Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made available a database, in Spanish, covering the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database) under a partnership agreement through which INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still translating them. The CVE (Common Vulnerabilities and Exposures) standard for naming information security vulnerabilities is used so that information can be exchanged between different tools and databases.

Every vulnerability collected is linked to its information sources and to any patches or solutions made available by manufacturers and developers. Advanced searches are possible: results can be narrowed down by criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily of the latest vulnerabilities added to the repository. Below is a list, updated daily, of the most recently added vulnerabilities.

CVE-2018-25195

Publication date:
26/03/2026
Wecodex Hotel CMS 1.0 contains an SQL injection vulnerability in the admin login functionality that allows unauthenticated attackers to bypass authentication by injecting SQL code. Attackers can submit malicious SQL payloads through the username parameter in POST requests to index.php with action=processlogin to extract sensitive database information or gain unauthorized administrative access.
Severity CVSS v4.0: HIGH
Last modification:
27/03/2026

CVE-2018-25201

Publication date:
26/03/2026
School Management System CMS 1.0 contains an SQL injection vulnerability in the admin login functionality that allows attackers to bypass authentication by injecting SQL code through the username parameter. Attackers can submit malicious payloads using boolean-based blind SQL injection techniques to the processlogin endpoint to authenticate as administrator without valid credentials.
Severity CVSS v4.0: HIGH
Last modification:
27/03/2026

CVE-2018-25202

Publication date:
26/03/2026
SAT CFDI 3.3 contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the 'id' parameter in the signIn endpoint. Attackers can submit POST requests with boolean-based blind, stacked queries, or time-based blind SQL injection payloads to extract sensitive data or compromise the application.
Severity CVSS v4.0: HIGH
Last modification:
26/03/2026

CVE-2018-25183

Publication date:
26/03/2026
Shipping System CMS 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to bypass authentication by injecting SQL code through the username parameter. Attackers can submit malicious SQL payloads using boolean-based blind techniques in POST requests to the admin login endpoint to authenticate without valid credentials.
Severity CVSS v4.0: HIGH
Last modification:
27/03/2026
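The four entries above (CVE-2018-25195, CVE-2018-25201, CVE-2018-25202 and CVE-2018-25183) describe the same defect: a login query assembled from the raw username parameter, which both bypasses authentication and, with boolean-based blind techniques, leaks the database one bit per request. The following is an added illustration written for this page; it is not code from any of the products listed, and the table, account and hash value are constructed. It contrasts a concatenated query with a parameterised one, runs the bypass and a blind extraction loop against both, and uses an in-memory SQLite database so it runs offline.

```python
"""Added illustration of SQL injection in a login handler (not code from any
of the CMS products listed above).  The schema, the admin account and the hash
value are constructed for this example."""
import sqlite3

ADMIN_USER = "admin"
ADMIN_HASH = "5f4dcc3b"  # constructed sample value, not a real credential


def make_db():
    """Constructed sample database with a single administrator row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?, ?)", (ADMIN_USER, ADMIN_HASH, "admin"))
    return conn


def login_vulnerable(conn, username, password):
    """Hypothetical 'processlogin' that splices the username into the SQL text.
    Returns the matched username, or None when the login fails."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        return None  # a syntax error from a payload just looks like a failed login
    return row[0] if row else None


def login_fixed(conn, username, password):
    """Same logic with bound parameters: the input is data, never SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def bypass_payload():
    """Authentication bypass: the quote closes the string literal and '--'
    turns the password comparison into a comment."""
    return "admin' -- "


def blind_extract_hash(login, conn, length):
    """Boolean-based blind extraction through the login oracle: each probe asks
    whether one character of the stored hash equals a guess; a successful login
    answers 'yes'.  Against the fixed handler no probe ever succeeds, so the
    loop stops at the first position and returns an empty string."""
    alphabet = "0123456789abcdef"
    recovered = ""
    for pos in range(1, length + 1):
        for ch in alphabet:
            probe = f"admin' AND substr(password,{pos},1)='{ch}' -- "
            if login(conn, probe, "x") == ADMIN_USER:
                recovered += ch
                break
        else:
            return recovered  # no guess matched: the oracle is closed
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("vulnerable bypass:", login_vulnerable(db, bypass_payload(), "wrong"))
    print("fixed bypass:     ", login_fixed(db, bypass_payload(), "wrong"))
    print("vulnerable blind: ", blind_extract_hash(login_vulnerable, db, len(ADMIN_HASH)))
    print("fixed blind:      ", blind_extract_hash(login_fixed, db, len(ADMIN_HASH)))
```

The blind loop is the part worth noticing: it never needs an error message or query output, only the difference between a successful and a failed login, which is why "boolean-based blind" payloads work against login forms that otherwise reveal nothing. Parameterisation removes the oracle entirely; input filtering on the username does not.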

CVE-2026-4274

Publication date:
26/03/2026
Mattermost versions 11.2.x
Severity CVSS v4.0: Pending analysis
Last modification:
26/03/2026

CVE-2026-4809

Publication date:
26/03/2026
plank/laravel-mediable through version 6.4.0 can allow upload of a dangerous file type when an application using the package accepts or prefers a client-supplied MIME type during file upload handling. In that configuration, a remote attacker can submit a file containing executable PHP code while declaring a benign image MIME type, resulting in arbitrary file upload. If the uploaded file is stored in a web-accessible and executable location, this may lead to remote code execution. At the time of publication, no patch was available and the vendor had not responded to coordinated disclosure attempts.
Severity CVSS v4.0: CRITICAL
Last modification:
26/03/2026
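The CVE-2026-4809 entry turns on one decision: whether the upload handler believes the MIME type the client declares or derives it from the bytes it received. The following is an added illustration written for this page, not code from plank/laravel-mediable or from any Laravel application; the sample uploads are constructed inline and the signature table covers only three image types. It shows the weak check beside a stricter one, a server-chosen storage name, and the residual case (a valid image header followed by PHP code) that content sniffing alone does not catch.

```python
"""Added illustration of client-trusted versus content-derived MIME checks for
file uploads (not code from laravel-mediable).  All uploads below are
constructed for this example."""
import secrets

# Constructed uploads.  Each mimics a multipart part: the client's filename,
# the client's declared Content-Type, and the bytes actually received.
PNG_UPLOAD = {"name": "avatar.png", "mime": "image/png",
              "data": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16}
PHP_UPLOAD = {"name": "avatar.png", "mime": "image/png",
              "data": b"<?php echo 'hello'; ?>"}          # PHP declared as an image
POLYGLOT_UPLOAD = {"name": "avatar.png", "mime": "image/png",
                   "data": b"\x89PNG\r\n\x1a\n" + b"<?php echo 'hello'; ?>"}

ALLOWED_MIMES = {"image/png", "image/jpeg", "image/gif"}

# Leading-byte signatures for the allowed types.
MAGIC = {
    "image/png":  [b"\x89PNG\r\n\x1a\n"],
    "image/jpeg": [b"\xff\xd8\xff"],
    "image/gif":  [b"GIF87a", b"GIF89a"],
}
EXTENSION = {"image/png": ".png", "image/jpeg": ".jpg", "image/gif": ".gif"}


def sniff_mime(data):
    """Return the MIME type implied by the file's own bytes, or None."""
    for mime, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return mime
    return None


def accept_weak(upload):
    """Weak check: the client-declared Content-Type decides.  A PHP file that
    claims to be image/png is accepted."""
    return upload["mime"] in ALLOWED_MIMES


def accept_strict(upload):
    """Stricter check: the type is derived from the bytes and must be an allowed
    type, and the client's claim must agree with it."""
    detected = sniff_mime(upload["data"])
    return detected in ALLOWED_MIMES and upload["mime"] == detected


def storage_name(upload):
    """Server-chosen filename: random stem plus the extension of the detected
    type, so neither the client's filename nor its extension reaches disk."""
    detected = sniff_mime(upload["data"])
    if detected not in EXTENSION:
        raise ValueError("unsupported or unrecognised file content")
    return secrets.token_hex(16) + EXTENSION[detected]


if __name__ == "__main__":
    for label, up in (("png", PNG_UPLOAD), ("php", PHP_UPLOAD), ("polyglot", POLYGLOT_UPLOAD)):
        print(label, "weak:", accept_weak(up), "strict:", accept_strict(up))
```

The polyglot case is the caveat: a file that starts with a genuine PNG header and carries PHP code later passes the strict check too, so the signature test only closes the specific gap the advisory describes. The storage decision the advisory mentions is what removes the remaining risk: a server-chosen name with a non-executable extension, written to a location that the web server does not execute scripts from, means a polyglot that slips through is served as an image and never run.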

CVE-2026-24068

Publication date:
26/03/2026
The VSL privileged helper does utilize NSXPC for IPC. The implementation of the "shouldAcceptNewConnection" function, which is used by the NSXPC framework to validate if a client should be allowed to connect to the XPC listener, does not validate clients at all. This means that any process can connect to this service using the configured protocol. A malicious process is able to call all the functions defined in the corresponding HelperToolProtocol. No validation is performed in the functions "writeReceiptFile" and "runUninstaller" of the HelperToolProtocol. This allows an attacker to write files to any location with any data as well as execute any file with any arguments. Any process can call these functions because of the missing XPC client validation described before. The abuse of the missing endpoint validation leads to privilege escalation.
Severity CVSS v4.0: Pending analysis
Last modification:
03/04/2026

CVE-2026-23398

Publication date:
26/03/2026
In the Linux kernel, the following vulnerability has been resolved:

icmp: fix NULL pointer dereference in icmp_tag_validation()

icmp_tag_validation() unconditionally dereferences the result of rcu_dereference(inet_protos[proto]) without checking for NULL. The inet_protos[] array is sparse -- only about 15 of 256 protocol numbers have registered handlers. When ip_no_pmtu_disc is set to 3 (hardened PMTU mode) and the kernel receives an ICMP Fragmentation Needed error with a quoted inner IP header containing an unregistered protocol number, the NULL dereference causes a kernel panic in softirq context.

Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
RIP: 0010:icmp_unreach (net/ipv4/icmp.c:1085 net/ipv4/icmp.c:1143)
Call Trace:

icmp_rcv (net/ipv4/icmp.c:1527)
ip_protocol_deliver_rcu (net/ipv4/ip_input.c:207)
ip_local_deliver_finish (net/ipv4/ip_input.c:242)
ip_local_deliver (net/ipv4/ip_input.c:262)
ip_rcv (net/ipv4/ip_input.c:573)
__netif_receive_skb_one_core (net/core/dev.c:6164)
process_backlog (net/core/dev.c:6628)
handle_softirqs (kernel/softirq.c:561)

Add a NULL check before accessing icmp_strict_tag_validation. If the protocol has no registered handler, return false since it cannot perform strict tag validation.
Severity CVSS v4.0: Pending analysis
Last modification:
24/04/2026

CVE-2026-23397

Publication date:
26/03/2026
In the Linux kernel, the following vulnerability has been resolved:

nfnetlink_osf: validate individual option lengths in fingerprints

nfnl_osf_add_callback() validates opt_num bounds and string NUL-termination but does not check individual option length fields. A zero-length option causes nf_osf_match_one() to enter the option matching loop even when foptsize sums to zero, which matches packets with no TCP options where ctx->optp is NULL:

Oops: general protection fault
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98)
Call Trace:
nf_osf_match (net/netfilter/nfnetlink_osf.c:227)
xt_osf_match_packet (net/netfilter/xt_osf.c:32)
ipt_do_table (net/ipv4/netfilter/ip_tables.c:293)
nf_hook_slow (net/netfilter/core.c:623)
ip_local_deliver (net/ipv4/ip_input.c:262)
ip_rcv (net/ipv4/ip_input.c:573)

Additionally, an MSS option (kind=2) with length
Severity CVSS v4.0: Pending analysis
Last modification:
24/04/2026

CVE-2026-23396

Publication date:
26/03/2026
In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211: fix NULL deref in mesh_matches_local()

mesh_matches_local() unconditionally dereferences ie->mesh_config to compare mesh configuration parameters. When called from mesh_rx_csa_frame(), the parsed action-frame elements may not contain a Mesh Configuration IE, leaving ie->mesh_config NULL and triggering a kernel NULL pointer dereference.

The other two callers are already safe:
- ieee80211_mesh_rx_bcn_presp() checks !elems->mesh_config before calling mesh_matches_local()
- mesh_plink_get_event() is only reached through mesh_process_plink_frame(), which checks !elems->mesh_config, too

mesh_rx_csa_frame() is the only caller that passes raw parsed elements to mesh_matches_local() without guarding mesh_config. An adjacent attacker can exploit this by sending a crafted CSA action frame that includes a valid Mesh ID IE but omits the Mesh Configuration IE, crashing the kernel.

The captured crash log:

Oops: general protection fault, probably for non-canonical address ...
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
Workqueue: events_unbound cfg80211_wiphy_work
[...]
Call Trace:

? __pfx_mesh_matches_local (net/mac80211/mesh.c:65)
ieee80211_mesh_rx_queued_mgmt (net/mac80211/mesh.c:1686)
[...]
ieee80211_iface_work (net/mac80211/iface.c:1754 net/mac80211/iface.c:1802)
[...]
cfg80211_wiphy_work (net/wireless/core.c:426)
process_one_work (net/kernel/workqueue.c:3280)
? assign_work (net/kernel/workqueue.c:1219)
worker_thread (net/kernel/workqueue.c:3352)
? __pfx_worker_thread (net/kernel/workqueue.c:3385)
kthread (net/kernel/kthread.c:436)
[...]
ret_from_fork_asm (net/arch/x86/entry/entry_64.S:255)

This patch adds a NULL check for ie->mesh_config at the top of mesh_matches_local() to return false early when the Mesh Configuration IE is absent.
Severity CVSS v4.0: Pending analysis
Last modification:
24/04/2026

CVE-2026-4263

Publication date:
26/03/2026
Vulnerability of incorrect authorization in HiJiffy Chatbot allows an attacker to download private messages from other users via the parameter 'visitor' in '/api/v1/webchat/message'.
Severity CVSS v4.0: MEDIUM
Last modification:
26/03/2026

CVE-2026-4862

Publication date:
26/03/2026
A security vulnerability has been detected in UTT HiPER 1250GW up to 3.2.7-210907-180535. This issue affects the function strcpy of the file /goform/formConfigDnsFilterGlobal of the component Parameter Handler. Such manipulation of the argument GroupName leads to buffer overflow. The attack can be launched remotely. The exploit has been disclosed publicly and may be used.
Severity CVSS v4.0: HIGH
Last modification:
24/04/2026