Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> remoteproc: core: Fix ida_free call while not allocated<br /> <br /> In the rproc_alloc() function, on error, put_device(&amp;rproc-&gt;dev) is<br /> called, leading to the call of the rproc_type_release() function.<br /> An error can occurs before ida_alloc is called.<br /> <br /> In such case in rproc_type_release(), the condition (rproc-&gt;index &gt;= 0) is<br /> true as rproc-&gt;index has been initialized to 0.<br /> ida_free() is called reporting a warning:<br /> [ 4.181906] WARNING: CPU: 1 PID: 24 at lib/idr.c:525 ida_free+0x100/0x164<br /> [ 4.186378] stm32-display-dsi 5a000000.dsi: Fixed dependency cycle(s) with /soc/dsi@5a000000/panel@0<br /> [ 4.188854] ida_free called for id=0 which is not allocated.<br /> [ 4.198256] mipi-dsi 5a000000.dsi.0: Fixed dependency cycle(s) with /soc/dsi@5a000000<br /> [ 4.203556] Modules linked in: panel_orisetech_otm8009a dw_mipi_dsi_stm(+) gpu_sched dw_mipi_dsi stm32_rproc stm32_crc32 stm32_ipcc(+) optee(+)<br /> [ 4.224307] CPU: 1 UID: 0 PID: 24 Comm: kworker/u10:0 Not tainted 6.12.0 #442<br /> [ 4.231481] Hardware name: STM32 (Device Tree Support)<br /> [ 4.236627] Workqueue: events_unbound deferred_probe_work_func<br /> [ 4.242504] Call trace:<br /> [ 4.242522] unwind_backtrace from show_stack+0x10/0x14<br /> [ 4.250218] show_stack from dump_stack_lvl+0x50/0x64<br /> [ 4.255274] dump_stack_lvl from __warn+0x80/0x12c<br /> [ 4.260134] __warn from warn_slowpath_fmt+0x114/0x188<br /> [ 4.265199] warn_slowpath_fmt from ida_free+0x100/0x164<br /> [ 4.270565] ida_free from rproc_type_release+0x38/0x60<br /> [ 4.275832] rproc_type_release from device_release+0x30/0xa0<br /> [ 4.281601] device_release from kobject_put+0xc4/0x294<br /> [ 4.286762] kobject_put from rproc_alloc.part.0+0x208/0x28c<br /> [ 4.292430] rproc_alloc.part.0 from devm_rproc_alloc+0x80/0xc4<br /> [ 4.298393] devm_rproc_alloc from stm32_rproc_probe+0xd0/0x844 [stm32_rproc]<br /> [ 4.305575] stm32_rproc_probe [stm32_rproc] from platform_probe+0x5c/0xbc<br /> <br /> Calling ida_alloc earlier in rproc_alloc ensures that the rproc-&gt;index is<br /> properly set.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> staging: media: max96712: fix kernel oops when removing module<br /> <br /> The following kernel oops is thrown when trying to remove the max96712<br /> module:<br /> <br /> Unable to handle kernel paging request at virtual address 00007375746174db<br /> Mem abort info:<br /> ESR = 0x0000000096000004<br /> EC = 0x25: DABT (current EL), IL = 32 bits<br /> SET = 0, FnV = 0<br /> EA = 0, S1PTW = 0<br /> FSC = 0x04: level 0 translation fault<br /> Data abort info:<br /> ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000<br /> CM = 0, WnR = 0, TnD = 0, TagAccess = 0<br /> GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0<br /> user pgtable: 4k pages, 48-bit VAs, pgdp=000000010af89000<br /> [00007375746174db] pgd=0000000000000000, p4d=0000000000000000<br /> Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP<br /> Modules linked in: crct10dif_ce polyval_ce mxc_jpeg_encdec flexcan<br /> snd_soc_fsl_sai snd_soc_fsl_asoc_card snd_soc_fsl_micfil dwc_mipi_csi2<br /> imx_csi_formatter polyval_generic v4l2_jpeg imx_pcm_dma can_dev<br /> snd_soc_imx_audmux snd_soc_wm8962 snd_soc_imx_card snd_soc_fsl_utils<br /> max96712(C-) rpmsg_ctrl rpmsg_char pwm_fan fuse<br /> [last unloaded: imx8_isi]<br /> CPU: 0 UID: 0 PID: 754 Comm: rmmod<br /> Tainted: G C 6.12.0-rc6-06364-g327fec852c31 #17<br /> Tainted: [C]=CRAP<br /> Hardware name: NXP i.MX95 19X19 board (DT)<br /> pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br /> pc : led_put+0x1c/0x40<br /> lr : v4l2_subdev_put_privacy_led+0x48/0x58<br /> sp : ffff80008699bbb0<br /> x29: ffff80008699bbb0 x28: ffff00008ac233c0 x27: 0000000000000000<br /> x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000<br /> x23: ffff000080cf1170 x22: ffff00008b53bd00 x21: ffff8000822ad1c8<br /> x20: ffff000080ff5c00 x19: ffff00008b53be40 x18: 0000000000000000<br /> x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000<br /> x14: 0000000000000004 x13: ffff0000800f8010 x12: 0000000000000000<br /> x11: ffff000082acf5c0 x10: ffff000082acf478 x9 : ffff0000800f8010<br /> x8 : 0101010101010101 x7 : 7f7f7f7f7f7f7f7f x6 : fefefeff6364626d<br /> x5 : 8080808000000000 x4 : 0000000000000020 x3 : 00000000553a3dc1<br /> x2 : ffff00008ac233c0 x1 : ffff00008ac233c0 x0 : ff00737574617473<br /> Call trace:<br /> led_put+0x1c/0x40<br /> v4l2_subdev_put_privacy_led+0x48/0x58<br /> v4l2_async_unregister_subdev+0x2c/0x1a4<br /> max96712_remove+0x1c/0x38 [max96712]<br /> i2c_device_remove+0x2c/0x9c<br /> device_remove+0x4c/0x80<br /> device_release_driver_internal+0x1cc/0x228<br /> driver_detach+0x4c/0x98<br /> bus_remove_driver+0x6c/0xbc<br /> driver_unregister+0x30/0x60<br /> i2c_del_driver+0x54/0x64<br /> max96712_i2c_driver_exit+0x18/0x1d0 [max96712]<br /> __arm64_sys_delete_module+0x1a4/0x290<br /> invoke_syscall+0x48/0x10c<br /> el0_svc_common.constprop.0+0xc0/0xe0<br /> do_el0_svc+0x1c/0x28<br /> el0_svc+0x34/0xd8<br /> el0t_64_sync_handler+0x120/0x12c<br /> el0t_64_sync+0x190/0x194<br /> Code: f9000bf3 aa0003f3 f9402800 f9402000 (f9403400)<br /> ---[ end trace 0000000000000000 ]---<br /> <br /> This happens because in v4l2_i2c_subdev_init(), the i2c_set_cliendata()<br /> is called again and the data is overwritten to point to sd, instead of<br /> priv. So, in remove(), the wrong pointer is passed to<br /> v4l2_async_unregister_subdev(), leading to a crash.

