Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database), by virtue of a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2026-39409

Publication date:
08/04/2026
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, ipRestriction() does not canonicalize IPv4-mapped IPv6 client addresses (e.g. ::ffff:127.0.0.1) before applying IPv4 allow or deny rules. In environments such as Node.js dual-stack, this can cause IPv4 rules to fail to match, leading to unintended authorization behavior. This vulnerability is fixed in 4.12.12.
Severity CVSS v4.0: MEDIUM
Last modification:
08/04/2026

CVE-2026-39389

Publication date:
08/04/2026
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, This vulnerability is fixed in 0.31.4.0.
Severity CVSS v4.0: Pending analysis
Last modification:
08/04/2026

CVE-2026-39390

Publication date:
08/04/2026
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the Google Maps iframe setting (cMap field) in compInfosPost() sanitizes input using strip_tags() with an allowlist and regex-based removal of on\w+ event handlers. However, the srcdoc attribute is not an event handler and passes all filters. An attacker with admin settings access can inject a payload with HTML-entity-encoded JavaScript that executes in the context of the parent page when rendered to unauthenticated frontend visitors. This vulnerability is fixed in 0.31.4.0.
Severity CVSS v4.0: Pending analysis
Last modification:
08/04/2026

CVE-2026-39391

Publication date:
08/04/2026
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the blacklist (ban) note parameter in UserController::ajax_blackList_post() is stored in the database without sanitization and rendered into an HTML data-note attribute without escaping. An admin with blacklist privileges can inject arbitrary JavaScript that executes in the browser of any other admin who views the user management page. This vulnerability is fixed in 0.31.4.0.
Severity CVSS v4.0: Pending analysis
Last modification:
08/04/2026

CVE-2026-5795

Publication date:
08/04/2026
In Eclipse Jetty, the class JASPIAuthenticator initiates the authentication checks, which set two ThreadLocal variables.

Upon returning from the initial checks, there are conditions that cause an early return from the JASPIAuthenticator code without clearing those ThreadLocals.

A subsequent request using the same thread inherits the ThreadLocal values, leading to broken access control and privilege escalation.
Severity CVSS v4.0: Pending analysis
Last modification:
08/04/2026

CVE-2026-35023

Publication date:
08/04/2026
Wimi Teamwork On-Premises versions prior to 8.2.0 contain an insecure direct object reference vulnerability in the preview.php endpoint where the item_id parameter lacks proper authorization checks. Attackers can enumerate sequential item_id values to access and retrieve image previews from other users' private or group conversations, resulting in unauthorized disclosure of sensitive information.
Severity CVSS v4.0: MEDIUM
Last modification:
08/04/2026

CVE-2026-2509

Publication date:
08/04/2026
The Page Builder: Pagelayer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Button widget's Custom Attributes field in all versions up to, and including, 2.0.8. This is due to an incomplete event handler blocklist in the 'pagelayer_xss_content' XSS filtering function, which blocks common, but not all, event handlers. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
08/04/2026

CVE-2026-31411

Publication date:
08/04/2026
In the Linux kernel, the following vulnerability has been resolved:

net: atm: fix crash due to unvalidated vcc pointer in sigd_send()

Reproducer available at [1].

The ATM send path (sendmsg -> vcc_sendmsg -> sigd_send) reads the vcc pointer from msg->vcc and uses it directly without any validation. This pointer comes from userspace via sendmsg() and can be arbitrarily forged:

int fd = socket(AF_ATMSVC, SOCK_DGRAM, 0);
ioctl(fd, ATMSIGD_CTRL); // become ATM signaling daemon
struct msghdr msg = { .msg_iov = &iov, ... };
*(unsigned long *)(buf + 4) = 0xdeadbeef; // fake vcc pointer
sendmsg(fd, &msg, 0); // kernel dereferences 0xdeadbeef

In normal operation, the kernel sends the vcc pointer to the signaling daemon via sigd_enq() when processing operations like connect(), bind(), or listen(). The daemon is expected to return the same pointer when responding. However, a malicious daemon can send arbitrary pointer values.

Fix this by introducing find_get_vcc() which validates the pointer by searching through vcc_hash (similar to how sigd_close() iterates over all VCCs), and acquires a reference via sock_hold() if found.

Since struct atm_vcc embeds struct sock as its first member, they share the same lifetime. Therefore using sock_hold/sock_put is sufficient to keep the vcc alive while it is being used.

Note that there may be a race with sigd_close() which could mark the vcc with various flags (e.g., ATM_VF_RELEASED) after find_get_vcc() returns. However, sock_hold() guarantees the memory remains valid, so this race only affects the logical state, not memory safety.

[1]: https://gist.github.com/mrpre/1ba5949c45529c511152e2f4c755b0f3
Severity CVSS v4.0: Pending analysis
Last modification:
08/04/2026

CVE-2025-57853

Publication date:
08/04/2026
A container privilege escalation flaw was found in certain Web Terminal images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.
Severity CVSS v4.0: Pending analysis
Last modification:
08/04/2026

CVE-2025-57854

Publication date:
08/04/2026
A container privilege escalation flaw was found in certain OpenShift Update Service (OSUS) images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, may be able to leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.
Severity CVSS v4.0: Pending analysis
Last modification:
08/04/2026

CVE-2025-58713

Publication date:
08/04/2026
A container privilege escalation flaw was found in certain Red Hat Process Automation Manager images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.
Severity CVSS v4.0: Pending analysis
Last modification:
08/04/2026

CVE-2025-57847

Publication date:
08/04/2026
A container privilege escalation flaw was found in certain Ansible Automation Platform images. This issue arises from the /etc/passwd file being created with group-writable permissions during the build process. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd file. This vulnerability allows an attacker to add a new user with any arbitrary UID, including UID 0, gaining full root privileges within the container.
Severity CVSS v4.0: Pending analysis
Last modification:
08/04/2026