted configuration values, including an Azure Key Vault-related key, could be returned to unauthenticated users through a client-facing endpoint under certain conditions. The values remained encrypted and securely stored at rest; however, an encrypted representation could be exposed in client responses. Updating the Certificate Signing Extension to version 1.0.12 or higher ensures configuration handling occurs exclusively on the server side, preventing encrypted values from being transmitted to or rendered by client-side components.
Severity CVSS v4.0: Pending analysis
Last modification:
18/12/2025

CVE-2025-14877

Publication date:
18/12/2025
A vulnerability was identified in Campcodes Supplier Management System 1.0. This affects an unknown function of the file /admin/add_retailer.php. The manipulation of the argument cmbAreaCode leads to SQL injection. The attack can be carried out remotely. The exploit is publicly available and might be used.
Severity CVSS v4.0: MEDIUM
Last modification:
18/12/2025

CVE-2025-14878

Publication date:
18/12/2025
A security flaw has been discovered in Tenda WH450 1.0.0.18. This impacts an unknown function of the file /goform/wirelessRestart of the component HTTP Request Handler. The manipulation of the argument GO results in a stack-based buffer overflow. The attack may be performed remotely. The exploit has been released to the public and may be used.
Severity CVSS v4.0: HIGH
Last modification:
18/12/2025

CVE-2025-7358

Publication date:
18/12/2025
Use of Hard-coded Credentials vulnerability in Utarit Informatics Services Inc. SoliClub allows Authentication Abuse. This issue affects SoliClub: before 5.3.7.
Severity CVSS v4.0: Pending analysis
Last modification:
18/12/2025

CVE-2025-9787

Publication date:
18/12/2025
Zohocorp ManageEngine Applications Manager versions 177400 and below are vulnerable to stored Cross-Site Scripting in the NOC view.
Severity CVSS v4.0: Pending analysis
Last modification:
18/12/2025

CVE-2025-68323

Publication date:
18/12/2025
In the Linux kernel, the following vulnerability has been resolved:

usb: typec: ucsi: fix use-after-free caused by uec->work

The delayed work uec->work is scheduled in gaokun_ucsi_probe() but never properly canceled in gaokun_ucsi_remove(). This creates use-after-free scenarios where the ucsi and gaokun_ucsi structure are freed after ucsi_destroy() completes execution, while the gaokun_ucsi_register_worker() might be either currently executing or still pending in the work queue. The already-freed gaokun_ucsi or ucsi structure may then be accessed.

Furthermore, the race window is 3 seconds, which is sufficiently long to make this bug easily reproducible. The following is the trace captured by KASAN:

==================================================================
BUG: KASAN: slab-use-after-free in __run_timers+0x5ec/0x630
Write of size 8 at addr ffff00000ec28cc8 by task swapper/0/0
...
Call trace:
 show_stack+0x18/0x24 (C)
 dump_stack_lvl+0x78/0x90
 print_report+0x114/0x580
 kasan_report+0xa4/0xf0
 __asan_report_store8_noabort+0x20/0x2c
 __run_timers+0x5ec/0x630
 run_timer_softirq+0xe8/0x1cc
 handle_softirqs+0x294/0x720
 __do_softirq+0x14/0x20
 ____do_softirq+0x10/0x1c
 call_on_irq_stack+0x30/0x48
 do_softirq_own_stack+0x1c/0x28
 __irq_exit_rcu+0x27c/0x364
 irq_exit_rcu+0x10/0x1c
 el1_interrupt+0x40/0x60
 el1h_64_irq_handler+0x18/0x24
 el1h_64_irq+0x6c/0x70
 arch_local_irq_enable+0x4/0x8 (P)
 do_idle+0x334/0x458
 cpu_startup_entry+0x60/0x70
 rest_init+0x158/0x174
 start_kernel+0x2f8/0x394
 __primary_switched+0x8c/0x94

