Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-50944

Publication date:
27/12/2024
Integer overflow vulnerability exists in SimplCommerce at commit 230310c8d7a0408569b292c5a805c459d47a1d8f in the shopping cart functionality. The issue lies in the quantity parameter in the CartController's AddToCart method.
Severity CVSS v4.0: Pending analysis
Last modification:
28/12/2024

CVE-2024-50945

Publication date:
27/12/2024
An improper access control vulnerability exists in SimplCommerce at commit 230310c8d7a0408569b292c5a805c459d47a1d8f, allowing users to submit reviews without verifying if they have purchased the product.
Severity CVSS v4.0: Pending analysis
Last modification:
18/03/2025

CVE-2024-12990

Publication date:
27/12/2024
A vulnerability was found in ruifang-tech Rebuild 3.8.6. It has been classified as problematic. This affects an unknown part of the file /user/admin-verify of the component Admin Verification Page. The manipulation of the argument nexturl with the input http://localhost/evil.html leads to open redirect. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: MEDIUM
Last modification:
27/12/2024

CVE-2024-12989

Publication date:
27/12/2024
A vulnerability was found in WISI Tangram GT31 up to 20241214 and classified as problematic. Affected by this issue is some unknown functionality of the component HTTP Request Handler. The manipulation leads to server-side request forgery. The attack may be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: MEDIUM
Last modification:
27/12/2024

CVE-2024-12988

Publication date:
27/12/2024
A vulnerability has been found in Netgear R6900P and R7000P 1.3.3.154 and classified as critical. Affected by this vulnerability is the function sub_16C4C of the component HTTP Header Handler. The manipulation of the argument Host leads to buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.
Severity CVSS v4.0: MEDIUM
Last modification:
28/05/2025

CVE-2024-56507

Publication date:
27/12/2024
LinkAce is a self-hosted archive to collect links of your favorite websites. Prior to 1.15.6, a reflected cross-site scripting (XSS) vulnerability exists in the LinkAce. This issue occurs in the "URL" field of the "Edit Link" module, where user input is not properly sanitized or encoded before being reflected in the HTML response. This allows attackers to inject and execute arbitrary JavaScript in the context of the victim’s browser, leading to potential session hijacking, data theft, and unauthorized actions. This vulnerability is fixed in 1.15.6.
Severity CVSS v4.0: Pending analysis
Last modification:
06/10/2025

CVE-2024-56508

Publication date:
27/12/2024
LinkAce is a self-hosted archive to collect links of your favorite websites. Prior to 1.15.6, a file upload vulnerability exists in the LinkAce. This issue occurs in the "Import Bookmarks" functionality, where malicious HTML files can be uploaded containing JavaScript payloads. These payloads execute when the uploaded links are accessed, leading to potential reflected or persistent XSS scenarios. This vulnerability is fixed in 1.15.6.
Severity CVSS v4.0: Pending analysis
Last modification:
06/10/2025

CVE-2024-56509

Publication date:
27/12/2024
changedetection.io is a free open source web page change detection, website watcher, restock monitor and notification service. Improper input validation in the application can allow attackers to perform local file read (LFR) or path traversal attacks. These vulnerabilities occur when user input is used to construct file paths without adequate sanitization or validation. For example, using file:../../../etc/passwd or file: ///etc/passwd can bypass weak validations and allow unauthorized access to sensitive files. Even though this has been addressed in previous patch, it is still insufficient. This vulnerability is fixed in 0.48.05.
Severity CVSS v4.0: Pending analysis
Last modification:
27/12/2024

CVE-2024-12987

Publication date:
27/12/2024
A vulnerability, which was classified as critical, was found in DrayTek Vigor2960 and Vigor300B 1.5.1.4. Affected is an unknown function of the file /cgi-bin/mainfunction.cgi/apmcfgupload of the component Web Management Interface. The manipulation of the argument session leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.5.1.5 is able to address this issue. It is recommended to upgrade the affected component.
Severity CVSS v4.0: MEDIUM
Last modification:
30/10/2025

CVE-2024-12856

Publication date:
27/12/2024
The Four-Faith router models F3x24 and F3x36 are affected by an operating system (OS) command injection vulnerability. At least firmware version 2.0 allows authenticated and remote attackers to execute arbitrary OS commands over HTTP when modifying the system time via apply.cgi. Additionally, this firmware version has default credentials which, if not changed, would effectively change this vulnerability into an unauthenticated and remote OS command execution issue.
Severity CVSS v4.0: Pending analysis
Last modification:
25/09/2025

