Vulnerabilities

Time-of-check time-of-use race condition in firmware for some Intel(R) Converged Security and Management Engine may allow a privileged user to potentially enable escalation of privilege via local access.

content-security-policy-parser parses content security policy directives. A prototype pollution vulnerability exists in versions 0.5.0 and earlier, wherein if a policy name is called __proto__, one can override the Object prototype. This issue has been patched in version 0.6.0. A workaround involves disabling prototype method in NodeJS, neutralizing all possible prototype pollution attacks. Provide either --disable-proto=delete (recommended) or --disable-proto=throw as an argument to node to enable this feature.

By using the "uscan" protocol provided by the eSCL specification, an attacker can discover the serial number of multi-function printers that implement the Brother-provided firmware. This serial number can, in turn, can be leveraged by the flaw described by CVE-2024-51978 to calculate the default administrator password. This flaw is similar to CVE-2024-51977, with the only difference being the protocol by which an attacker can use to learn the remote device's serial number. The eSCL/uscan vector is typically only exposed on the local network. Any discovery service that implements the eSCL specification can be used to exploit this vulnerability, and one such implementation is the runZero Explorer. Changing the default administrator password will render this vulnerability virtually worthless, since the calculated default administrator password would no longer be the correct password.

Hydra is a continuous integration service for Nix based projects. Prior to commit dea1e16, a malicious package can introduce arbitrary JavaScript code into the Hydra database that is automatically evaluated in a client's browser when anyone visits the build page. This could be done by a third-party project as part of its build process. This also happens in other places like with hydra-release-name. This issue has been patched by commit dea1e16. A workaround involves either not building untrusted packages or not visiting the builds page.

Hydra is a continuous integration service for Nix based projects. Prior to commit f7bda02, /api/push-github and /api/push-gitea are called by the corresponding forge without HTTP Basic authentication. Both forges do however feature HMAC signing with a secret key. Triggering an evaluation can be very taxing on the infrastructure when large evaluations are done, introducing potential denial of service attacks on the host running the evaluator. This issue has been patched by commit f7bda02. A workaround involves blocking /api/push-github and /api/push-gitea via a reverse proxy.

Kanboard is project management software that focuses on the Kanban methodology. Prior to version 1.2.47, an unsafe deserialization vulnerability in the ProjectEventActvityFormatter allows admin users the ability to instantiate arbitrary php objects by modifying the event["data"] field in the project_activities table. A malicious actor can update this field to use a php gadget to write a web shell into the /plugins folder, which then gives remote code execution on the host system. This issue has been patched in version 1.2.47.

Kanboard is project management software that focuses on the Kanban methodology. Prior to version 1.2.47, the createTaskFile method in the API does not validate whether the task_id parameter is a valid task id, nor does it check for path traversal. As a result, a malicious actor could write a file anywhere on the system the app user controls. The impact is limited due to the filename being hashed and having no extension. This issue has been patched in version 1.2.47.

