Vulnerabilities

Tenda AC9 v15.03.05.14 was discovered to contain a command injection vulnerability via the Telnet function.

A Directory Listing Vulnerability was found in the /osms/Requester/ directory of the Kashipara Online Service Management Portal V1.0.

kashipara Online Service Management Portal V1.0 is vulnerable to SQL Injection in /osms/Requester/Requesterchangepass.php via the parameter: rPassword.

kashipara Online Service Management Portal V1.0 is vulnerable to SQL Injection in osms/Requester/CheckStatus.php via the checkid parameter.

An issue in the /usr/local/bin/jncs.sh script of Gefen WebFWC (In AV over IP products) v1.85h, v1.86v, and v1.70 allows attackers with network access to connect to the device over TCP port 4444 without authentication and execute arbitrary commands with root privileges.

A SQL injection vulnerability in the "Search" functionality of "tickets.php" page in osTicket

Output Messenger before 2.0.63 was vulnerable to a directory traversal attack through improper file path handling. By using ../ sequences in parameters, attackers could access sensitive files outside the intended directory, potentially leading to configuration leakage or arbitrary file access.

Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf: consider that tail calls invalidate packet pointers<br /> <br /> Tail-called programs could execute any of the helpers that invalidate<br /> packet pointers. Hence, conservatively assume that each tail call<br /> invalidates packet pointers.<br /> <br /> Making the change in bpf_helper_changes_pkt_data() automatically makes<br /> use of check_cfg() logic that computes &amp;#39;changes_pkt_data&amp;#39; effect for<br /> global sub-programs, such that the following program could be<br /> rejected:<br /> <br /> int tail_call(struct __sk_buff *sk)<br /> {<br /> bpf_tail_call_static(sk, &amp;jmp_table, 0);<br /> return 0;<br /> }<br /> <br /> SEC("tc")<br /> int not_safe(struct __sk_buff *sk)<br /> {<br /> int *p = (void *)(long)sk-&gt;data;<br /> ... make p valid ...<br /> tail_call(sk);<br /> *p = 42; /* this is unsafe */<br /> ...<br /> }<br /> <br /> The tc_bpf2bpf.c:subprog_tc() needs change: mark it as a function that<br /> can invalidate packet pointers. Otherwise, it can&amp;#39;t be freplaced with<br /> tailcall_freplace.c:entry_freplace() that does a tail call.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf: check changes_pkt_data property for extension programs<br /> <br /> When processing calls to global sub-programs, verifier decides whether<br /> to invalidate all packet pointers in current state depending on the<br /> changes_pkt_data property of the global sub-program.<br /> <br /> Because of this, an extension program replacing a global sub-program<br /> must be compatible with changes_pkt_data property of the sub-program<br /> being replaced.<br /> <br /> This commit:<br /> - adds changes_pkt_data flag to struct bpf_prog_aux:<br /> - this flag is set in check_cfg() for main sub-program;<br /> - in jit_subprogs() for other sub-programs;<br /> - modifies bpf_check_attach_btf_id() to check changes_pkt_data flag;<br /> - moves call to check_attach_btf_id() after the call to check_cfg(),<br /> because it needs changes_pkt_data flag to be set:<br /> <br /> bpf_check:<br /> ... ...<br /> - check_attach_btf_id resolve_pseudo_ldimm64<br /> resolve_pseudo_ldimm64 --&gt; bpf_prog_is_offloaded<br /> bpf_prog_is_offloaded check_cfg<br /> check_cfg + check_attach_btf_id<br /> ... ...<br /> <br /> The following fields are set by check_attach_btf_id():<br /> - env-&gt;ops<br /> - prog-&gt;aux-&gt;attach_btf_trace<br /> - prog-&gt;aux-&gt;attach_func_name<br /> - prog-&gt;aux-&gt;attach_func_proto<br /> - prog-&gt;aux-&gt;dst_trampoline<br /> - prog-&gt;aux-&gt;mod<br /> - prog-&gt;aux-&gt;saved_dst_attach_type<br /> - prog-&gt;aux-&gt;saved_dst_prog_type<br /> - prog-&gt;expected_attach_type<br /> <br /> Neither of these fields are used by resolve_pseudo_ldimm64() or<br /> bpf_prog_offload_verifier_prep() (for netronome and netdevsim<br /> drivers), so the reordering is safe.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf: track changes_pkt_data property for global functions<br /> <br /> When processing calls to certain helpers, verifier invalidates all<br /> packet pointers in a current state. For example, consider the<br /> following program:<br /> <br /> __attribute__((__noinline__))<br /> long skb_pull_data(struct __sk_buff *sk, __u32 len)<br /> {<br /> return bpf_skb_pull_data(sk, len);<br /> }<br /> <br /> SEC("tc")<br /> int test_invalidate_checks(struct __sk_buff *sk)<br /> {<br /> int *p = (void *)(long)sk-&gt;data;<br /> if ((void *)(p + 1) &gt; (void *)(long)sk-&gt;data_end) return TCX_DROP;<br /> skb_pull_data(sk, 0);<br /> *p = 42;<br /> return TCX_PASS;<br /> }<br /> <br /> After a call to bpf_skb_pull_data() the pointer &amp;#39;p&amp;#39; can&amp;#39;t be used<br /> safely. See function filter.c:bpf_helper_changes_pkt_data() for a list<br /> of such helpers.<br /> <br /> At the moment verifier invalidates packet pointers when processing<br /> helper function calls, and does not traverse global sub-programs when<br /> processing calls to global sub-programs. This means that calls to<br /> helpers done from global sub-programs do not invalidate pointers in<br /> the caller state. E.g. the program above is unsafe, but is not<br /> rejected by verifier.<br /> <br /> This commit fixes the omission by computing field<br /> bpf_subprog_info-&gt;changes_pkt_data for each sub-program before main<br /> verification pass.<br /> changes_pkt_data should be set if:<br /> - subprogram calls helper for which bpf_helper_changes_pkt_data<br /> returns true;<br /> - subprogram calls a global function,<br /> for which bpf_subprog_info-&gt;changes_pkt_data should be set.<br /> <br /> The verifier.c:check_cfg() pass is modified to compute this<br /> information. The commit relies on depth first instruction traversal<br /> done by check_cfg() and absence of recursive function calls:<br /> - check_cfg() would eventually visit every call to subprogram S in a<br /> state when S is fully explored;<br /> - when S is fully explored:<br /> - every direct helper call within S is explored<br /> (and thus changes_pkt_data is set if needed);<br /> - every call to subprogram S1 called by S was visited with S1 fully<br /> explored (and thus S inherits changes_pkt_data from S1).<br /> <br /> The downside of such approach is that dead code elimination is not<br /> taken into account: if a helper call inside global function is dead<br /> because of current configuration, verifier would conservatively assume<br /> that the call occurs for the purpose of the changes_pkt_data<br /> computation.

Improper access control in PAM feature in Devolutions Server allows a PAM user to self approve their PAM requests even if disallowed by the configured policy via specific user interface actions.<br /> <br /> <br /> <br /> <br /> <br /> This issue affects Devolutions Server versions from 2025.1.3.0 through 2025.1.6.0, and all versions up to 2024.3.15.0.