Vulnerabilities

In wolfSSL prior to 5.6.6, if callback functions are enabled (via the WOLFSSL_CALLBACKS flag), then a malicious TLS client or network attacker can trigger a buffer over-read on the heap of 5 bytes (WOLFSSL_CALLBACKS is only intended for debugging).<br />

MantisBT is an open source issue tracker. Prior to version 2.26.1, an unauthenticated attacker who knows a user&amp;#39;s email address and username can hijack the user&amp;#39;s account by poisoning the link in the password reset notification message. A patch is available in version 2.26.1. As a workaround, define `$g_path` as appropriate in `config_inc.php`.

SQL Injection vulnerability in MRCMS v3.1.2 allows attackers to run arbitrary system commands via the status parameter.

kedi ElectronCord is a bot management tool for Discord. Commit aaaeaf4e6c99893827b2eea4dd02f755e1e24041 exposes an account access token in the `config.json` file. Malicious actors could potentially exploit this vulnerability to gain unauthorized access to sensitive information or perform malicious actions on behalf of the repository owner. As of time of publication, it is unknown whether the owner of the repository has rotated the token or taken other mitigation steps aside from informing users of the situation.

com.yetanalytics/lrs is the Yet Analytics Core LRS Library. Prior to version 1.2.17 of the LRS library and version 0.7.5 of SQL LRS, a maliciously crafted xAPI statement could be used to perform script or other tag injection in the LRS Statement Browser. The problem is patched in version 1.2.17 of the LRS library and version 0.7.5 of SQL LRS. No known workarounds exist.

Cross-Site Request Forgery (CSRF) vulnerability in the terms of use page in Liferay Portal before 7.3.6, and Liferay DXP 7.3 before service pack 1, 7.2 before fix pack 11 allows remote attackers to accept the site&amp;#39;s terms of use via social engineering and enticing the user to visit a malicious page.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> f2fs: explicitly null-terminate the xattr list<br /> <br /> When setting an xattr, explicitly null-terminate the xattr list. This<br /> eliminates the fragile assumption that the unused xattr space is always<br /> zeroed.

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> binder: fix use-after-free in shinker&amp;#39;s callback<br /> <br /> The mmap read lock is used during the shrinker&amp;#39;s callback, which means<br /> that using alloc-&gt;vma pointer isn&amp;#39;t safe as it can race with munmap().<br /> As of commit dd2283f2605e ("mm: mmap: zap pages with read mmap_sem in<br /> munmap") the mmap lock is downgraded after the vma has been isolated.<br /> <br /> I was able to reproduce this issue by manually adding some delays and<br /> triggering page reclaiming through the shrinker&amp;#39;s debug sysfs. The<br /> following KASAN report confirms the UAF:<br /> <br /> ==================================================================<br /> BUG: KASAN: slab-use-after-free in zap_page_range_single+0x470/0x4b8<br /> Read of size 8 at addr ffff356ed50e50f0 by task bash/478<br /> <br /> CPU: 1 PID: 478 Comm: bash Not tainted 6.6.0-rc5-00055-g1c8b86a3799f-dirty #70<br /> Hardware name: linux,dummy-virt (DT)<br /> Call trace:<br /> zap_page_range_single+0x470/0x4b8<br /> binder_alloc_free_page+0x608/0xadc<br /> __list_lru_walk_one+0x130/0x3b0<br /> list_lru_walk_node+0xc4/0x22c<br /> binder_shrink_scan+0x108/0x1dc<br /> shrinker_debugfs_scan_write+0x2b4/0x500<br /> full_proxy_write+0xd4/0x140<br /> vfs_write+0x1ac/0x758<br /> ksys_write+0xf0/0x1dc<br /> __arm64_sys_write+0x6c/0x9c<br /> <br /> Allocated by task 492:<br /> kmem_cache_alloc+0x130/0x368<br /> vm_area_alloc+0x2c/0x190<br /> mmap_region+0x258/0x18bc<br /> do_mmap+0x694/0xa60<br /> vm_mmap_pgoff+0x170/0x29c<br /> ksys_mmap_pgoff+0x290/0x3a0<br /> __arm64_sys_mmap+0xcc/0x144<br /> <br /> Freed by task 491:<br /> kmem_cache_free+0x17c/0x3c8<br /> vm_area_free_rcu_cb+0x74/0x98<br /> rcu_core+0xa38/0x26d4<br /> rcu_core_si+0x10/0x1c<br /> __do_softirq+0x2fc/0xd24<br /> <br /> Last potentially related work creation:<br /> __call_rcu_common.constprop.0+0x6c/0xba0<br /> call_rcu+0x10/0x1c<br /> vm_area_free+0x18/0x24<br /> remove_vma+0xe4/0x118<br /> do_vmi_align_munmap.isra.0+0x718/0xb5c<br /> do_vmi_munmap+0xdc/0x1fc<br /> __vm_munmap+0x10c/0x278<br /> __arm64_sys_munmap+0x58/0x7c<br /> <br /> Fix this issue by performing instead a vma_lookup() which will fail to<br /> find the vma that was isolated before the mmap lock downgrade. Note that<br /> this option has better performance than upgrading to a mmap write lock<br /> which would increase contention. Plus, mmap_write_trylock() has been<br /> recently removed anyway.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> uio: Fix use-after-free in uio_open<br /> <br /> core-1 core-2<br /> -------------------------------------------------------<br /> uio_unregister_device uio_open<br /> idev = idr_find()<br /> device_unregister(&amp;idev-&gt;dev)<br /> put_device(&amp;idev-&gt;dev)<br /> uio_device_release<br /> get_device(&amp;idev-&gt;dev)<br /> kfree(idev)<br /> uio_free_minor(minor)<br /> uio_release<br /> put_device(&amp;idev-&gt;dev)<br /> kfree(idev)<br /> -------------------------------------------------------<br /> <br /> In the core-1 uio_unregister_device(), the device_unregister will kfree<br /> idev when the idev-&gt;dev kobject ref is 1. But after core-1<br /> device_unregister, put_device and before doing kfree, the core-2 may<br /> get_device. Then:<br /> 1. After core-1 kfree idev, the core-2 will do use-after-free for idev.<br /> 2. When core-2 do uio_release and put_device, the idev will be double<br /> freed.<br /> <br /> To address this issue, we can get idev atomic &amp; inc idev reference with<br /> minor_lock.

When ssl was enabled for Mongo Hook, default settings included "allow_insecure" which caused that certificates were not validated. This was unexpected and undocumented.<br /> Users are recommended to upgrade to version 4.0.0, which fixes this issue.

Cross Site Scripting vulnerability in the sanitize function in Enhancesoft osTicket 1.18.0 allows a remote attacker to escalate privileges via a crafted support ticket.