ServiceNow has addressed a Broken Access Control vulnerability that was identified in the ServiceNow AI Platform. This vulnerability could allow a low privileged user to bypass access controls and perform a limited set of actions typically reserved for higher privileged users, potentially leading to unauthorized data modifications. This issue is addressed in the listed patches and family releases, which have been made available to hosted and self-hosted customers, as well as partners.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> xfrm: interface: fix use-after-free after changing collect_md xfrm interface<br /> <br /> collect_md property on xfrm interfaces can only be set on device creation,<br /> thus xfrmi_changelink() should fail when called on such interfaces.<br /> <br /> The check to enforce this was done only in the case where the xi was<br /> returned from xfrmi_locate() which doesn&amp;#39;t look for the collect_md<br /> interface, and thus the validation was never reached.<br /> <br /> Calling changelink would thus errornously place the special interface xi<br /> in the xfrmi_net-&gt;xfrmi hash, but since it also exists in the<br /> xfrmi_net-&gt;collect_md_xfrmi pointer it would lead to a double free when<br /> the net namespace was taken down [1].<br /> <br /> Change the check to use the xi from netdev_priv which is available earlier<br /> in the function to prevent changes in xfrm collect_md interfaces.<br /> <br /> [1] resulting oops:<br /> [ 8.516540] kernel BUG at net/core/dev.c:12029!<br /> [ 8.516552] Oops: invalid opcode: 0000 [#1] SMP NOPTI<br /> [ 8.516559] CPU: 0 UID: 0 PID: 12 Comm: kworker/u80:0 Not tainted 6.15.0-virtme #5 PREEMPT(voluntary)<br /> [ 8.516565] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014<br /> [ 8.516569] Workqueue: netns cleanup_net<br /> [ 8.516579] RIP: 0010:unregister_netdevice_many_notify+0x101/0xab0<br /> [ 8.516590] Code: 90 0f 0b 90 48 8b b0 78 01 00 00 48 8b 90 80 01 00 00 48 89 56 08 48 89 32 4c 89 80 78 01 00 00 48 89 b8 80 01 00 00 eb ac 90 0b 48 8b 45 00 4c 8d a0 88 fe ff ff 48 39 c5 74 5c 41 80 bc 24<br /> [ 8.516593] RSP: 0018:ffffa93b8006bd30 EFLAGS: 00010206<br /> [ 8.516598] RAX: ffff98fe4226e000 RBX: ffffa93b8006bd58 RCX: ffffa93b8006bc60<br /> [ 8.516601] RDX: 0000000000000004 RSI: 0000000000000000 RDI: dead000000000122<br /> [ 8.516603] RBP: ffffa93b8006bdd8 R08: dead000000000100 R09: ffff98fe4133c100<br /> [ 8.516605] R10: 0000000000000000 R11: 00000000000003d2 R12: ffffa93b8006be00<br /> [ 8.516608] R13: ffffffff96c1a510 R14: ffffffff96c1a510 R15: ffffa93b8006be00<br /> [ 8.516615] FS: 0000000000000000(0000) GS:ffff98fee73b7000(0000) knlGS:0000000000000000<br /> [ 8.516619] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [ 8.516622] CR2: 00007fcd2abd0700 CR3: 000000003aa40000 CR4: 0000000000752ef0<br /> [ 8.516625] PKRU: 55555554<br /> [ 8.516627] Call Trace:<br /> [ 8.516632] <br /> [ 8.516635] ? rtnl_is_locked+0x15/0x20<br /> [ 8.516641] ? unregister_netdevice_queue+0x29/0xf0<br /> [ 8.516650] ops_undo_list+0x1f2/0x220<br /> [ 8.516659] cleanup_net+0x1ad/0x2e0<br /> [ 8.516664] process_one_work+0x160/0x380<br /> [ 8.516673] worker_thread+0x2aa/0x3c0<br /> [ 8.516679] ? __pfx_worker_thread+0x10/0x10<br /> [ 8.516686] kthread+0xfb/0x200<br /> [ 8.516690] ? __pfx_kthread+0x10/0x10<br /> [ 8.516693] ? __pfx_kthread+0x10/0x10<br /> [ 8.516697] ret_from_fork+0x82/0xf0<br /> [ 8.516705] ? __pfx_kthread+0x10/0x10<br /> [ 8.516709] ret_from_fork_asm+0x1a/0x30<br /> [ 8.516718]

XEE in Ivanti Connect Secure before 22.7R2.8 or 22.8R2, Ivanti Policy Secure before 22.7R1.5, Ivanti ZTA Gateway before 22.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote authenticated attacker with admin privileges to trigger a denial of service

Improper handling of symbolic links in Ivanti Connect Secure before version 22.7R2.8 or 22.8R2, Ivanti Policy Secure before 22.7R1.5, Ivanti ZTA Gateway before 22.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a local authenticated attacker to read arbitrary files on disk.

SQL injection in Ivanti Avalanche before version 6.4.8.8008 allows a remote authenticated attacker with admin privileges to execute arbitrary SQL queries. In certain conditions, this can also lead to remote code execution