Vulnerabilities

A vulnerability, which was classified as problematic, has been found in Bdtask Bhojon Best Restaurant Management Software 2.9. This issue affects some unknown processing of the file /dashboard/message of the component Message Page. The manipulation of the argument Title leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-254531. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability, which was classified as critical, was found in TemmokuMVC up to 2.3. Affected is the function get_img_url/img_replace in the library lib/images_get_down.php of the component Image Download Handler. The manipulation leads to deserialization. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-254532. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

A reflected Cross-Site Scripting (XSS) vulnerability in FUEL CMS 1.5.2allows attackers to run arbitrary code via crafted string after the group_id parameter.

An issue in flvmeta v.1.2.2 allows a local attacker to cause a denial of service via the flvmeta/src/flv.c:375:21 function in flv_close.

baserCMS is a website development framework. Prior to version 5.0.9, there is a cross-site scripting vulnerability in the content management feature. Version 5.0.9 contains a fix for this vulnerability.

The `mjml` PyPI package, found at the `FelixSchwarz/mjml-python` GitHub repo, is an unofficial Python port of MJML, a markup language created by Mailjet. All users of `FelixSchwarz/mjml-python` who insert untrusted data into mjml templates unless that data is checked in a very strict manner. User input like `<script>` would be rendered as `` in the final HTML output. The attacker must be able to control some data which is later injected in an mjml template which is then send out as email to other users. The attacker could control contents of email messages sent through the platform. The problem has been fixed in version 0.11.0 of this library. Versions before 0.10.0 are not affected by this security issue. As a workaround, ensure that potentially untrusted user input does not contain any sequences which could be rendered as HTML.

WayOS IBR-7150

The CodeQL CLI repo holds binaries for the CodeQL command line interface (CLI). Prior to version 2.16.3, an XML parser used by the CodeQL CLI to read various auxiliary files is vulnerable to an XML External Entity attack. If a vulnerable version of the CLI is used to process either a maliciously modified CodeQL database, or a specially prepared set of QL query sources, the CLI can be made to make an outgoing HTTP request to an URL that contains material read from a local file chosen by the attacker. This may result in a loss of privacy of exfiltration of secrets. Security researchers and QL authors who receive databases or QL source files from untrusted sources may be impacted. A single untrusted `.ql` or `.qll` file cannot be affected, but a zip archive or tarball containing QL sources may unpack auxiliary files that will trigger an attack when CodeQL sees them in the file system. Those using CodeQL for routine analysis of source trees with a preselected set of trusted queries are not affected. In particular, extracting XML files from a source tree into the CodeQL database does not make one vulnerable. The problem is fixed in release 2.16.3 of the CodeQL CLI. Other than upgrading, workarounds include not accepting CodeQL databases or queries from untrusted sources, or only processing such material on a machine without an Internet connection. Customers who use older releases of CodeQL for security scanning in an automated CI system and cannot upgrade for compliance reasons can continue using that version. That use case is safe. If such customers have a private query pack and use the `codeql pack create` command to precompile them before using them in the CI system, they should be using the production CodeQL release to run `codeql pack create`. That command is safe as long as the QL source it precompiled is trusted. All other development of the query pack should use an upgraded CLI.

Tuleap is an open source suite to improve management of software developments and collaboration. Prior to version 15.5.99.76 of Tuleap Community Edition and prior to versions 15.5-4 and 15.4-7 of Tuleap Enterprise Edition, users with a read access to a tracker where the mass update feature is used might get access to restricted information. Tuleap Community Edition 15.5.99.76, Tuleap Enterprise Edition 15.5-4, and Tuleap Enterprise Edition 15.4-7 contain a patch for this issue.

Discourse Calendar adds the ability to create a dynamic calendar in the first post of a topic on the open-source discussion platform Discourse. Prior to version 0.4, event invitees created in topics in private categories or PMs (private messages) can be retrieved by anyone, even if they're not logged in. This problem is resolved in version 0.4 of the discourse-calendar plugin. While no known workaround is available, putting the site behind `login_required` will disallow this endpoint to be used by anonymous users, but logged in users can still get the list of invitees in the private topics.

SKINsoft S-Museum 7.02.3 allows Unrestricted File Upload via the Add Media function. Unlike in CVE-2024-25801, the attack payload is the file content.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf: Reject variable offset alu on PTR_TO_FLOW_KEYS<br /> <br /> For PTR_TO_FLOW_KEYS, check_flow_keys_access() only uses fixed off<br /> for validation. However, variable offset ptr alu is not prohibited<br /> for this ptr kind. So the variable offset is not checked.<br /> <br /> The following prog is accepted:<br /> <br /> func#0 @0<br /> 0: R1=ctx() R10=fp0<br /> 0: (bf) r6 = r1 ; R1=ctx() R6_w=ctx()<br /> 1: (79) r7 = *(u64 *)(r6 +144) ; R6_w=ctx() R7_w=flow_keys()<br /> 2: (b7) r8 = 1024 ; R8_w=1024<br /> 3: (37) r8 /= 1 ; R8_w=scalar()<br /> 4: (57) r8 &amp;= 1024 ; R8_w=scalar(smin=smin32=0,<br /> smax=umax=smax32=umax32=1024,var_off=(0x0; 0x400))<br /> 5: (0f) r7 += r8<br /> mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1<br /> mark_precise: frame0: regs=r8 stack= before 4: (57) r8 &amp;= 1024<br /> mark_precise: frame0: regs=r8 stack= before 3: (37) r8 /= 1<br /> mark_precise: frame0: regs=r8 stack= before 2: (b7) r8 = 1024<br /> 6: R7_w=flow_keys(smin=smin32=0,smax=umax=smax32=umax32=1024,var_off<br /> =(0x0; 0x400)) R8_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=1024,<br /> var_off=(0x0; 0x400))<br /> 6: (79) r0 = *(u64 *)(r7 +0) ; R0_w=scalar()<br /> 7: (95) exit<br /> <br /> This prog loads flow_keys to r7, and adds the variable offset r8<br /> to r7, and finally causes out-of-bounds access:<br /> <br /> BUG: unable to handle page fault for address: ffffc90014c80038<br /> [...]<br /> Call Trace:<br /> <br /> bpf_dispatcher_nop_func include/linux/bpf.h:1231 [inline]<br /> __bpf_prog_run include/linux/filter.h:651 [inline]<br /> bpf_prog_run include/linux/filter.h:658 [inline]<br /> bpf_prog_run_pin_on_cpu include/linux/filter.h:675 [inline]<br /> bpf_flow_dissect+0x15f/0x350 net/core/flow_dissector.c:991<br /> bpf_prog_test_run_flow_dissector+0x39d/0x620 net/bpf/test_run.c:1359<br /> bpf_prog_test_run kernel/bpf/syscall.c:4107 [inline]<br /> __sys_bpf+0xf8f/0x4560 kernel/bpf/syscall.c:5475<br /> __do_sys_bpf kernel/bpf/syscall.c:5561 [inline]<br /> __se_sys_bpf kernel/bpf/syscall.c:5559 [inline]<br /> __x64_sys_bpf+0x73/0xb0 kernel/bpf/syscall.c:5559<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:83<br /> entry_SYSCALL_64_after_hwframe+0x63/0x6b<br /> <br /> Fix this by rejecting ptr alu with variable offset on flow_keys.<br /> Applying the patch rejects the program with "R7 pointer arithmetic<br /> on flow_keys prohibited".