Vulnerabilities

A vulnerability exists in the QuickJS engine&amp;#39;s BigInt string parsing logic (js_bigint_from_string) when attempting to create a BigInt from a string with an excessively large number of digits.<br /> <br /> The function calculates the necessary number of bits (n_bits) required to store the BigInt using the formula:<br /> <br /> $$\text{n\_bits} = (\text{n\_digits} \times 27 + 7) / 8 \quad (\text{for radix 10})$$<br /> <br /> * For large input strings (e.g., $79,536,432$ digits or more for base 10), the intermediate calculation $(\text{n\_digits} \times 27 + 7)$ exceeds the maximum value of a standard signed 32-bit integer, resulting in an Integer Overflow.<br /> <br /> <br /> * The resulting n_bits value becomes unexpectedly small or even negative due to this wrap-around.<br /> <br /> <br /> * This flawed n_bits is then used to compute n_limbs, the number of memory "limbs" needed for the BigInt object. Since n_bits is too small, the calculated n_limbs is also significantly underestimated.<br /> <br /> <br /> * The function proceeds to allocate a JSBigInt object using this underestimated n_limbs.<br /> <br /> <br /> * When the function later attempts to write the actual BigInt data into the allocated object, the small buffer size is quickly exceeded, leading to a Heap Out-of-Bounds Write as data is written past the end of the allocated r-&gt;tab array.

Pega Platform versions 8.7.5 to Infinity 24.2.2 are affected by a Insecure Direct Object Reference issue in a user interface component that can only be used to read data.

A type confusion vulnerability exists in the handling of the string addition (+) operation within the QuickJS engine.<br /> <br /> * The code first checks if the left-hand operand is a string.<br /> <br /> <br /> * It then attempts to convert the right-hand operand to a primitive value using JS_ToPrimitiveFree. This conversion can trigger a callback (e.g., toString or valueOf).<br /> <br /> <br /> * During this callback, an attacker can modify the type of the left-hand operand in memory, changing it from a string to a different type (e.g., an object or an array).<br /> <br /> <br /> * The code then proceeds to call JS_ConcatStringInPlace, which still treats the modified left-hand value as a string.<br /> <br /> <br /> This mismatch between the assumed type (string) and the actual type allows an attacker to control the data structure being processed by the concatenation logic, resulting in a type confusion condition. This can lead to out-of-bounds memory access, potentially resulting in memory corruption and arbitrary code execution in the context of the QuickJS runtime.

A vulnerability exists in the QuickJS engine&amp;#39;s BigInt string conversion logic (js_bigint_to_string1) due to an incorrect calculation of the required number of digits, which in turn leads to reading memory past the allocated BigInt structure.<br /> <br /> * The function determines the number of characters (n_digits) needed for the string representation by calculating:<br /> <br /> $$ \\ \text{n\_digits} = (\text{n\_bits} + \text{log2\_radix} - 1) / \text{log2\_radix}$$<br /> <br /> $$$$This formula is off-by-one in certain edge cases when calculating the necessary memory limbs. For instance, a 127-bit BigInt using radix 32 (where $\text{log2\_radix}=5$) is calculated to need $\text{n\_digits}=26$.<br /> <br /> <br /> * The maximum number of bits actually stored is $\text{n\_bits}=127$, which requires only two 64-bit limbs ($\text{JS\_LIMB\_BITS}=64$).<br /> <br /> <br /> * The conversion loop iterates $\text{n\_digits}=26$ times, attempting to read 5 bits in each iteration, totaling $26 \times 5 = 130$ bits.<br /> <br /> <br /> * In the final iterations of the loop, the code attempts to read data that spans two limbs:<br /> <br /> C<br /> <br /> <br /> <br /> c = (r-&gt;tab[pos] &gt;&gt; shift) | (r-&gt;tab[pos + 1]

