Vulnerabilities

With the aim of informing, warning and helping professionals about the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, because entries are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used in order to support the exchange of information between different tools and databases.

Every vulnerability collected is linked to its information sources, as well as to any available patches or solutions provided by manufacturers and developers. Advanced searches are possible: results can be narrowed down by selecting criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the most recently added vulnerabilities.

CVE-2025-21703

Publication date:
18/02/2025
In the Linux kernel, the following vulnerability has been resolved:

netem: Update sch->q.qlen before qdisc_tree_reduce_backlog()

qdisc_tree_reduce_backlog() notifies parent qdisc only if child qdisc becomes empty, therefore we need to reduce the backlog of the child qdisc before calling it. Otherwise it would miss the opportunity to call cops->qlen_notify(); in the case of DRR, it resulted in UAF since DRR uses ->qlen_notify() to maintain its active list.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2025-21702

Publication date:
18/02/2025
In the Linux kernel, the following vulnerability has been resolved:

pfifo_tail_enqueue: Drop new packet when sch->limit == 0

Expected behaviour:
In case we reach the scheduler's limit, pfifo_tail_enqueue() will drop a packet in the scheduler's queue and decrease the scheduler's qlen by one. Then, pfifo_tail_enqueue() enqueues the new packet and increases the scheduler's qlen by one. Finally, pfifo_tail_enqueue() returns the `NET_XMIT_CN` status code.

Weird behaviour:
In case we set `sch->limit == 0` and trigger pfifo_tail_enqueue() on a scheduler that has no packet, the 'drop a packet' step will do nothing. This means the scheduler's qlen still has a value equal to 0. Then, we continue to enqueue the new packet and increase the scheduler's qlen by one. In summary, we can leverage pfifo_tail_enqueue() to increase qlen by one and return the `NET_XMIT_CN` status code.

The problem is:
Let's say we have two qdiscs: Qdisc_A and Qdisc_B.
- Qdisc_A's type must have a '->graft()' function to create a parent/child relationship. Let's say Qdisc_A's type is `hfsc`. Enqueuing a packet to this qdisc will trigger `hfsc_enqueue`.
- Qdisc_B's type is pfifo_head_drop. Enqueuing a packet to this qdisc will trigger `pfifo_tail_enqueue`.
- Qdisc_B is configured to have `sch->limit == 0`.
- Qdisc_A is configured to route the enqueued packet to Qdisc_B.

Enqueuing a packet through Qdisc_A will lead to:
- hfsc_enqueue(Qdisc_A) -> pfifo_tail_enqueue(Qdisc_B)
- Qdisc_B->q.qlen += 1
- pfifo_tail_enqueue() returns `NET_XMIT_CN`
- hfsc_enqueue() checks for `NET_XMIT_SUCCESS` and sees `NET_XMIT_CN` => hfsc_enqueue() doesn't increase the qlen of Qdisc_A.

The whole process leads to a situation where Qdisc_A->q.qlen == 0 and Qdisc_B->q.qlen == 1. Replacing 'hfsc' with another type (for example: 'drr') still leads to the same problem. This violates the design where the parent's qlen should equal the sum of its children's qlen.

Bug impact: This issue can be used for user->kernel privilege escalation when it is reachable.
Severity CVSS v4.0: Pending analysis
Last modification:
02/04/2026

CVE-2024-57045

Publication date:
18/02/2025
A vulnerability in the D-Link DIR-859 router with firmware version A3 1.05 and earlier permits unauthorized individuals to bypass the authentication. An attacker can obtain a user name and password by forging a POST request to the /getcfg.php page.
Severity CVSS v4.0: Pending analysis
Last modification:
21/05/2025

CVE-2024-57046

Publication date:
18/02/2025
A vulnerability in the Netgear DGN2200 router with firmware version v1.0.0.46 and earlier permits unauthorized individuals to bypass the authentication. When "?x=1.gif" is added to the requested URL, the request will be recognized as passing the authentication.
Severity CVSS v4.0: Pending analysis
Last modification:
07/07/2025

CVE-2024-57050

Publication date:
18/02/2025
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2018-11714. Reason: This candidate is a reservation duplicate of CVE-2018-11714. Notes: All CVE users should reference CVE-2018-11714 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2025

CVE-2024-57049

Publication date:
18/02/2025
A vulnerability in the TP-Link Archer C20 router with firmware version V6.6_230412 and earlier permits unauthorized individuals to bypass the authentication of some interfaces under the /cgi directory. When "Referer: http://tplinkwifi.net" is added to the request, it will be recognized as passing the authentication. NOTE: this is disputed by the supplier because the response to the API call is only "non-sensitive UI initialization variables."
Severity CVSS v4.0: Pending analysis
Last modification:
12/02/2026

CVE-2024-13689

Publication date:
18/02/2025
The Uncode Core plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.9.1.6. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-1269

Publication date:
18/02/2025
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in HAVELSAN Liman MYS allows Cross-Site Flashing. This issue affects Liman MYS: before 2.1.1 - 1010.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-1414

Publication date:
18/02/2025
Memory safety bugs present in Firefox 135. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 135.0.1.
Severity CVSS v4.0: Pending analysis
Last modification:
13/04/2026

CVE-2025-1035

Publication date:
18/02/2025
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Komtera Technologies KLog Server allows Manipulating Web Input to File System Calls. This issue affects KLog Server: before 3.1.1.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-0521

Publication date:
18/02/2025
The Post SMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the from and subject parameters in all versions up to, and including, 3.0.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
21/02/2025

CVE-2025-0817

Publication date:
18/02/2025
The FormCraft plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.9.11 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
Severity CVSS v4.0: Pending analysis
Last modification:
21/02/2025