Vulnerabilities

IBM Copy Services Manager 6.3.13 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

Accela Automation Platform 22.2.3.0.230103 contains multiple vulnerabilities in the Test Script feature. An authenticated administrative user can execute arbitrary Java code on the server, resulting in remote code execution. In addition, improper input validation allows for arbitrary file write and server-side request forgery (SSRF), enabling interaction with internal or external systems. Successful exploitation can lead to full server compromise, unauthorized access to sensitive data, and further network exploitation.

Tenda AC6 router firmware 15.03.05.19 contains a command injection vulnerability in the formSetIptv function, which processes requests to the /goform/SetIPTVCfg web interface. When handling the list and vlanId parameters, the sub_ADBC0 helper function concatenates these user-supplied values into nvram set system commands using doSystemCmd, without validating or sanitizing special characters (e.g., ;, ", #). An unauthenticated or authenticated attacker can exploit this by submitting a crafted POST request, leading to arbitrary system command execution on the affected device.

AliasVault is a privacy-first password manager with built-in email aliasing. A server-side request forgery (SSRF) vulnerability exists in the favicon extraction feature of AliasVault API versions 0.23.0 and lower. The extractor fetches a user-supplied URL, parses the returned HTML, and follows . Although the initial URL is validated to allow only HTTP/HTTPS with default ports, the extractor automatically follows redirects and does not block requests to loopback or internal IP ranges. An authenticated, low-privileged user can exploit this behavior to coerce the backend into making HTTP(S) requests to arbitrary internal hosts and non-default ports. If the target host serves a favicon or any other valid image, the response is returned to the attacker in Base64 form. Even when no data is returned, timing and error behavior can be abused to map internal services. This vulnerability only affects self-hosted AliasVault instances that are reachable from the public internet with public user registration enabled. Private/internal deployments without public sign-ups are not directly exploitable. This issue has been fixed in AliasVault release 0.23.1.

The Cloudflare Vite plugin enables a full-featured integration between Vite and the Workers runtime. When utilising the Cloudflare Vite plugin in its default configuration, all files are exposed by the local dev server, including files in the root directory that contain secret information such as .env and .dev.vars. This vulnerability is fixed in 1.6.0.

CMSEasy v7.7.8.0 and before is vulnerable to Arbitrary file deletion in database_admin.php.