A vulnerability was found in Seeyon Zhiyuan Interconnect FE Collaborative Office Platform up to 20250224. It has been rated as critical. Affected by this issue is some unknown functionality of the file /security/addUser.jsp. The manipulation of the argument groupId leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

An issue in TAAGSOLUTIONS GmbH MyTaag v.2024-11-24 and before allows a remote attacker to escalate privileges via the "/user" endpoint

An issue in TAAGSOLUTIONS GmbH MyTaag v.2024-11-24 and before allows a physically proximate attacker to escalate privileges via the "2fa_authorized" Local Storage key

An issue in TAAGSOLUTIONS GmbH MyTaag v.2024-11-24 and before allows a remote attacker to escalate privileges via the deactivation of the activated second factor to the /session endpoint

A vulnerability was found in MicroDicom DICOM Viewer 2025.1 Build 3321. It has been classified as critical. Affected is an unknown function of the file mDicom.exe. The manipulation leads to memory corruption. The attack needs to be approached locally. It is recommended to upgrade the affected component. The vendor quickly confirmed the existence of the vulnerability and fixed it in the latest beta.

Improper Neutralization of Special Elements used in an SQL Command (&amp;#39;SQL Injection&amp;#39;) vulnerability in Finder Fire Safety Finder ERP/CRM (New System) allows SQL Injection.This issue affects Finder ERP/CRM (New System): before 18.12.2024.

A SQL Injection vulnerability has been identified in EPICOR Prophet 21 (P21) up to 23.2.5232. This vulnerability allows authenticated remote attackers to execute arbitrary SQL commands through unsanitized user input fields to obtain unauthorized information

Improper Neutralization of Input During Web Page Generation (XSS or &amp;#39;Cross-site Scripting&amp;#39;) vulnerability in AtaksAPP Reservation Management System allows Cross-Site Scripting (XSS).This issue affects Reservation Management System: before 4.2.3.

Improper Neutralization of Special Elements used in an SQL Command (&amp;#39;SQL Injection&amp;#39;) vulnerability in Finder Fire Safety Finder ERP/CRM (Old System) allows SQL Injection.This issue affects Finder ERP/CRM (Old System): before 18.12.2024.

Smartwares cameras CIP-37210AT and C724IP, as well as others which share the same firmware in versions up to 3.3.0, are vulnerable to command injection. <br /> During the initialization process, a user has to use a mobile app to provide devices with Access Point credentials. This input is not properly sanitized, what allows for command injection.<br /> The vendor has not replied to reports, so the patching status remains unknown. Newer firmware versions might be vulnerable as well.