Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made available a database, in Spanish, of all the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), which INCIBE translates into Spanish under a partnership agreement.

On occasion this list will show vulnerabilities that have not yet been translated, because they are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches can be narrowed by selecting criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2026-21632

Publication date:
01/04/2026
Lack of output escaping for article titles leads to XSS vectors in various locations.
Severity CVSS v4.0: MEDIUM
Last modification:
09/04/2026

CVE-2026-21630

Publication date:
01/04/2026
Improperly built order clauses lead to a SQL injection vulnerability in the articles webservice endpoint.
Severity CVSS v4.0: MEDIUM
Last modification:
09/04/2026

CVE-2026-21629

Publication date:
01/04/2026
The ajax component was excluded from the default logged-in-user check in the administrative area. This behavior was potentially unexpected by 3rd party developers.
Severity CVSS v4.0: MEDIUM
Last modification:
09/04/2026

CVE-2026-1879

Publication date:
01/04/2026
A vulnerability was detected in Harvard University IQSS Dataverse up to 6.8. This affects an unknown function of the file /ThemeAndWidgets.xhtml of the component Theme Customization. Performing a manipulation of the argument uploadLogo results in unrestricted upload. Remote exploitation of the attack is possible. The exploit is now public and may be used. Upgrading to version 6.10 mitigates this issue. You should upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
Severity CVSS v4.0: LOW
Last modification:
29/04/2026

CVE-2024-53828

Publication date:
01/04/2026
Ericsson Packet Core Controller (PCC) versions prior to 1.38 contain a vulnerability where an attacker sending a large volume of specially crafted messages may cause service degradation.
Severity CVSS v4.0: Pending analysis
Last modification:
10/04/2026

CVE-2026-4370

Publication date:
01/04/2026
A vulnerability was identified in Juju from version 3.2.0 until 3.6.19 and from version 4.0 until 4.0.4, where the internal Dqlite database cluster fails to perform proper TLS client and server authentication. Specifically, the Juju controller's database endpoint does not validate client certificates when a new node attempts to join the cluster. An unauthenticated attacker with network reachability to the Juju controller's Dqlite port can exploit this flaw to join the database cluster. Once joined, the attacker gains full read and write access to the underlying database, allowing for total data compromise.
Severity CVSS v4.0: Pending analysis
Last modification:
02/04/2026

CVE-2026-34889

Publication date:
01/04/2026
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brainstorm Force Ultimate Addons for WPBakery Page Builder allows DOM-Based XSS. This issue affects Ultimate Addons for WPBakery Page Builder: from n/a before 3.21.4.
Severity CVSS v4.0: Pending analysis
Last modification:
24/04/2026

CVE-2026-23411

Publication date:
01/04/2026
In the Linux kernel, the following vulnerability has been resolved:

apparmor: fix race between freeing data and fs accessing it

AppArmor was putting the reference to i_private data on its end after removing the original entry from the file system. However the inode can and does live beyond that point and it is possible that some of the fs call back functions will be invoked after the reference has been put, which results in a race between freeing the data and accessing it through the fs.

While the rawdata/loaddata is the most likely candidate to fail the race, as it has the fewest references. If properly crafted it might be possible to trigger a race for the other types stored in i_private.

Fix this by moving the put of i_private referenced data to the correct place which is during inode eviction.
Severity CVSS v4.0: Pending analysis
Last modification:
24/04/2026

CVE-2026-23410

Publication date:
01/04/2026
In the Linux kernel, the following vulnerability has been resolved:

apparmor: fix race on rawdata dereference

There is a race condition that leads to a use-after-free situation: because the rawdata inodes are not refcounted, an attacker can start open()ing one of the rawdata files, and at the same time remove the last reference to this rawdata (by removing the corresponding profile, for example), which frees its struct aa_loaddata; as a result, when seq_rawdata_open() is reached, i_private is a dangling pointer and freed memory is accessed.

The rawdata inodes weren't refcounted to avoid a circular refcount and were supposed to be held by the profile rawdata reference. However during profile removal there is a window where the vfs and profile destruction race, resulting in the use after free.

