Vulnerabilidades

*** Pendiente de traducción *** A vulnerability was detected in SKTLab Mukbee App 1.01.196 on Android. This affects an unknown function of the file AndroidManifest.xml of the component com.dw.android.mukbee. The manipulation results in improper export of android application components. The attack must be initiated from a local position. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

*** Pendiente de traducción *** CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1205 allows unauthenticated remote code execution via shell metacharacters in the t_total parameter in a filemanager changePerm request. A valid non-root username must be known.

*** Pendiente de traducción *** IBM Copy Services Manager 6.3.13 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

*** Pendiente de traducción *** Accela Automation Platform 22.2.3.0.230103 contains multiple vulnerabilities in the Test Script feature. An authenticated administrative user can execute arbitrary Java code on the server, resulting in remote code execution. In addition, improper input validation allows for arbitrary file write and server-side request forgery (SSRF), enabling interaction with internal or external systems. Successful exploitation can lead to full server compromise, unauthorized access to sensitive data, and further network exploitation.

*** Pendiente de traducción *** AliasVault is a privacy-first password manager with built-in email aliasing. A server-side request forgery (SSRF) vulnerability exists in the favicon extraction feature of AliasVault API versions 0.23.0 and lower. The extractor fetches a user-supplied URL, parses the returned HTML, and follows . Although the initial URL is validated to allow only HTTP/HTTPS with default ports, the extractor automatically follows redirects and does not block requests to loopback or internal IP ranges. An authenticated, low-privileged user can exploit this behavior to coerce the backend into making HTTP(S) requests to arbitrary internal hosts and non-default ports. If the target host serves a favicon or any other valid image, the response is returned to the attacker in Base64 form. Even when no data is returned, timing and error behavior can be abused to map internal services. This vulnerability only affects self-hosted AliasVault instances that are reachable from the public internet with public user registration enabled. Private/internal deployments without public sign-ups are not directly exploitable. This issue has been fixed in AliasVault release 0.23.1.

*** Pendiente de traducción *** The Cloudflare Vite plugin enables a full-featured integration between Vite and the Workers runtime. When utilising the Cloudflare Vite plugin in its default configuration, all files are exposed by the local dev server, including files in the root directory that contain secret information such as .env and .dev.vars. This vulnerability is fixed in 1.6.0.

*** Pendiente de traducción *** Tenda AC6 router firmware 15.03.05.19 contains a command injection vulnerability in the formSetIptv function, which processes requests to the /goform/SetIPTVCfg web interface. When handling the list and vlanId parameters, the sub_ADBC0 helper function concatenates these user-supplied values into nvram set system commands using doSystemCmd, without validating or sanitizing special characters (e.g., ;, ", #). An unauthenticated or authenticated attacker can exploit this by submitting a crafted POST request, leading to arbitrary system command execution on the affected device.

*** Pendiente de traducción *** CMSEasy v7.7.8.0 and before is vulnerable to Arbitrary file deletion in database_admin.php.

