Vulnerabilities

Easy PayPal Events & Tickets plugin for WordPress before version 1.4 contains a hardcoded authentication bypass vulnerability in the QR code scanning functionality that allows unauthenticated remote attackers to bypass hash verification by supplying 'test' as the hash parameter. Attackers can access the vulnerable endpoint via the add_wpeevent_button_qr action to retrieve sensitive order details including PayPal transaction IDs, customer email addresses, purchase amounts, and ticket information for any order with a known or guessed post ID.

In adbd_tls_verify_cert of auth.cpp, there is a possible bypass of wireless ADB mutual authentication due to a logic error in the code. This could lead to remote (proximal/adjacent) code execution as the shell user with no additional execution privileges needed. User interaction is not needed for exploitation.

Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. Notes: All references and descriptions in this candidate have been removed to prevent accidental usage.

BusyBox before commit 42202bf contains a heap buffer overflow vulnerability in the DHCPv6 client (udhcpc6) DNS_SERVERS option handler in networking/udhcp/d6_dhcpc.c that allows network-adjacent attackers to trigger memory corruption by sending a crafted DHCPv6 response with a malformed D6_OPT_DNS_SERVERS option. Attackers can exploit incorrect heap buffer allocation calculations in the option_to_env() function to cause denial of service or achieve arbitrary code execution on embedded systems without heap hardening.

OOM Denial of Service via Unbounded Array Allocation in Apache OpenNLP AbstractModelReader <br /> <br /> Versions Affected: <br /> <br /> before 2.5.9<br /> <br /> before 3.0.0-M3 <br /> <br /> Description:<br /> <br /> <br /> The AbstractModelReader methods getOutcomes(), getOutcomePatterns(), and getPredicates() each read a 32-bit signed integer count field from a binary model stream and pass that value directly to an array allocation (new String[numOutcomes], new int[numOCTypes][], new String[NUM_PREDS]) without validating that the value is non-negative or within a reasonable bound. The count is therefore fully attacker-controlled when the model file originates from an untrusted source.<br /> <br /> <br /> A crafted .bin model file in which any of these count fields is set to Integer.MAX_VALUE (or any value large enough to exhaust the available heap) triggers an OutOfMemoryError at the array allocation itself, before the corresponding label or pattern data is consumed from the stream. The error occurs very early in deserialization: for a GIS model, getOutcomes() is reached after only the model-type string, the correction constant, and the correction parameter have been read; so the attacker pays no meaningful size cost to weaponize a payload, and a single small file can crash a JVM that loads it. Any code path that deserializes a .bin model is affected, including direct use of GenericModelReader and any higher-level component that delegates to it during model load.<br /> <br /> <br /> The practical impact is denial of service against processes that load model files from untrusted or semi-trusted origins.  <br /> <br /> <br /> Mitigation:<br /> <br /> <br /> <br /> * 2.x users should upgrade to 2.5.9.<br /> <br /> * 3.x users should upgrade to 3.0.0-M3.<br /> <br /> <br /> <br /> <br /> Note: The fix introduces an upper bound on each of the three count fields, checked before array allocation; counts that are negative or exceed the bound cause an IllegalArgumentException to be thrown and the read to fail fast with no large allocation. The default bound is 10,000,000, which is well above the entry counts of legitimate OpenNLP models but far below any value that would threaten heap exhaustion. Deployments that legitimately need to load models with more entries than the default can raise the limit at JVM startup by setting the OPENNLP_MAX_ENTRIES system property to the desired positive integer (e.g. -DOPENNLP_MAX_ENTRIES=50000000); invalid or non-positive values fall back to the default.<br /> <br /> <br /> Users who cannot upgrade immediately should treat all .bin model files as untrusted input unless their provenance is verified, and should avoid loading models supplied by end users or fetched from third-party repositories without integrity checks.

D-Link DIR-456U Hardware Revision A1 (End-of-Life, EOL) contains a hardcoded telnet backdoor. The device starts a telnet daemon at boot via /etc/init0.d/S80telnetd.sh with the username "Alphanetworks" and the static password "whdrv01_dlob_dir456U" read from /etc/config/image_sign. The custom telnetd binary accepts a -u user:password flag, and the custom login binary uses strcmp() to validate credentials. Successful authentication grants an unauthenticated attacker on the local network a root shell with full administrative control. The device has reached End-of-Life (EOL) and will not receive patches.

