Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made available, for users interested in this information, a database in Spanish that includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), which INCIBE translates into Spanish under a partnership agreement.

On occasion this list will show vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All collected vulnerabilities are linked to various information sources, as well as to the available patches or solutions provided by manufacturers and developers. Advanced searches are possible: different criteria can be selected to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters, you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-41753

Publication date:
03/05/2025
IBM Cloud Pak for Business Automation 24.0.0 through 24.0.0 IF004 and 24.0.1 through 24.0.1 IF001 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
Severity CVSS v4.0: Pending analysis
Last modification:
14/08/2025

CVE-2024-58134

Publication date:
03/05/2025
Mojolicious versions from 0.999922 for Perl use a hard coded string, or the application's class name, as an HMAC session cookie secret by default. These predictable default secrets can be exploited by an attacker to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user's session.
Severity CVSS v4.0: Pending analysis
Last modification:
20/10/2025

CVE-2025-4237

Publication date:
03/05/2025
A vulnerability was found in PCMan FTP Server 2.0.7 and classified as critical. Affected by this issue is some unknown functionality of the component MDELETE Command Handler. The manipulation leads to buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
16/05/2025

CVE-2025-4236

Publication date:
03/05/2025
A vulnerability has been found in PCMan FTP Server 2.0.7 and classified as critical. Affected by this vulnerability is an unknown functionality of the component MDIR Command Handler. The manipulation leads to buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
16/05/2025

CVE-2025-37799

Publication date:
03/05/2025
In the Linux kernel, the following vulnerability has been resolved:

vmxnet3: Fix malformed packet sizing in vmxnet3_process_xdp

vmxnet3 driver's XDP handling is buggy for packet sizes using ring0 (that is, packet sizes between 128 - 3k bytes).

We noticed MTU-related connectivity issues with Cilium's service load-balancing in case of vmxnet3 as NIC underneath. A simple curl to a HTTP backend service where the XDP LB was doing IPIP encap led to overly large packet sizes but only for *some* of the packets (e.g. HTTP GET request) while others (e.g. the prior TCP 3WHS) looked completely fine on the wire.

In fact, the pcap recording on the backend node actually revealed that the node with the XDP LB was leaking uninitialized kernel data onto the wire for the affected packets, for example, while the packets should have been 152 bytes their actual size was 1482 bytes, so the remainder after 152 bytes was padded with whatever other data was in that page at the time (e.g. we saw user/payload data from prior processed packets).

We only noticed this through an MTU issue, e.g. when the XDP LB node and the backend node both had the same MTU (e.g. 1500) then the curl request got dropped on the backend node's NIC given the packet was too large even though the IPIP-encapped packet normally would never even come close to the MTU limit. Lowering the MTU on the XDP LB (e.g. 1480) allowed to let the curl request succeed (which also indicates that the kernel ignored the padding, and thus the issue wasn't very user-visible).

Commit e127ce7699c1 ("vmxnet3: Fix missing reserved tailroom") was too eager to also switch xdp_prepare_buff() from rcd->len to rbi->len. It really needs to stick to rcd->len which is the actual packet length from the descriptor. The latter we also feed into vmxnet3_process_xdp_small(), by the way, and it indicates the correct length needed to initialize the xdp->{data,data_end} parts. For e127ce7699c1 ("vmxnet3: Fix missing reserved tailroom") the relevant part was adapting xdp_init_buff() to address the warning given the xdp_data_hard_end() depends on xdp->frame_sz. With that fixed, traffic on the wire looks good again.
Severity CVSS v4.0: Pending analysis
Last modification:
10/11/2025

CVE-2025-4226

Publication date:
03/05/2025
A vulnerability classified as critical has been found in PHPGurukul/Campcodes Cyber Cafe Management System 1.0. This affects an unknown part of the file /add-computer.php. The manipulation of the argument compname/comploc leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
30/05/2025

CVE-2024-58135

Publication date:
03/05/2025
Mojolicious versions from 7.28 for Perl will generate weak HMAC session cookie secrets via "mojo generate app" by default. When creating a default app skeleton with the "mojo generate app" tool, a weak secret is written to the application's configuration file using the insecure rand() function, and used for authenticating and protecting the integrity of the application's sessions. This may allow an attacker to brute force the application's session keys.
Severity CVSS v4.0: Pending analysis
Last modification:
20/10/2025

CVE-2025-3815

Publication date:
03/05/2025
The SurveyJS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 1.12.32 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-4199

Publication date:
03/05/2025
The Abundatrade Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.8.02. This is due to missing or incorrect nonce validation on the 'abundatrade' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-4222

Publication date:
03/05/2025
The Database Toolset plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.8.4 via backup files stored in a publicly accessible location. This makes it possible for unauthenticated attackers to extract sensitive data from database backup files. An index file is present, so a brute force attack would need to be successful in order to compromise any data.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-47229

Publication date:
03/05/2025
libpspp-core.a in GNU PSPP through 2.0.1 allows attackers to cause a denial of service (var_set_leave_quiet assertion failure and application exit) via crafted input data, such as data that triggers a call from src/data/dictionary.c code into src/data/variable.c code.
Severity CVSS v4.0: Pending analysis
Last modification:
18/07/2025

CVE-2025-3918

Publication date:
03/05/2025
The Job Listings plugin for WordPress is vulnerable to Privilege Escalation due to improper authorization within the register_action() function in versions 0.1 to 0.1.1. The plugin's registration handler reads the client-supplied $_POST['user_role'] and passes it directly to wp_insert_user() without restricting to a safe set of roles. This makes it possible for unauthenticated attackers to elevate their privileges to that of an administrator.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026