Vulnerabilities

With the aim of informing, warning and helping professionals regarding the latest security vulnerabilities in technology systems, we have made available, for users interested in this information, a database in Spanish that includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), under a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used in order to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to their information sources, as well as to the patches or solutions made available by manufacturers and developers. Advanced searches are possible, since different criteria can be selected to narrow down the results, such as vulnerability type, manufacturer and impact level.

Through RSS feeds or newsletters you can be informed daily of the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2025-3667

Publication date:
16/04/2025
A vulnerability was found in TOTOLINK A3700R 9.1.2u.5822_B20200513. It has been classified as critical. This affects the function setUPnPCfg of the file /cgi-bin/cstecgi.cgi. The manipulation leads to improper access controls. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: MEDIUM
Last modification:
12/05/2025

CVE-2025-22018

Publication date:
16/04/2025
In the Linux kernel, the following vulnerability has been resolved:

atm: Fix NULL pointer dereference

When MPOA_cache_impos_rcvd() receives the msg, it can trigger a Null Pointer Dereference Vulnerability if both entry and holding_time are NULL. Because there is only a check for the situation where entry is NULL and holding_time exists, the check can be passed when both entry and holding_time are NULL. If these are NULL, the entry will be passed to eg_cache_put() as parameter and it is referenced by entry->use code in it.

kasan log:

---truncated---
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2025-3666

Publication date:
16/04/2025
A vulnerability was found in TOTOLINK A3700R 9.1.2u.5822_B20200513 and classified as critical. Affected by this issue is the function setDdnsCfg of the file /cgi-bin/cstecgi.cgi. The manipulation leads to improper access controls. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: MEDIUM
Last modification:
12/05/2025

CVE-2025-3665

Publication date:
16/04/2025
A vulnerability has been found in TOTOLINK A3700R 9.1.2u.5822_B20200513 and classified as critical. Affected by this vulnerability is the function setSmartQosCfg of the file /cgi-bin/cstecgi.cgi. The manipulation leads to improper access controls. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: MEDIUM
Last modification:
22/04/2025

CVE-2025-3698

Publication date:
16/04/2025
Interface exposure vulnerability in the mobile application (com.transsion.carlcare) may lead to information leakage risk.
Severity CVSS v4.0: Pending analysis
Last modification:
13/11/2025

CVE-2025-3663

Publication date:
16/04/2025
A vulnerability, which was classified as critical, has been found in TOTOLINK A3700R 9.1.2u.5822_B20200513. This issue affects the function setWiFiEasyCfg/setWiFiEasyGuestCfg of the file /cgi-bin/cstecgi.cgi of the component Password Handler. The manipulation leads to improper access controls. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: MEDIUM
Last modification:
12/05/2025

CVE-2025-3664

Publication date:
16/04/2025
A vulnerability, which was classified as critical, was found in TOTOLINK A3700R 9.1.2u.5822_B20200513. Affected is the function setWiFiEasyGuestCfg of the file /cgi-bin/cstecgi.cgi. The manipulation leads to improper access controls. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: MEDIUM
Last modification:
22/04/2025

CVE-2024-13452

Publication date:
16/04/2025
The Contact Form by Supsystic plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7.29. This is due to missing or incorrect nonce validation on a saveAsCopy function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-2314

Publication date:
16/04/2025
The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 3.13.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The issue was partially patched in version 3.13.6 of the plugin, and fully patched in 3.13.7.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-3495

Publication date:
16/04/2025
Delta Electronics COMMGR v1 and v2 uses insufficiently randomized values to generate session IDs (CWE-338). An attacker could easily brute force a session ID and load and execute arbitrary code.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-30100

Publication date:
16/04/2025
Dell Alienware Command Center 6.x, versions prior to 6.7.37.0 contain an Improper Access Control Vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges.
Severity CVSS v4.0: Pending analysis
Last modification:
14/01/2026

CVE-2025-32385

Publication date:
16/04/2025
EspoCRM is an Open Source Customer Relationship Management software. Prior to 9.0.5, Iframe dashlet allows user to display iframes with arbitrary URLs. As the sandbox attribute is not included in the iframe, the remote page can open popups outside of the iframe, potentially tricking users and creating a phishing risk. The iframe URL is user-defined, so an attacker would need to trick the user into specifying a malicious URL. The missing sandbox attribute also allows the remote page to send messages to the parent frame. However, EspoCRM does not make use of these messages. This vulnerability is fixed in 9.0.5.
Severity CVSS v4.0: Pending analysis
Last modification:
27/06/2025