Vulnerabilities

Weak credentials in the CashDro 3 web administration panel, version 24.01.00.26, where the platform allows the use of numeric PINs for user authentication. The system supports the use of PIN-based credentials, maintaining compatibility with POS software integrations deployed since 2012. This could allow an attacker to easily perform a brute-force attack against a user and gain access by trying different PINs without the account being locked. Successful exploitation of this vulnerability could result in unauthorized access to confidential configuration settings, compromising the security of the system.

OS command injection in Dashboard Server interface in Universal Robots PolyScope versions prior to 5.25.1 allows unauthenticated attacker to craft commands that will execute code on the robot's OS.

The Sky Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `sky-custom-scripts` custom post type in all versions up to, and including, 3.3.2. This is due to the custom post type being registered with `capability_type => 'post'` and `show_in_rest => true`, combined with insufficient input sanitization on the `sky_script_content` meta field and lack of output escaping when rendering scripts on the frontend. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts via the REST API that execute on every frontend page for all site visitors.

The E2Pdf – Export Pdf Tool for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' attribute of the `e2pdf-download` shortcode in all versions up to, and including, 1.32.17. This is due to insufficient input sanitization and output escaping on the shortcode attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

A vulnerability in Remote Spark SparkView before build 1122 allows an attacker to bypasses the local connection check and achieve arbitrary code execution as root on the server side. Depending on implementation the vulnerability can be exploited by an unauthenticated attacker.

The NMR Strava activities plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `strava_nmr_connect` shortcode in all versions up to, and including, 1.0.14 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

The Auto Affiliate Links plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 6.8.8 This is due to insufficient input sanitization on the 'url' POST parameter in the aal_url_stats_save_action() function and a complete absence of output escaping in aal_display_clicks(), where the stored value is echoed directly into an anchor element's href attribute and inner text without esc_url(), esc_attr(), or esc_html(). This makes it possible for unauthenticated attackers to inject arbitrary web scripts into the admin statistics page that execute in an administrator's browser when the page is visited, leveraging a publicly exposed nonce and an unauthenticated AJAX endpoint registered via the wp_ajax_nopriv_ hook.

The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to Deserialization of Untrusted Data in versions up to, and including, 4.3.1 This is due to insufficient input validation and type checking on the wpuf_files parameter during form submission, combined with unconditional deserialization via maybe_unserialize() when displaying post content. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary PHP objects, which can be leveraged to execute arbitrary code, delete arbitrary files, or perform other malicious actions if a POP chain is present on the target system.

In uriparser before 1.0.2, the function family EqualsUri can misclassify two unequal URIs as equal.

Apache::Session versions through 1.94 for Perl re-creates deleted sessions.<br /> <br /> The session stores Apache::Session::Store::File and Apache::Session::Store::DB_File will create a session that does not exist. This can lead to sessions being revived, potentially with data that was to be deleted.

In uriparser before 1.0.2, there is pointer difference truncation to int in various places.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> xfrm: esp: avoid in-place decrypt on shared skb frags<br /> <br /> MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP<br /> marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(),<br /> so later paths that may modify packet data can first make a private<br /> copy. The IPv4/IPv6 datagram append paths did not set this flag when<br /> splicing pages into UDP skbs.<br /> <br /> That leaves an ESP-in-UDP packet made from shared pipe pages looking<br /> like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW<br /> fast path for uncloned skbs without a frag_list and decrypts in place<br /> over data that is not owned privately by the skb.<br /> <br /> Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching<br /> TCP. Also make ESP input fall back to skb_cow_data() when the flag is<br /> present, so ESP does not decrypt externally backed frags in place.<br /> Private nonlinear skb frags still use the existing fast path.<br /> <br /> This intentionally does not change ESP output. In esp_output_head(),<br /> the path that appends the ESP trailer to existing skb tailroom without<br /> calling skb_cow_data() is not reachable for nonlinear skbs:<br /> skb_tailroom() returns zero when skb-&gt;data_len is nonzero, while ESP<br /> tailen is positive. Thus ESP output will either use the separate<br /> destination-frag path or fall back to skb_cow_data().