CVE-2024-12986

Publication date:
27/12/2024
A vulnerability, which was classified as critical, has been found in DrayTek Vigor2960 and Vigor300B 1.5.1.3/1.5.1.4. This issue affects some unknown processing of the file /cgi-bin/mainfunction.cgi/apmcfgupptim of the component Web Management Interface. The manipulation of the argument session leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.5.1.5 is able to address this issue. It is recommended to upgrade the affected component.
Severity CVSS v4.0: MEDIUM
Last modification:
28/05/2025

CVE-2024-56673

Publication date:
27/12/2024
In the Linux kernel, the following vulnerability has been resolved:

riscv: mm: Do not call pmd dtor on vmemmap page table teardown

The vmemmap's, which is used for RV64 with SPARSEMEM_VMEMMAP, page tables are populated using pmd (page middle directory) hugetables. However, the pmd allocation is not using the generic mechanism used by the VMA code (e.g. pmd_alloc()), or the RISC-V specific create_pgd_mapping()/alloc_pmd_late(). Instead, the vmemmap page table code allocates a page, and calls vmemmap_set_pmd(). This results in that the pmd ctor is *not* called, nor would it make sense to do so.

Now, when tearing down a vmemmap page table pmd, the cleanup code would unconditionally, and incorrectly call the pmd dtor, which results in a crash (best case).

This issue was found when running the HMM selftests:

| tools/testing/selftests/mm# ./test_hmm.sh smoke
| ... # when unloading the test_hmm.ko module
| page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10915b
| flags: 0x1000000000000000(node=0|zone=1)
| raw: 1000000000000000 0000000000000000 dead000000000122 0000000000000000
| raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
| page dumped because: VM_BUG_ON_PAGE(ptdesc->pmd_huge_pte)
| ------------[ cut here ]------------
| kernel BUG at include/linux/mm.h:3080!
| Kernel BUG [#1]
| Modules linked in: test_hmm(-) sch_fq_codel fuse drm drm_panel_orientation_quirks backlight dm_mod
| CPU: 1 UID: 0 PID: 514 Comm: modprobe Tainted: G W 6.12.0-00982-gf2a4f1682d07 #2
| Tainted: [W]=WARN
| Hardware name: riscv-virtio qemu/qemu, BIOS 2024.10 10/01/2024
| epc : remove_pgd_mapping+0xbec/0x1070
| ra : remove_pgd_mapping+0xbec/0x1070
| epc : ffffffff80010a68 ra : ffffffff80010a68 sp : ff20000000a73940
| gp : ffffffff827b2d88 tp : ff6000008785da40 t0 : ffffffff80fbce04
| t1 : 0720072007200720 t2 : 706d756420656761 s0 : ff20000000a73a50
| s1 : ff6000008915cff8 a0 : 0000000000000039 a1 : 0000000000000008
| a2 : ff600003fff0de20 a3 : 0000000000000000 a4 : 0000000000000000
| a5 : 0000000000000000 a6 : c0000000ffffefff a7 : ffffffff824469b8
| s2 : ff1c0000022456c0 s3 : ff1ffffffdbfffff s4 : ff6000008915c000
| s5 : ff6000008915c000 s6 : ff6000008915c000 s7 : ff1ffffffdc00000
| s8 : 0000000000000001 s9 : ff1ffffffdc00000 s10: ffffffff819a31f0
| s11: ffffffffffffffff t3 : ffffffff8000c950 t4 : ff60000080244f00
| t5 : ff60000080244000 t6 : ff20000000a73708
| status: 0000000200000120 badaddr: ffffffff80010a68 cause: 0000000000000003
| [] remove_pgd_mapping+0xbec/0x1070
| [] vmemmap_free+0x14/0x1e
| [] section_deactivate+0x220/0x452
| [] sparse_remove_section+0x4a/0x58
| [] __remove_pages+0x7e/0xba
| [] memunmap_pages+0x2bc/0x3fe
| [] dmirror_device_remove_chunks+0x2ea/0x518 [test_hmm]
| [] hmm_dmirror_exit+0x3e/0x1018 [test_hmm]
| [] __riscv_sys_delete_module+0x15a/0x2a6
| [] do_trap_ecall_u+0x1f2/0x266
| [] _new_vmalloc_restore_context_a0+0xc6/0xd2
| Code: bf51 7597 0184 8593 76a5 854a 4097 0029 80e7 2c00 (9002) 7597
| ---[ end trace 0000000000000000 ]---
| Kernel panic - not syncing: Fatal exception in interrupt

Add a check to avoid calling the pmd dtor, if the calling context is vmemmap_free().
Severity CVSS v4.0: Pending analysis
Last modification:
01/10/2025