A vulnerability stemming from floating-point arithmetic precision errors exists in the QuickJS engine&amp;#39;s implementation of TypedArray.prototype.indexOf() when a negative fromIndex argument is supplied.<br /> <br /> * The fromIndex argument (read as a double variable, $d$) is used to calculate the starting position for the search.<br /> <br /> <br /> * If d is negative, the index is calculated relative to the end of the array by adding the array&amp;#39;s length (len) to d:<br /> <br /> <br /> <br /> $$d_{new} = d + \text{len}$$<br /> <br /> <br /> * Due to the inherent limitations of floating-point arithmetic, if the negative value $d$ is extremely small (e.g., $-1 \times 10^{-20}$), the addition $d + \text{len}$ can result in a loss of precision, yielding an outcome that is exactly equal to $\text{len}$.<br /> <br /> <br /> * The result is then converted to an integer index $k$: $k = \text{len}$.<br /> <br /> <br /> * The search function proceeds to read array elements starting from index $k$. Since valid indices are $0$ to $\text{len}-1$, starting the read at index $\text{len}$ is one element past the end of the array.<br /> <br /> <br /> This allows an attacker to cause an Out-of-Bounds Read of one element immediately following the buffer. While the scope of this read is small (one element), it can potentially lead to Information Disclosure of adjacent memory contents, depending on the execution environment.

A Use-After-Free (UAF) vulnerability exists in the QuickJS engine&amp;#39;s standard library when iterating over the global list of unhandled rejected promises (ts-&gt;rejected_promise_list).<br /> <br /> * The function js_std_promise_rejection_check attempts to iterate over the rejected_promise_list to report unhandled rejections using a standard list loop.<br /> <br /> <br /> * The reason for a promise rejection is processed inside the loop, including calling js_std_dump_error1(ctx, rp-&gt;reason).<br /> <br /> <br /> * If the promise rejection reason is an Error object that defines a custom property getter (e.g., via Object.defineProperty), this getter is executed during the error dumping process.<br /> <br /> <br /> * The malicious custom getter can execute JavaScript code that calls catch() on the same rejected promise being processed.<br /> <br /> <br /> * Calling catch() internally triggers js_std_promise_rejection_tracker, which then removes and frees the current promise entry (JSRejectedPromiseEntry) from the rejected_promise_list.<br /> <br /> <br /> * Since the list iteration continues using the now-freed memory pointer (el), the subsequent loop access results in a Use-After-Free condition.

In quickjs, in js_print_object, when printing an array, the function first fetches the array length and then loops over it. The issue is, printing a value is not side-effect free. An attacker-defined callback could run during js_print_value, during which the array could get resized and len1 become out of bounds. This results in a use-after-free.A second instance occurs in the same function during printing of a map or set objects. The code iterates over ms-&gt;records list, but once again, elements could be removed from the list during js_print_value call.

Mattermost Desktop App versions

A weakness has been identified in GNU Binutils 2.45. The affected element is the function vfinfo of the file ldmisc.c. Executing manipulation can lead to out-of-bounds read. The attack can only be executed locally. The exploit has been made available to the public and could be exploited. This patch is called 16357. It is best practice to apply a patch to resolve this issue.

A security vulnerability has been detected in Shazwazza Smidge up to 4.5.1. The impacted element is an unknown function of the component Bundle Handler. The manipulation of the argument Version leads to path traversal. Remote exploitation of the attack is possible. Upgrading to version 4.6.0 is sufficient to resolve this issue. It is recommended to upgrade the affected component.

A vulnerability has been found in Apeman ID71 EN75.8.53.20. The affected element is an unknown function of the file /set_alias.cgi. Such manipulation of the argument alias leads to cross site scripting. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Strapi is an open-source headless content management system. In versions from 5.0.0 to before 5.5.2, the lookup operator provided by the document service does not properly sanitize query parameters for private fields. An attacker can access private fields, including admin passwords and reset tokens, by crafting queries with the lookup parameter. This vulnerability is fixed in 5.5.2.