Directory traversal vulnerability in Sync In server thru 1.1.1 allowing authenticated attackers to gain read and write access to the system via FilesManager.saveMultipart function in backend/src/applications/files/services/files-manager.service.ts, and FilesManager.compress function in backend/src/applications/files/services/files-manager.service.ts.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: vhci: Prevent use-after-free by removing debugfs files early<br /> <br /> Move the creation of debugfs files into a dedicated function, and ensure<br /> they are explicitly removed during vhci_release(), before associated<br /> data structures are freed.<br /> <br /> Previously, debugfs files such as "force_suspend", "force_wakeup", and<br /> others were created under hdev-&gt;debugfs but not removed in<br /> vhci_release(). Since vhci_release() frees the backing vhci_data<br /> structure, any access to these files after release would result in<br /> use-after-free errors.<br /> <br /> Although hdev-&gt;debugfs is later freed in hci_release_dev(), user can<br /> access files after vhci_data is freed but before hdev-&gt;debugfs is<br /> released.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: mt76: mt7915: fix list corruption after hardware restart<br /> <br /> Since stations are recreated from scratch, all lists that wcids are added<br /> to must be cleared before calling ieee80211_restart_hw.<br /> Set wcid-&gt;sta = 0 for each wcid entry in order to ensure that they are<br /> not added again before they are ready.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: brcmfmac: fix use-after-free when rescheduling brcmf_btcoex_info work<br /> <br /> The brcmf_btcoex_detach() only shuts down the btcoex timer, if the<br /> flag timer_on is false. However, the brcmf_btcoex_timerfunc(), which<br /> runs as timer handler, sets timer_on to false. This creates critical<br /> race conditions:<br /> <br /> 1.If brcmf_btcoex_detach() is called while brcmf_btcoex_timerfunc()<br /> is executing, it may observe timer_on as false and skip the call to<br /> timer_shutdown_sync().<br /> <br /> 2.The brcmf_btcoex_timerfunc() may then reschedule the brcmf_btcoex_info<br /> worker after the cancel_work_sync() has been executed, resulting in<br /> use-after-free bugs.<br /> <br /> The use-after-free bugs occur in two distinct scenarios, depending on<br /> the timing of when the brcmf_btcoex_info struct is freed relative to<br /> the execution of its worker thread.<br /> <br /> Scenario 1: Freed before the worker is scheduled<br /> <br /> The brcmf_btcoex_info is deallocated before the worker is scheduled.<br /> A race condition can occur when schedule_work(&amp;bt_local-&gt;work) is<br /> called after the target memory has been freed. The sequence of events<br /> is detailed below:<br /> <br /> CPU0 | CPU1<br /> brcmf_btcoex_detach | brcmf_btcoex_timerfunc<br /> | bt_local-&gt;timer_on = false;<br /> if (cfg-&gt;btcoex-&gt;timer_on) |<br /> ... |<br /> cancel_work_sync(); |<br /> ... |<br /> kfree(cfg-&gt;btcoex); // FREE |<br /> | schedule_work(&amp;bt_local-&gt;work); // USE<br /> <br /> Scenario 2: Freed after the worker is scheduled<br /> <br /> The brcmf_btcoex_info is freed after the worker has been scheduled<br /> but before or during its execution. In this case, statements within<br /> the brcmf_btcoex_handler() — such as the container_of macro and<br /> subsequent dereferences of the brcmf_btcoex_info object will cause<br /> a use-after-free access. The following timeline illustrates this<br /> scenario:<br /> <br /> CPU0 | CPU1<br /> brcmf_btcoex_detach | brcmf_btcoex_timerfunc<br /> | bt_local-&gt;timer_on = false;<br /> if (cfg-&gt;btcoex-&gt;timer_on) |<br /> ... |<br /> cancel_work_sync(); |<br /> ... | schedule_work(); // Reschedule<br /> |<br /> kfree(cfg-&gt;btcoex); // FREE | brcmf_btcoex_handler() // Worker<br /> /* | btci = container_of(....); // USE<br /> The kfree() above could | ...<br /> also occur at any point | btci-&gt; // USE<br /> during the worker&amp;#39;s execution|<br /> */ |<br /> <br /> To resolve the race conditions, drop the conditional check and call<br /> timer_shutdown_sync() directly. It can deactivate the timer reliably,<br /> regardless of its current state. Once stopped, the timer_on state is<br /> then set to false.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: cfg80211: fix use-after-free in cmp_bss()<br /> <br /> Following bss_free() quirk introduced in commit 776b3580178f<br /> ("cfg80211: track hidden SSID networks properly"), adjust<br /> cfg80211_update_known_bss() to free the last beacon frame<br /> elements only if they&amp;#39;re not shared via the corresponding<br /> &amp;#39;hidden_beacon_bss&amp;#39; pointer.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> tee: fix NULL pointer dereference in tee_shm_put<br /> <br /> tee_shm_put have NULL pointer dereference:<br /> <br /> __optee_disable_shm_cache --&gt;<br /> shm = reg_pair_to_ptr(...);//shm maybe return NULL<br /> tee_shm_free(shm); --&gt;<br /> tee_shm_put(shm);//crash<br /> <br /> Add check in tee_shm_put to fix it.<br /> <br /> panic log:<br /> Unable to handle kernel paging request at virtual address 0000000000100cca<br /> Mem abort info:<br /> ESR = 0x0000000096000004<br /> EC = 0x25: DABT (current EL), IL = 32 bits<br /> SET = 0, FnV = 0<br /> EA = 0, S1PTW = 0<br /> FSC = 0x04: level 0 translation fault<br /> Data abort info:<br /> ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000<br /> CM = 0, WnR = 0, TnD = 0, TagAccess = 0<br /> GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0<br /> user pgtable: 4k pages, 48-bit VAs, pgdp=0000002049d07000<br /> [0000000000100cca] pgd=0000000000000000, p4d=0000000000000000<br /> Internal error: Oops: 0000000096000004 [#1] SMP<br /> CPU: 2 PID: 14442 Comm: systemd-sleep Tainted: P OE ------- ----<br /> 6.6.0-39-generic #38<br /> Source Version: 938b255f6cb8817c95b0dd5c8c2944acfce94b07<br /> Hardware name: greatwall GW-001Y1A-FTH, BIOS Great Wall BIOS V3.0<br /> 10/26/2022<br /> pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br /> pc : tee_shm_put+0x24/0x188<br /> lr : tee_shm_free+0x14/0x28<br /> sp : ffff001f98f9faf0<br /> x29: ffff001f98f9faf0 x28: ffff0020df543cc0 x27: 0000000000000000<br /> x26: ffff001f811344a0 x25: ffff8000818dac00 x24: ffff800082d8d048<br /> x23: ffff001f850fcd18 x22: 0000000000000001 x21: ffff001f98f9fb88<br /> x20: ffff001f83e76218 x19: ffff001f83e761e0 x18: 000000000000ffff<br /> x17: 303a30303a303030 x16: 0000000000000000 x15: 0000000000000003<br /> x14: 0000000000000001 x13: 0000000000000000 x12: 0101010101010101<br /> x11: 0000000000000001 x10: 0000000000000001 x9 : ffff800080e08d0c<br /> x8 : ffff001f98f9fb88 x7 : 0000000000000000 x6 : 0000000000000000<br /> x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000<br /> x2 : ffff001f83e761e0 x1 : 00000000ffff001f x0 : 0000000000100cca<br /> Call trace:<br /> tee_shm_put+0x24/0x188<br /> tee_shm_free+0x14/0x28<br /> __optee_disable_shm_cache+0xa8/0x108<br /> optee_shutdown+0x28/0x38<br /> platform_shutdown+0x28/0x40<br /> device_shutdown+0x144/0x2b0<br /> kernel_power_off+0x3c/0x80<br /> hibernate+0x35c/0x388<br /> state_store+0x64/0x80<br /> kobj_attr_store+0x14/0x28<br /> sysfs_kf_write+0x48/0x60<br /> kernfs_fop_write_iter+0x128/0x1c0<br /> vfs_write+0x270/0x370<br /> ksys_write+0x6c/0x100<br /> __arm64_sys_write+0x20/0x30<br /> invoke_syscall+0x4c/0x120<br /> el0_svc_common.constprop.0+0x44/0xf0<br /> do_el0_svc+0x24/0x38<br /> el0_svc+0x24/0x88<br /> el0t_64_sync_handler+0x134/0x150<br /> el0t_64_sync+0x14c/0x15