Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we have made available a database, in Spanish, that includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: different criteria can be selected to narrow down the results, such as vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2024-10776

Publication date:
06/12/2024
Lua apps can be deployed, removed, started, reloaded or stopped without authorization via AppManager. This allows an attacker to remove legitimate apps creating a DoS attack, read and write files or load apps that use all features of the product available to a customer.
Severity CVSS v4.0: Pending analysis
Last modification:
06/12/2024

CVE-2024-11022

Publication date:
06/12/2024
The authentication process to the web server uses a challenge response procedure which includes the nonce and additional information. This challenge can be used several times for login and is therefore vulnerable to a replay attack.
Severity CVSS v4.0: Pending analysis
Last modification:
06/12/2024

CVE-2024-10772

Publication date:
06/12/2024
Since the firmware update is not validated, an attacker can install modified firmware on the device. This has a high impact on the availability, integrity and confidentiality up to the complete compromise of the device.
Severity CVSS v4.0: Pending analysis
Last modification:
06/12/2024

CVE-2024-10773

Publication date:
06/12/2024
The product is vulnerable to pass-the-hash attacks in combination with hardcoded credentials of hidden user levels. This means that an attacker can log in with the hidden user levels and gain full access to the device.
Severity CVSS v4.0: Pending analysis
Last modification:
06/12/2024

CVE-2024-10771

Publication date:
06/12/2024
Due to missing input validation during one step of the firmware update process, the product is vulnerable to remote code execution. With network access and the user level "Service", an attacker can execute arbitrary system commands in the root user's contexts.
Severity CVSS v4.0: Pending analysis
Last modification:
06/12/2024

CVE-2024-53908

Publication date:
06/12/2024
An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. Direct usage of the django.db.models.fields.json.HasKey lookup, when an Oracle database is used, is subject to SQL injection if untrusted data is used as an lhs value. (Applications that use the jsonfield.has_key lookup via __ are unaffected.)
Severity CVSS v4.0: Pending analysis
Last modification:
09/06/2025

CVE-2024-53907

Publication date:
06/12/2024
An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. The strip_tags() method and striptags template filter are subject to a potential denial-of-service attack via certain inputs containing large sequences of nested incomplete HTML entities.
Severity CVSS v4.0: Pending analysis
Last modification:
24/06/2025

CVE-2024-11730

Publication date:
06/12/2024
The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to SQL Injection via the 'sort[]' parameter of the static_data_list AJAX action in all versions up to, and including, 3.6.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with doctor/receptionist-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity CVSS v4.0: Pending analysis
Last modification:
05/02/2025

CVE-2024-11729

Publication date:
06/12/2024
The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to SQL Injection via the 'service_list[0][service_id]' parameter of the get_widget_payment_options AJAX action in all versions up to, and including, 3.6.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Custom-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity CVSS v4.0: Pending analysis
Last modification:
05/02/2025

CVE-2024-53141

Publication date:
06/12/2024
In the Linux kernel, the following vulnerability has been resolved:

netfilter: ipset: add missing range check in bitmap_ip_uadt

When tb[IPSET_ATTR_IP_TO] is not present but tb[IPSET_ATTR_CIDR] exists,
the values of ip and ip_to are slightly swapped. Therefore, the range check
for ip should be done later, but this part is missing and it seems that the
vulnerability occurs.

So we should add missing range checks and remove unnecessary range checks.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-53142

Publication date:
06/12/2024
In the Linux kernel, the following vulnerability has been resolved:

initramfs: avoid filename buffer overrun

The initramfs filename field is defined in
Documentation/driver-api/early-userspace/buffer-format.rst as:

 37 cpio_file := ALGN(4) + cpio_header + filename + "\0" + ALGN(4) + data
...
 55 ============= ================== =========================
 56 Field name    Field size         Meaning
 57 ============= ================== =========================
...
 70 c_namesize    8 bytes            Length of filename, including final \0

When extracting an initramfs cpio archive, the kernel's do_name() path
handler assumes a zero-terminated path at @collected, passing it
directly to filp_open() / init_mkdir() / init_mknod().

If a specially crafted cpio entry carries a non-zero-terminated filename
and is followed by uninitialized memory, then a file may be created with
trailing characters that represent the uninitialized memory. The ability
to create an initramfs entry would imply already having full control of
the system, so the buffer overrun shouldn't be considered a security
vulnerability.

Append the output of the following bash script to an existing initramfs
and observe any created /initramfs_test_fname_overrunAA* path. E.g.
  ./reproducer.sh | gzip >> /myinitramfs

It's easiest to observe non-zero uninitialized memory when the output is
gzipped, as it'll overflow the heap allocated @out_buf in __gunzip(),
rather than the initrd_start+initrd_size block.

---- reproducer.sh ----
nilchar="A" # change to "\0" to properly zero terminate / pad
magic="070701"
ino=1
mode=$(( 0100777 ))
uid=0
gid=0
nlink=1
mtime=1
filesize=0
devmajor=0
devminor=1
rdevmajor=0
rdevminor=0
csum=0
fname="initramfs_test_fname_overrun"
namelen=$(( ${#fname} + 1 )) # plus one to account for terminator

printf "%s%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%s" \
	$magic $ino $mode $uid $gid $nlink $mtime $filesize \
	$devmajor $devminor $rdevmajor $rdevminor $namelen $csum $fname

termpadlen=$(( 1 + ((4 - ((110 + $namelen) & 3)) % 4) ))
printf "%.s${nilchar}" $(seq 1 $termpadlen)
---- reproducer.sh ----

Symlink filename fields handled in do_symlink() won't overrun past the
data segment, due to the explicit zero-termination of the symlink
target.

Fix filename buffer overrun by aborting the initramfs FSM if any cpio
entry doesn't carry a zero-terminator at the expected (name_len - 1)
offset.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-10909

Publication date:
06/12/2024
The Pojo Forms plugin for WordPress is vulnerable to arbitrary shortcode execution via form_preview_shortcode AJAX action in all versions up to, and including, 1.4.7. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes. This was partially fixed in version 1.4.8.
Severity CVSS v4.0: Pending analysis
Last modification:
06/12/2024