Vulnerabilities

An issue was discovered in Biztalk360 before 11.5. Because of mishandling of user-provided input in an upload mechanism, an authenticated attacker is able to write files outside of the destination directory and/or coerce an authentication from the service, aka Directory Traversal.

An issue was discovered in Biztalk360 through 11.5. because of mishandling of user-provided input in a path to be read by the server, a Super User attacker is able to read files on the system and/or coerce an authentication from the service, aka Directory Traversal.

A security flaw has been discovered in Casdoor 2.356.0. This affects the function dangerouslySetInnerHTML. Performing a manipulation of the argument formCss/formCssMobile/formSideHtml results in cross site scripting. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

** UNSUPPORTED WHEN ASSIGNED ** Focalboard version 8.0 fails to sanitize category IDs before incorporating them into dynamic SQL statements when reordering categories. An attacker can inject a malicious SQL payload into the category id field, which is stored in the database and later executed unsanitized when the category reorder API processes the stored value. This Second-Order SQL Injection (Time-Based Blind) allows an authenticated attacker to exfiltrate sensitive data including password hashes of other users. NOTE: Focalboard as a standalone product is not maintained and no fix will be issued.

** UNSUPPORTED WHEN ASSIGNED ** Focalboard version 8.0 fails to validate file ownership when serving uploaded files. This allows an authenticated attacker who knows a victim's fileID to read the content of the file. NOTE: Focalboard as a standalone product is not maintained and no fix will be issued.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: wlcore: Fix a locking bug<br /> <br /> Make sure that wl-&gt;mutex is locked before it is unlocked. This has been<br /> detected by the Clang thread-safety analyzer.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/xe/configfs: Free ctx_restore_mid_bb in release<br /> <br /> ctx_restore_mid_bb memory is allocated in wa_bb_store(), but<br /> xe_config_device_release() only frees ctx_restore_post_bb.<br /> <br /> Free ctx_restore_mid_bb[0].cs as well to avoid leaking the allocation<br /> when the configfs device is removed.<br /> <br /> (cherry picked from commit a235e7d0098337c3f2d1e8f3610c719a589e115f)

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> dpaa2-switch: Fix interrupt storm after receiving bad if_id in IRQ handler<br /> <br /> Commit 31a7a0bbeb00 ("dpaa2-switch: add bounds check for if_id in IRQ<br /> handler") introduces a range check for if_id to avoid an out-of-bounds<br /> access. If an out-of-bounds if_id is detected, the interrupt status is<br /> not cleared. This may result in an interrupt storm.<br /> <br /> Clear the interrupt status after detecting an out-of-bounds if_id to avoid<br /> the problem.<br /> <br /> Found by an experimental AI code review agent at Google.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: free pages on error in btrfs_uring_read_extent()<br /> <br /> In this function the &amp;#39;pages&amp;#39; object is never freed in the hopes that it is<br /> picked up by btrfs_uring_read_finished() whenever that executes in the<br /> future. But that&amp;#39;s just the happy path. Along the way previous<br /> allocations might have gone wrong, or we might not get -EIOCBQUEUED from<br /> btrfs_encoded_read_regular_fill_pages(). In all these cases, we go to a<br /> cleanup section that frees all memory allocated by this function without<br /> assuming any deferred execution, and this also needs to happen for the<br /> &amp;#39;pages&amp;#39; allocation.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> accel/amdxdna: Validate command buffer payload count<br /> <br /> The count field in the command header is used to determine the valid<br /> payload size. Verify that the valid payload does not exceed the remaining<br /> buffer space.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> KVM: arm64: Fix ID register initialization for non-protected pKVM guests<br /> <br /> In protected mode, the hypervisor maintains a separate instance of<br /> the `kvm` structure for each VM. For non-protected VMs, this structure is<br /> initialized from the host&amp;#39;s `kvm` state.<br /> <br /> Currently, `pkvm_init_features_from_host()` copies the<br /> `KVM_ARCH_FLAG_ID_REGS_INITIALIZED` flag from the host without the<br /> underlying `id_regs` data being initialized. This results in the<br /> hypervisor seeing the flag as set while the ID registers remain zeroed.<br /> <br /> Consequently, `kvm_has_feat()` checks at EL2 fail (return 0) for<br /> non-protected VMs. This breaks logic that relies on feature detection,<br /> such as `ctxt_has_tcrx()` for TCR2_EL1 support. As a result, certain<br /> system registers (e.g., TCR2_EL1, PIR_EL1, POR_EL1) are not<br /> saved/restored during the world switch, which could lead to state<br /> corruption.<br /> <br /> Fix this by explicitly copying the ID registers from the host `kvm` to<br /> the hypervisor `kvm` for non-protected VMs during initialization, since<br /> we trust the host with its non-protected guests&amp;#39; features. Also ensure<br /> `KVM_ARCH_FLAG_ID_REGS_INITIALIZED` is cleared initially in<br /> `pkvm_init_features_from_host` so that `vm_copy_id_regs` can properly<br /> initialize them and set the flag once done.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/logicvc: Fix device node reference leak in logicvc_drm_config_parse()<br /> <br /> The logicvc_drm_config_parse() function calls of_get_child_by_name() to<br /> find the "layers" node but fails to release the reference, leading to a<br /> device node reference leak.<br /> <br /> Fix this by using the __free(device_node) cleanup attribute to automatic<br /> release the reference when the variable goes out of scope.