Instituto Nacional de Ciberseguridad (National Cybersecurity Institute). INCIBE-CERT section

Vulnerabilities

In order to inform, warn and assist professionals about the latest security vulnerabilities in technology systems, we make available to users interested in this information a database with Spanish-language information on each of the latest documented and known vulnerabilities.

This repository, with more than 75,000 records, is based on information from the NVD (National Vulnerability Database) under a collaboration agreement, by which INCIBE translates the included information into Spanish. At times this list will show vulnerabilities that have not yet been translated, because they are collected during the period in which the INCIBE team carries out the translation process.

The CVE (Common Vulnerabilities and Exposures) vulnerability naming standard is used in order to facilitate the exchange of information between different databases and tools. Each of the collected vulnerabilities links to various sources of information as well as to available patches or solutions provided by manufacturers and developers. Advanced searches can be performed, with the option to select different criteria such as vulnerability type, vendor and impact type, among others, in order to narrow the results.

Through RSS subscription or Newsletters (Boletines) you can be informed daily of the latest vulnerabilities added to the repository.

CVE-2026-9302

Publication date:
23/05/2026
Language:
English
*** Translation pending *** A vulnerability was determined in 546669204 vps-inventory-monitoring up to 98c00b370668c96ae75e91c15548d9ea113652d9. This issue affects the function eval of the file app/index/command/VpsTest.php of the component VpsTest Console. Executing a manipulation of the argument vf can lead to code injection. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The project was informed of the problem early through an issue report but has not responded yet.
Severity CVSS v4.0: LOW
Last modified:
23/05/2026

CVE-2026-9303

Publication date:
23/05/2026
Language:
English
*** Translation pending *** A vulnerability was identified in calcom cal.diy up to 4.9.4. Impacted is an unknown function. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: LOW
Last modified:
23/05/2026

CVE-2026-9300

Publication date:
23/05/2026
Language:
English
*** Translation pending *** A vulnerability has been found in omec-project amf up to 2.1.1. This affects an unknown part of the component NGSetupRequest Handler. Such manipulation leads to memory corruption. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. It is best practice to apply a patch to resolve this issue.
Severity CVSS v4.0: LOW
Last modified:
23/05/2026

CVE-2026-43503

Publication date:
23/05/2026
Language:
English
*** Translation pending *** In the Linux kernel, the following vulnerability has been resolved:

net: skbuff: propagate shared-frag marker through frag-transfer helpers

Two frag-transfer helpers (__pskb_copy_fclone() and skb_shift()) fail to propagate the SKBFL_SHARED_FRAG bit in skb_shinfo()->flags when moving frags from source to destination. __pskb_copy_fclone() defers the rest of the shinfo metadata to skb_copy_header() after copying frag descriptors, but that helper only carries over gso_{size,segs,type} and never touches skb_shinfo()->flags; skb_shift() moves frag descriptors directly and leaves flags untouched. As a result, the destination skb keeps a reference to the same externally-owned or page-cache-backed pages while reporting skb_has_shared_frag() as false.

The mismatch is harmful in any in-place writer that uses skb_has_shared_frag() to decide whether shared pages must be detoured through skb_cow_data(). ESP input is one such writer (esp4.c, esp6.c), and a single nft 'dup to ' rule -- or any other nf_dup_ipv4() / xt_TEE caller -- is enough to land a pskb_copy()'d skb in esp_input() with the marker stripped, letting an unprivileged user write into the page cache of a root-owned read-only file via authencesn-ESN stray writes.

Set SKBFL_SHARED_FRAG on the destination whenever frag descriptors were actually moved from the source. skb_copy() and skb_copy_expand() share skb_copy_header() too but linearize all paged data into freshly allocated head storage and emerge with nr_frags == 0, so skb_has_shared_frag() returns false on its own; they need no change.

The same omission exists in skb_gro_receive() and skb_gro_receive_list(). The former moves the incoming skb's frag descriptors into the accumulator's last sub-skb via two paths (a direct frag-move loop and the head_frag + memcpy path); the latter chains the incoming skb whole onto p's frag_list. Downstream skb_segment() reads only skb_shinfo(p)->flags, and skb_segment_list() reuses each sub-skb's shinfo as the nskb -- both p and lp must carry the marker.

The same omission also exists in tcp_clone_payload(), which builds an MTU probe skb by moving frag descriptors from skbs on sk_write_queue into a freshly allocated nskb. The helper falls into the same family and warrants the same fix for consistency; no TCP TX-side in-place writer is currently known to reach a user page through this gap, but a future consumer depending on the marker would regress silently.

