Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made a database available to interested users. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to their information sources, as well as to any available patches or solutions provided by manufacturers and developers. Advanced searches are possible: results can be narrowed down by selecting criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2024-2907

Publication date:
25/04/2024
The AGCA WordPress plugin before 7.2.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Severity CVSS v4.0: Pending analysis
Last modification:
14/05/2025

CVE-2024-29205

Publication date:
25/04/2024
An Improper Check for Unusual or Exceptional Conditions vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows a remote unauthenticated attacker to send specially crafted requests in order to cause service disruptions.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2024

CVE-2024-26924

Publication date:
25/04/2024
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_set_pipapo: do not free live element

Pablo reports a crash with large batches of elements with a back-to-back add/remove pattern. Quoting Pablo:

add_elem("00000000") timeout 100 ms
...
add_elem("0000000X") timeout 100 ms
del_elem("0000000X")
Severity CVSS v4.0: Pending analysis
Last modification:
04/11/2025

CVE-2024-26926

Publication date:
25/04/2024
In the Linux kernel, the following vulnerability has been resolved:

binder: check offset alignment in binder_get_object()

Commit 6d98eb95b450 ("binder: avoid potential data leakage when copying txn") introduced changes to how binder objects are copied. In doing so, it unintentionally removed an offset alignment check done through calls to binder_alloc_copy_from_buffer() -> check_buffer().

These calls were replaced in binder_get_object() with copy_from_user(), so now an explicit offset alignment check is needed here. This avoids later complications when unwinding the objects gets harder.

It is worth noting this check existed prior to commit 7a67a39320df ("binder: add function to copy binder object from buffer"), likely removed due to redundancy at the time.
Severity CVSS v4.0: Pending analysis
Last modification:
23/12/2025

CVE-2024-26923

Publication date:
25/04/2024
In the Linux kernel, the following vulnerability has been resolved:

af_unix: Fix garbage collector racing against connect()

Garbage collector does not take into account the risk of embryo getting enqueued during the garbage collection. If such embryo has a peer that carries SCM_RIGHTS, two consecutive passes of scan_children() may see a different set of children. Leading to an incorrectly elevated inflight count, and then a dangling pointer within the gc_inflight_list.

sockets are AF_UNIX/SOCK_STREAM
S is an unconnected socket
L is a listening in-flight socket bound to addr, not in fdtable
V's fd will be passed via sendmsg(), gets inflight count bumped

connect(S, addr)            sendmsg(S, [V]); close(V)    __unix_gc()
----------------            -------------------------    -----------

NS = unix_create1()
skb1 = sock_wmalloc(NS)
L = unix_find_other(addr)
unix_state_lock(L)
unix_peer(S) = NS
                            // V count=1 inflight=0

                            NS = unix_peer(S)
                            skb2 = sock_alloc()
                            skb_queue_tail(NS, skb2[V])

                            // V became in-flight
                            // V count=2 inflight=1

                            close(V)

                            // V count=1 inflight=1
                            // GC candidate condition met

                                                         for u in gc_inflight_list:
                                                           if (total_refs == inflight_refs)
                                                             add u to gc_candidates

                                                         // gc_candidates={L, V}

                                                         for u in gc_candidates:
                                                           scan_children(u, dec_inflight)

                                                         // embryo (skb1) was not
                                                         // reachable from L yet, so V's
                                                         // inflight remains unchanged
__skb_queue_tail(L, skb1)
unix_state_unlock(L)
                                                         for u in gc_candidates:
                                                           if (u.inflight)
                                                             scan_children(u, inc_inflight_move_tail)

                                                         // V count=1 inflight=2 (!)

If there is a GC-candidate listening socket, lock/unlock its state. This makes GC wait until the end of any ongoing connect() to that socket. After flipping the lock, a possibly SCM-laden embryo is already enqueued. And if there is another embryo coming, it can not possibly carry SCM_RIGHTS. At this point, unix_inflight() can not happen because unix_gc_lock is already taken. Inflight graph remains unaffected.
Severity CVSS v4.0: Pending analysis
Last modification:
23/12/2025

CVE-2024-26925

Publication date:
25/04/2024
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path

The commit mutex should not be released during the critical section between nft_gc_seq_begin() and nft_gc_seq_end(), otherwise, async GC worker could collect expired objects and get the released commit lock within the same GC sequence.

nf_tables_module_autoload() temporarily releases the mutex to load module dependencies, then it goes back to replay the transaction again. Move it at the end of the abort phase after nft_gc_seq_end() is called.
Severity CVSS v4.0: Pending analysis
Last modification:
23/12/2025

CVE-2024-23527

Publication date:
25/04/2024
An out-of-bounds read vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3, in certain conditions can allow an unauthenticated remote attacker to read sensitive information in memory.
Severity CVSS v4.0: Pending analysis
Last modification:
06/05/2025

CVE-2023-20248

Publication date:
24/04/2024
A vulnerability in the web-based management interface of Cisco TelePresence Management Suite (TMS) Software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability is due to insufficient input validation by the web-based management interface. An attacker could exploit this vulnerability by inserting malicious data in a specific data field in the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.
Severity CVSS v4.0: Pending analysis
Last modification:
04/04/2025

CVE-2023-20249

Publication date:
24/04/2024
A vulnerability in the web-based management interface of Cisco TelePresence Management Suite (TMS) Software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability is due to insufficient input validation by the web-based management interface. An attacker could exploit this vulnerability by inserting malicious data in a specific data field in the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.
Severity CVSS v4.0: Pending analysis
Last modification:
24/04/2025

CVE-2024-20313

Publication date:
24/04/2024
A vulnerability in the OSPF version 2 (OSPFv2) feature of Cisco IOS XE Software could allow an unauthenticated, adjacent attacker to cause an affected device to reload unexpectedly, resulting in a denial of service (DoS) condition. This vulnerability is due to improper validation of OSPF updates that are processed by a device. An attacker could exploit this vulnerability by sending a malformed OSPF update to the device. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a DoS condition.
Severity CVSS v4.0: Pending analysis
Last modification:
30/04/2024

CVE-2024-4126

Publication date:
24/04/2024
A vulnerability was found in Tenda W15E 15.11.0.14 and classified as critical. This issue affects the function formSetSysTime of the file /goform/SetSysTimeCfg. The manipulation of the argument manualTime leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-261869 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: Pending analysis
Last modification:
15/01/2025

CVE-2024-4127

Publication date:
24/04/2024
A vulnerability was found in Tenda W15E 15.11.0.14. It has been classified as critical. Affected is the function guestWifiRuleRefresh. The manipulation of the argument qosGuestDownstream leads to stack-based buffer overflow. It is possible to launch the attack remotely. VDB-261870 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: Pending analysis
Last modification:
15/01/2025