Apache Polaris can issue broad temporary ("vended") storage credentials during<br /> staged<br /> table creation before the effective table location has been validated or<br /> durably reserved. <br /> Those temporary credentials are meant to limit the scope<br /> of<br /> accessible table data and metadata, but this scope limitation becomes<br /> attacker-<br /> directed because the attacker can choose a reachable target location.<br /> <br /> <br /> <br /> In the confirmed variant, if the caller supplies a custom `location` during<br /> stage create and requests credential vending, Apache Polaris uses that location to<br /> construct delegated storage credentials immediately. The stage-create path<br /> itself neither runs the normal location validation nor the overlap checks<br /> before those credentials are issued.<br /> <br /> <br /> <br /> Closely related to that, the staged-create flow also accepts<br /> `write.data.path` / `write.metadata.path` in the request properties and<br /> feeds<br /> those location overrides into the same effective table location set used for<br /> credential vending. Those fields are secondary to the main custom-`location`<br /> exploit, but they are still attacker-influenced location inputs that should<br /> be<br /> validated before any credentials are issued.

Apache Polaris accepts literal `*` characters in namespace and table names. When it<br /> later builds temporary S3 access policies for delegated table access, those<br /> same characters appear to be reused unescaped in S3 IAM resource patterns<br /> and<br /> `s3:prefix` conditions.<br /> <br /> <br /> <br /> In S3 IAM policy matching, `*` is treated as a wildcard rather than as<br /> ordinary text. That means temporary credentials issued for one crafted table<br /> can match the storage path of a different table.<br /> <br /> <br /> <br /> In private testing against Polaris 1.4.0 using Polaris&amp;#39; AWS S3 temporary-<br /> credential path on both MinIO and real AWS S3, credentials returned for<br /> crafted tables such as `f*.t1`, `f*.*`, `*.*`, and `foo.*` could reach other<br /> tables&amp;#39; S3 locations.<br /> <br /> <br /> The confirmed behavior includes:<br /> <br /> <br /> - reading another table&amp;#39;s metadata control file ([Iceberg metadata JSON]);<br /> <br /> - listing another table&amp;#39;s exact S3 table prefix ([table prefix]);<br /> <br /> - and, when write delegation was returned for the crafted table, creating<br /> and<br /> deleting an object under another table&amp;#39;s exact S3 table prefix.<br /> <br /> <br /> <br /> A control case using ordinary different names did not allow the same<br /> cross-table access.<br /> <br /> <br /> <br /> A least-privilege AWS S3 variant was also confirmed in which the attacker<br /> principal had no Polaris permissions on the victim table and only the<br /> minimal permissions required to create and use a crafted wildcard table<br /> (namespace-scoped `TABLE_CREATE` and `TABLE_WRITE_DATA` on `*`). In that<br /> setup, direct Polaris access to `foo.t1` remained forbidden, but the<br /> attacker<br /> could still create and load `*.*`, receive delegated S3 credentials, and use<br /> those credentials to list, read, create, and delete objects under `foo.t1`.<br /> <br /> <br /> <br /> In Iceberg, the metadata JSON file is a control file: it tells readers which<br /> data files belong to the table, which snapshots exist, and which table<br /> version<br /> to read. So unauthorized access to it is already a meaningful<br /> confidentiality<br /> problem. The confirmed write-capable variant means the issue is not limited<br /> to<br /> disclosure.

In plain terms, Apache Polaris is supposed to issue short-lived GCS credentials<br /> that<br /> only work for one table&amp;#39;s files, but a crafted namespace or table name can<br /> cause those credentials to work across the configured bucket instead.<br /> <br /> <br /> Apache Polaris builds Google Cloud Storage downscoped credentials by creating a<br /> Credential Access Boundary (CAB) with CEL conditions that are intended to<br /> restrict access to the requested table&amp;#39;s storage path.<br /> <br /> <br /> <br /> The relevant CEL string is built from the bucket name and the table path.<br /> That<br /> table path is derived from namespace and table identifiers. In current code,<br /> that path appears to be inserted into the CEL expression without escaping.<br /> <br /> <br /> <br /> As a result, a namespace or table identifier containing a single quote and<br /> other URI-safe CEL fragments can break out of the intended quoted string and<br /> change the meaning of the CEL condition.<br /> <br /> <br /> <br /> In private testing against Polaris 1.4.0 on real Google Cloud Storage, it was confirmed that Polaris accepted a crafted identifier and returned delegated<br /> GCS<br /> credentials whose CEL path restriction had effectively collapsed.<br /> <br /> <br /> Those delegated credentials could then:<br /> <br /> <br /> - list another table&amp;#39;s object prefix;<br /> <br /> - read another table&amp;#39;s metadata control file (Iceberg metadata JSON);<br /> <br /> - create and delete an object under another table&amp;#39;s object prefix;<br /> <br /> - and also list, read, create, and delete objects under an unrelated<br /> external<br /> prefix in the same bucket that was not part of any table path.<br /> <br /> <br /> <br /> That last point is important. The issue is not limited to "another table".<br /> In<br /> the confirmed setup, once Apache Polaris returned credentials for the crafted<br /> table,<br /> the path restriction inside the configured bucket was effectively gone.<br /> <br /> The practical effect is that temporary credentials for one crafted table<br /> can be<br /> broader than the table Polaris was asked to authorize, and can become<br /> effectively bucket-wide within the configured bucket.<br /> <br /> <br /> <br /> The current GCS testing used a Polaris principal with broad catalog<br /> privileges for setup. A separate least-privilege Polaris RBAC variant<br /> has not yet been tested on GCS. However, the storage-credential<br /> broadening behavior itself has been confirmed on GCS.