Fix this by moving to a double refcount scheme. Where the profile refcount on rawdata is used to break the circular dependency. Allowing for freeing of the rawdata once all inode references to the rawdata are put.
Severity CVSS v4.0: Pending analysis
Last modification:
24/04/2026

CVE-2026-5261

Publication date:
01/04/2026
A vulnerability was identified in Shandong Hoteam InforCenter PLM up to 8.3.8. The impacted element is the function uploadFileToIIS of the file /Base/BaseHandler.ashx. The manipulation of the argument File leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: MEDIUM
Last modification:
29/04/2026

CVE-2026-23405

Publication date:
01/04/2026
In the Linux kernel, the following vulnerability has been resolved:

apparmor: fix: limit the number of levels of policy namespaces

Currently the number of policy namespaces is not bounded relying on the user namespace limit. However policy namespaces aren't strictly tied to user namespaces and it is possible to create them and nest them arbitrarily deep which can be used to exhaust system resource.

Hard cap policy namespaces to the same depth as user namespaces.
Severity CVSS v4.0: Pending analysis
Last modification:
24/04/2026

CVE-2026-23406

Publication date:
01/04/2026
In the Linux kernel, the following vulnerability has been resolved:

apparmor: fix side-effect bug in match_char() macro usage

The match_char() macro evaluates its character parameter multiple times when traversing differential encoding chains. When invoked with *str++, the string pointer advances on each iteration of the inner do-while loop, causing the DFA to check different characters at each iteration and therefore skip input characters. This results in out-of-bounds reads when the pointer advances past the input buffer boundary.

[ 94.984676] ==================================================================
[ 94.985301] BUG: KASAN: slab-out-of-bounds in aa_dfa_match+0x5ae/0x760
[ 94.985655] Read of size 1 at addr ffff888100342000 by task file/976

[ 94.986319] CPU: 7 UID: 1000 PID: 976 Comm: file Not tainted 6.19.0-rc7-next-20260127 #1 PREEMPT(lazy)
[ 94.986322] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 94.986329] Call Trace:
[ 94.986341]
[ 94.986347] dump_stack_lvl+0x5e/0x80
[ 94.986374] print_report+0xc8/0x270
[ 94.986384] ? aa_dfa_match+0x5ae/0x760
[ 94.986388] kasan_report+0x118/0x150
[ 94.986401] ? aa_dfa_match+0x5ae/0x760
[ 94.986405] aa_dfa_match+0x5ae/0x760
[ 94.986408] __aa_path_perm+0x131/0x400
[ 94.986418] aa_path_perm+0x219/0x2f0
[ 94.986424] apparmor_file_open+0x345/0x570
[ 94.986431] security_file_open+0x5c/0x140
[ 94.986442] do_dentry_open+0x2f6/0x1120
[ 94.986450] vfs_open+0x38/0x2b0
[ 94.986453] ? may_open+0x1e2/0x2b0
[ 94.986466] path_openat+0x231b/0x2b30
[ 94.986469] ? __x64_sys_openat+0xf8/0x130
[ 94.986477] do_file_open+0x19d/0x360
[ 94.986487] do_sys_openat2+0x98/0x100
[ 94.986491] __x64_sys_openat+0xf8/0x130
[ 94.986499] do_syscall_64+0x8e/0x660
[ 94.986515] ? count_memcg_events+0x15f/0x3c0
[ 94.986526] ? srso_alias_return_thunk+0x5/0xfbef5
[ 94.986540] ? handle_mm_fault+0x1639/0x1ef0
[ 94.986551] ? vma_start_read+0xf0/0x320
[ 94.986558] ? srso_alias_return_thunk+0x5/0xfbef5
[ 94.986561] ? srso_alias_return_thunk+0x5/0xfbef5
[ 94.986563] ? fpregs_assert_state_consistent+0x50/0xe0
[ 94.986572] ? srso_alias_return_thunk+0x5/0xfbef5
[ 94.986574] ? arch_exit_to_user_mode_prepare+0x9/0xb0
[ 94.986587] ? srso_alias_return_thunk+0x5/0xfbef5
[ 94.986588] ? irqentry_exit+0x3c/0x590
[ 94.986595] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 94.986597] RIP: 0033:0x7fda4a79c3ea

Fix by extracting the character value before invoking match_char, ensuring single evaluation per outer loop.
Severity CVSS v4.0: Pending analysis
Last modification:
24/04/2026