Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> xfrm: esp: avoid in-place decrypt on shared skb frags<br /> <br /> MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP<br /> marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(),<br /> so later paths that may modify packet data can first make a private<br /> copy. The IPv4/IPv6 datagram append paths did not set this flag when<br /> splicing pages into UDP skbs.<br /> <br /> That leaves an ESP-in-UDP packet made from shared pipe pages looking<br /> like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW<br /> fast path for uncloned skbs without a frag_list and decrypts in place<br /> over data that is not owned privately by the skb.<br /> <br /> Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching<br /> TCP. Also make ESP input fall back to skb_cow_data() when the flag is<br /> present, so ESP does not decrypt externally backed frags in place.<br /> Private nonlinear skb frags still use the existing fast path.<br /> <br /> This intentionally does not change ESP output. In esp_output_head(),<br /> the path that appends the ESP trailer to existing skb tailroom without<br /> calling skb_cow_data() is not reachable for nonlinear skbs:<br /> skb_tailroom() returns zero when skb-&gt;data_len is nonzero, while ESP<br /> tailen is positive. Thus ESP output will either use the separate<br /> destination-frag path or fall back to skb_cow_data().

In uriparser before 1.0.2, there is pointer difference truncation to int in various places.

Apache::Session versions through 1.94 for Perl re-creates deleted sessions.<br /> <br /> The session stores Apache::Session::Store::File and Apache::Session::Store::DB_File will create a session that does not exist. This can lead to sessions being revived, potentially with data that was to be deleted.

PredatorSense version 3.00.3136 to 3.00.3196 contain Local Privilege Escalation (LPE) vulnerability.The program exposes a Windows Named Pipe that uses a custom protocol to invoke internal functions. However, this Named Pipe is misconfigured, allowing any authenticated local user to execute arbitrary code with NT AUTHORITY\SYSTEM privileges and to delete arbitrary files with SYSTEM privileges. By leveraging this, an attacker can execute arbitrary code on the target system with elevated privileges.

A vulnerability in Legion of the Bouncy Castle Inc. BC-FJA BC-FIPS on Linux, X86_64, AVX, AVX-512f.<br /> <br /> This vulnerability is associated with program files gcm128w, gcm512w.<br /> <br /> <br /> <br /> This issue affects BC-FJA: from 2.1.0 through 2.1.2.

The OttoKit: All-in-One Automation Platform WordPress plugin before 1.1.23 does not properly sanitize user input before using it in a SQL statement, which could allow unauthenticated attackers to perform SQL injection attacks.

In OpenStack Ironic through 35.x, instance_info[&amp;#39;ks_template&amp;#39;] is rendered without sandboxing.

1C-Bitrix through 25.100.500 allows Remote Code Execution because an actor with SOURCE/WRITE permissions for the Translate Module can upload and execute code by sending a PHP file and a .htaccess file. NOTE: this is disputed by the Supplier because this is intended behavior for the high-privileged users who can upload new translated pages to the website.

An issue was discovered in Control Web Panel (CWP) before 0.9.8.1209. User input passed via the "key" GET parameter to /admin/index.php (when the "api" parameter is set) is not properly sanitized before being used to execute OS commands. This can be exploited by unauthenticated attackers to inject and execute arbitrary OS commands with the privileges of root on the web server. Softaculous or SitePad must be present.

RayVentory Scan Engine through 12.6 Update 8 allows attackers to gain privileges if they control the value of the PATH environment variable. NOTE: this is disputed because ability of an attacker to control the environment is a site-specific misconfiguration.

AstrBotDevs AstrBot 3.5.15 has Advanced_System_for_Text_Response_and_Bot_Operations_Tool as the hardcoded private key used to sign a JWT.

Bitrix24 through 25.100.300 allows Remote Code Execution because an actor with SOURCE/WRITE permissions for the Translate Module can upload and execute code by sending a PHP file and a .htaccess file. NOTE: this is disputed by the Supplier because this is intended behavior for the high-privileged users who can upload new translated pages to the website.