In Apache Iceberg, the table&amp;#39;s metadata files are control files: they tell readers<br /> which data files belong to the table and which table version to read.<br /> <br /> <br /> <br /> `write.metadata.path` is an optional table property that tells Polaris<br /> where to<br /> write those metadata files. <br /> For a table already registered in a<br /> Polaris-managed<br /> catalog, changing only that property through an `ALTER TABLE`-style settings<br /> change (not a row-level `INSERT`, `SELECT`, `UPDATE`, or `DELETE`) bypasses<br /> the commit-time branch that is supposed to revalidate storage locations.<br /> <br /> The full persisted / credential-vending variant requires the affected<br /> catalog<br /> to have `polaris.config.allow.unstructured.table.location=true`, with<br /> `allowedLocations` broad enough to include the attacker-chosen target.<br /> <br /> <br /> `allowedLocations` is the admin-configured allowlist of storage paths that<br /> the<br /> catalog is allowed to use. Public project materials suggest that this flag<br /> is a<br /> real supported compatibility / layout mode, not just a contrived lab-only<br /> prerequisite.<br /> <br /> <br /> In that configuration, a user who can change table settings can cause Apache Polaris<br /> itself to write new table metadata to an attacker-chosen reachable storage<br /> location before the intended location-validation branch runs.<br /> <br /> If the later concrete-path validation also accepts that location, Polaris<br /> persists the resulting metadata path into stored table state. Later<br /> table-load<br /> and credential APIs can then return temporary cloud-storage credentials for<br /> the<br /> same location without revalidating it. In plain terms, Polaris can later<br /> hand<br /> out temporary storage access for the same attacker-chosen area.<br /> <br /> That attacker-chosen area does not need to be limited to the poisoned<br /> table&amp;#39;s<br /> own files. If it is a broader storage prefix, another table&amp;#39;s prefix, or,<br /> depending on configuration or provider behavior, even a bucket/container<br /> root,<br /> the resulting disclosure or corruption scope can extend to any data and<br /> metadata Polaris can reach there.<br /> <br /> <br /> <br /> The practical consequences are therefore similar to the staged-create<br /> credential-vending issue already discussed: data and metadata reachable in<br /> that<br /> storage scope can be exposed and, if write-capable credentials are later<br /> issued, modified, corrupted, or removed. Even before that later credential<br /> step, Polaris itself performs the metadata write to the unchecked location.<br /> <br /> So the core issue is not only later credential vending. <br /> <br /> The primary defect<br /> is<br /> that Polaris skips its intended location checks before performing a<br /> security-<br /> sensitive metadata write when only `write.metadata.path` changes.<br /> <br /> <br /> <br /> When `polaris.config.allow.unstructured.table.location=false`, current code<br /> review suggests the later `updateTableLike(...)` validation usually rejects<br /> out-of-tree metadata locations before the unsafe path is persisted. That may<br /> reduce the persisted / credential-vending variant, but it does not prevent<br /> the<br /> underlying defect: Polaris still skips the intended pre-write location check<br /> when only `write.metadata.path` changes.

PPTAgent is an agentic framework for reflective PowerPoint generation. Prior to commit 418491a, there is an arbitrary file write vulnerability via `save_generated_slides`. This issue has been patched via commit 418491a.

D-Link DIR-600L Hardware Revision A1 (End-of-Life) contains a hardcoded telnet backdoor. The device starts a telnet daemon at boot via /bin/telnetd.sh with the username "Alphanetworks" and the static password "wrgn35_dlwbr_dir600l" read from /etc/alpha_config/image_sign. The custom telnetd binary accepts a -u user:password flag, and the custom login binary uses strcmp() to validate credentials. Successful authentication grants an unauthenticated attacker on the local network a root shell with full administrative control. The device has reached End-of-Life (EOL) and will not receive patches.