*** Pendiente de traducción *** Directory traversal vulnerability in Sync In server thru 1.1.1 allowing authenticated attackers to gain read and write access to the system via FilesManager.saveMultipart function in backend/src/applications/files/services/files-manager.service.ts, and FilesManager.compress function in backend/src/applications/files/services/files-manager.service.ts.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: vhci: Prevent use-after-free by removing debugfs files early<br /> <br /> Move the creation of debugfs files into a dedicated function, and ensure<br /> they are explicitly removed during vhci_release(), before associated<br /> data structures are freed.<br /> <br /> Previously, debugfs files such as "force_suspend", "force_wakeup", and<br /> others were created under hdev-&gt;debugfs but not removed in<br /> vhci_release(). Since vhci_release() frees the backing vhci_data<br /> structure, any access to these files after release would result in<br /> use-after-free errors.<br /> <br /> Although hdev-&gt;debugfs is later freed in hci_release_dev(), user can<br /> access files after vhci_data is freed but before hdev-&gt;debugfs is<br /> released.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: mt76: mt7915: fix list corruption after hardware restart<br /> <br /> Since stations are recreated from scratch, all lists that wcids are added<br /> to must be cleared before calling ieee80211_restart_hw.<br /> Set wcid-&gt;sta = 0 for each wcid entry in order to ensure that they are<br /> not added again before they are ready.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> tee: fix NULL pointer dereference in tee_shm_put<br /> <br /> tee_shm_put have NULL pointer dereference:<br /> <br /> __optee_disable_shm_cache --&gt;<br /> shm = reg_pair_to_ptr(...);//shm maybe return NULL<br /> tee_shm_free(shm); --&gt;<br /> tee_shm_put(shm);//crash<br /> <br /> Add check in tee_shm_put to fix it.<br /> <br /> panic log:<br /> Unable to handle kernel paging request at virtual address 0000000000100cca<br /> Mem abort info:<br /> ESR = 0x0000000096000004<br /> EC = 0x25: DABT (current EL), IL = 32 bits<br /> SET = 0, FnV = 0<br /> EA = 0, S1PTW = 0<br /> FSC = 0x04: level 0 translation fault<br /> Data abort info:<br /> ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000<br /> CM = 0, WnR = 0, TnD = 0, TagAccess = 0<br /> GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0<br /> user pgtable: 4k pages, 48-bit VAs, pgdp=0000002049d07000<br /> [0000000000100cca] pgd=0000000000000000, p4d=0000000000000000<br /> Internal error: Oops: 0000000096000004 [#1] SMP<br /> CPU: 2 PID: 14442 Comm: systemd-sleep Tainted: P OE ------- ----<br /> 6.6.0-39-generic #38<br /> Source Version: 938b255f6cb8817c95b0dd5c8c2944acfce94b07<br /> Hardware name: greatwall GW-001Y1A-FTH, BIOS Great Wall BIOS V3.0<br /> 10/26/2022<br /> pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br /> pc : tee_shm_put+0x24/0x188<br /> lr : tee_shm_free+0x14/0x28<br /> sp : ffff001f98f9faf0<br /> x29: ffff001f98f9faf0 x28: ffff0020df543cc0 x27: 0000000000000000<br /> x26: ffff001f811344a0 x25: ffff8000818dac00 x24: ffff800082d8d048<br /> x23: ffff001f850fcd18 x22: 0000000000000001 x21: ffff001f98f9fb88<br /> x20: ffff001f83e76218 x19: ffff001f83e761e0 x18: 000000000000ffff<br /> x17: 303a30303a303030 x16: 0000000000000000 x15: 0000000000000003<br /> x14: 0000000000000001 x13: 0000000000000000 x12: 0101010101010101<br /> x11: 0000000000000001 x10: 0000000000000001 x9 : ffff800080e08d0c<br /> x8 : ffff001f98f9fb88 x7 : 0000000000000000 x6 : 0000000000000000<br /> x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000<br /> x2 : ffff001f83e761e0 x1 : 00000000ffff001f x0 : 0000000000100cca<br /> Call trace:<br /> tee_shm_put+0x24/0x188<br /> tee_shm_free+0x14/0x28<br /> __optee_disable_shm_cache+0xa8/0x108<br /> optee_shutdown+0x28/0x38<br /> platform_shutdown+0x28/0x40<br /> device_shutdown+0x144/0x2b0<br /> kernel_power_off+0x3c/0x80<br /> hibernate+0x35c/0x388<br /> state_store+0x64/0x80<br /> kobj_attr_store+0x14/0x28<br /> sysfs_kf_write+0x48/0x60<br /> kernfs_fop_write_iter+0x128/0x1c0<br /> vfs_write+0x270/0x370<br /> ksys_write+0x6c/0x100<br /> __arm64_sys_write+0x20/0x30<br /> invoke_syscall+0x4c/0x120<br /> el0_svc_common.constprop.0+0x44/0xf0<br /> do_el0_svc+0x24/0x38<br /> el0_svc+0x24/0x88<br /> el0t_64_sync_handler+0x134/0x150<br /> el0t_64_sync+0x14c/0x15