Allocated by task 72 on cpu 0 at 27.510341s:
 kasan_save_stack+0x2c/0x54
 kasan_save_track+0x24/0x5c
 kasan_save_alloc_info+0x40/0x54
 __kasan_kmalloc+0xa0/0xb8
 __kmalloc_node_track_caller_noprof+0x1c0/0x588
 devm_kmalloc+0x7c/0x1c8
 gaokun_ucsi_probe+0xa0/0x840
 auxiliary_bus_probe+0x94/0xf8
 really_probe+0x17c/0x5b8
 __driver_probe_device+0x158/0x2c4
 driver_probe_device+0x10c/0x264
 __device_attach_driver+0x168/0x2d0
 bus_for_each_drv+0x100/0x188
 __device_attach+0x174/0x368
 device_initial_probe+0x14/0x20
 bus_probe_device+0x120/0x150
 device_add+0xb3c/0x10fc
 __auxiliary_device_add+0x88/0x130
 ...

Freed by task 73 on cpu 1 at 28.910627s:
 kasan_save_stack+0x2c/0x54
 kasan_save_track+0x24/0x5c
 __kasan_save_free_info+0x4c/0x74
 __kasan_slab_free+0x60/0x8c
 kfree+0xd4/0x410
 devres_release_all+0x140/0x1f0
 device_unbind_cleanup+0x20/0x190
 device_release_driver_internal+0x344/0x460
 device_release_driver+0x18/0x24
 bus_remove_device+0x198/0x274
 device_del+0x310/0xa84
 ...

The buggy address belongs to the object at ffff00000ec28c00
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 200 bytes inside of
 freed 512-byte region
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4ec28
head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x3fffe0000000040(head|node=0|zone=0|lastcpupid=0x1ffff)
page_type: f5(slab)
raw: 03fffe0000000040 ffff000008801c80 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
head: 03fffe0000000040 ffff000008801c80 dead000000000122 0000000000000000
head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
head: 03fffe0000000002 fffffdffc03b0a01 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff00000ec28b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff00000ec28c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff00000ec28c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                              ^
 ffff00000ec28d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff00000ec28d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
================================================================
---truncated---
Severity CVSS v4.0: Pending analysis
Last modification:
18/12/2025

CVE-2025-68324

Publication date:
18/12/2025
In the Linux kernel, the following vulnerability has been resolved:

scsi: imm: Fix use-after-free bug caused by unfinished delayed work

The delayed work item 'imm_tq' is initialized in imm_attach() and scheduled via imm_queuecommand() for processing SCSI commands. When the IMM parallel port SCSI host adapter is detached through imm_detach(), the imm_struct device instance is deallocated.

However, the delayed work might still be pending or executing when imm_detach() is called, leading to use-after-free bugs when the work function imm_interrupt() accesses the already freed imm_struct memory.

The race condition can occur as follows:

CPU 0 (detach thread)      | CPU 1
                           | imm_queuecommand()
                           |   imm_queuecommand_lck()
imm_detach()               |     schedule_delayed_work()
  kfree(dev) //FREE        | imm_interrupt()
                           |   dev = container_of(...) //USE
                           |   dev-> //USE

Add disable_delayed_work_sync() in imm_detach() to guarantee proper cancellation of the delayed work item before imm_struct is deallocated.
Severity CVSS v4.0: Pending analysis
Last modification:
18/12/2025

CVE-2025-68325

Publication date:
18/12/2025
In the Linux kernel, the following vulnerability has been resolved:

net/sched: sch_cake: Fix incorrect qlen reduction in cake_drop

In cake_drop(), qdisc_tree_reduce_backlog() is used to update the qlen and backlog of the qdisc hierarchy. Its caller, cake_enqueue(), assumes that the parent qdisc will enqueue the current packet. However, this assumption breaks when cake_enqueue() returns NET_XMIT_CN: the parent qdisc stops enqueuing the current packet, leaving the tree qlen/backlog accounting inconsistent. This mismatch can lead to a NULL dereference (e.g., when the parent Qdisc is qfq_qdisc).

This patch computes the qlen/backlog delta in a more robust way by observing the difference before and after the series of cake_drop() calls, and then compensates the qdisc tree accounting if cake_enqueue() returns NET_XMIT_CN.

To ensure correct compensation when ACK thinning is enabled, a new variable is introduced to keep qlen unchanged.
Severity CVSS v4.0: Pending analysis
Last modification:
18/12/2025