The same omission exists in skb_segment(): the per-iteration flag merge takes only head_skb's flag, and the inner switch that rebinds frag_skb to list_skb on head_skb-frags exhaustion does not fold the new frag_skb's flag into nskb. Fold frag_skb's flag at both sites so segments drawing frags from frag_list members carry the marker.
Severity: Pending analysis
Last modified:
25/05/2026

CVE-2026-46300

Publication date:
23/05/2026
Language:
English
*** Translation pending *** In the Linux kernel, the following vulnerability has been resolved:

net: skbuff: preserve shared-frag marker during coalescing

skb_try_coalesce() can attach paged frags from @from to @to. If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally-owned or page-cache-backed frags, but the shared-frag marker is currently lost.

That breaks the invariant relied on by later in-place writers. In particular, ESP input checks skb_has_shared_frag() before deciding whether an uncloned nonlinear skb can skip skb_cow_data(). If TCP receive coalescing has moved shared frags into an unmarked skb, ESP can see skb_has_shared_frag() as false and decrypt in place over page-cache backed frags.

Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged frags. The tailroom copy path does not need the marker because it copies bytes into @to's linear data rather than transferring frag descriptors.
Severity CVSS v3.1: HIGH
Last modified:
26/05/2026

CVE-2026-9298

Publication date:
23/05/2026
Language:
English
*** Translation pending *** A vulnerability was detected in omec-project amf up to 2.1.1. Affected by this vulnerability is an unknown functionality of the component PathSwitchRequest Handler. The manipulation results in memory corruption. The attack may be launched remotely. The exploit is now public and may be used. It is advisable to implement a patch to correct this issue.
Severity CVSS v4.0: LOW
Last modified:
23/05/2026

CVE-2026-9299

Publication date:
23/05/2026
Language:
English
*** Translation pending *** A flaw has been found in omec-project amf up to 2.1.1. Affected by this issue is the function PDUSessionResourceModifyIndication of the file /go/src/amf/ngap/handler.go. This manipulation causes memory corruption. Remote exploitation of the attack is possible. The exploit has been published and may be used. Applying a patch is the recommended action to fix this issue.
Severity CVSS v4.0: LOW
Last modified:
23/05/2026

CVE-2026-9297

Publication date:
23/05/2026
Language:
English
*** Translation pending *** A security vulnerability has been detected in Edimax BR-6428NS 1.10. Affected is the function formWlbasic of the file /goform/formWlbasic of the component POST Request Handler. The manipulation of the argument repeaterSSID leads to command injection. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: LOW
Last modified:
23/05/2026

CVE-2026-9296

Publication date:
23/05/2026
Language:
English
*** Translation pending *** A weakness has been identified in Edimax BR-6428NS 1.10. This impacts the function system of the file /goform/formWlanM of the component POST Request Handler. Executing a manipulation of the argument ateFunc/ateGain/ateTxCount/ateChan/ateRate/ateMacID/e2pTxPower1/e2pTxPower2/e2pTxPower3/e2pTxPower4/e2pTxPower5/e2pTxPower6/e2pTxPower7/e2pTx2Power1/e2pTx2Power2/e2pTx2Power3/e2pTx2Power4/e2pTx2Power5/e2pTx2Power6/e2pTx2Power7/ateTxFreqOffset/ateMode/ateBW/ateAntenna/e2pTxFreqOffset/e2pTxPwDeltaB/e2pTxPwDeltaG/e2pTxPwDeltaMix/e2pTxPwDeltaN/readE2P can lead to command injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: LOW
Last modified:
23/05/2026

CVE-2026-9294

Publication date:
23/05/2026
Language:
English
*** Translation pending *** A vulnerability was identified in Edimax BR-6428NS 1.10. The impacted element is the function formWanTcpipSetup of the file /goform/formWanTcpipSetup of the component POST Request Handler. Such manipulation of the argument pppUserName leads to buffer overflow. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: HIGH
Last modified:
23/05/2026

CVE-2026-9295

Publication date:
23/05/2026
Language:
English
*** Translation pending *** A security flaw has been discovered in Edimax BR-6428NS 1.10. This affects the function formWirelessTbl of the file /goform/formWirelessTbl of the component POST Request Handler. Performing a manipulation of the argument vapurl results in buffer overflow. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: HIGH
Last modified:
23/05/2026

CVE-2026-6419

Publication date:
23/05/2026
Language:
English
*** Translation pending *** The WishList Member plugin for WordPress is vulnerable to Privilege Escalation via Missing Authorization in versions up to and including 3.30.1. This is due to the missing capability and nonce check in the ajax_get_screen() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to supply an arbitrary admin screen identifier via the data[url] parameter, causing the plugin to load and execute the administrative API configuration template without authorization. The rendered HTML, which contains the plugin's plaintext REST API Secret Key, is returned directly to the attacker in the AJAX JSON response. An attacker who obtains this key can authenticate to the WishList Member API, create a new membership level assigned the administrator WordPress role, and register an arbitrary administrator-level user account, resulting in complete site takeover.
Severity CVSS v3.1: HIGH
Last modified:
23/05/2026