Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we make available to interested users a database, in Spanish, that includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), under a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All collected vulnerabilities are linked to their information sources, as well as to any available patches or solutions provided by manufacturers and developers. Advanced searches are possible: results can be narrowed down by selecting criteria such as vulnerability type, manufacturer and impact level, among others.

RSS feeds and newsletters provide daily notification of the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2024-29727

Publication date:
29/08/2024
SQL injection vulnerabilities in SportsNET affecting version 4.0.1. These vulnerabilities could allow an attacker to retrieve, update and delete all information in the database by sending a specially crafted SQL query: https://XXXXXXX.saludydesafio.com/app/ax/sendParticipationRemember/ , parameter send.
Severity CVSS v4.0: Pending analysis
Last modification:
30/08/2024

CVE-2021-4442

Publication date:
29/08/2024
In the Linux kernel, the following vulnerability has been resolved:

tcp: add sanity tests to TCP_QUEUE_SEQ

Qingyu Li reported a syzkaller bug where the repro changes RCV SEQ _after_ restoring data in the receive queue.

mprotect(0x4aa000, 12288, PROT_READ) = 0
mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
socket(AF_INET6, SOCK_STREAM, IPPROTO_IP) = 3
setsockopt(3, SOL_TCP, TCP_REPAIR, [1], 4) = 0
connect(3, {sa_family=AF_INET6, sin6_port=htons(0), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_scope_id=0}, 28) = 0
setsockopt(3, SOL_TCP, TCP_REPAIR_QUEUE, [1], 4) = 0
sendmsg(3, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="0x0000000000000003\0\0", iov_len=20}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 20
setsockopt(3, SOL_TCP, TCP_REPAIR, [0], 4) = 0
setsockopt(3, SOL_TCP, TCP_QUEUE_SEQ, [128], 4) = 0
recvfrom(3, NULL, 20, 0, NULL, NULL) = -1 ECONNRESET (Connection reset by peer)

syslog shows:
[ 111.205099] TCP recvmsg seq # bug 2: copied 80, seq 0, rcvnxt 80, fl 0
[ 111.207894] WARNING: CPU: 1 PID: 356 at net/ipv4/tcp.c:2343 tcp_recvmsg_locked+0x90e/0x29a0

This should not be allowed. TCP_QUEUE_SEQ should only be used when queues are empty.

This patch fixes this case, and the tx path as well.
Severity CVSS v4.0: Pending analysis
Last modification:
12/09/2024

CVE-2022-2440

Publication date:
29/08/2024
The Theme Editor plugin for WordPress is vulnerable to deserialization of untrusted input via the 'images_array' parameter in versions up to, and including, 2.8. This makes it possible for authenticated attackers with administrative privileges to call files using a PHAR wrapper that will deserialize and call arbitrary PHP objects that can be used to perform a variety of malicious actions, provided a POP chain is also present. It also requires that the attacker is successful in uploading a file with the serialized payload.
Severity CVSS v4.0: Pending analysis
Last modification:
10/07/2025

CVE-2024-41918

Publication date:
29/08/2024
'Rakuten Ichiba App' for Android 12.4.0 and earlier and 'Rakuten Ichiba App' for iOS 11.7.0 and earlier are vulnerable to improper authorization in the handler for a custom URL scheme. An arbitrary site may be displayed in the WebView of the product via an Intent from another application installed on the user's device. As a result, the user may be redirected to an unauthorized site and may become the victim of a phishing attack.
Severity CVSS v4.0: Pending analysis
Last modification:
30/08/2024

CVE-2024-45435

Publication date:
29/08/2024
Chartist 1.x through 1.3.0 allows Prototype Pollution via the extend function.
Severity CVSS v4.0: Pending analysis
Last modification:
03/09/2024

CVE-2024-45436

Publication date:
29/08/2024
extractFromZipFile in model.go in Ollama before 0.1.47 can extract members of a ZIP archive outside of the parent directory.
Severity CVSS v4.0: Pending analysis
Last modification:
30/08/2024

CVE-2024-7857

Publication date:
29/08/2024
The Media Library Folders plugin for WordPress is vulnerable to second order SQL Injection via the 'sort_type' parameter of the 'mlf_change_sort_type' AJAX action in all versions up to, and including, 8.2.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity CVSS v4.0: Pending analysis
Last modification:
13/03/2025

CVE-2024-45232

Publication date:
29/08/2024
An issue was discovered in the powermail extension through 12.3.5 for TYPO3. It fails to validate the mail parameter of the confirmationAction, resulting in Insecure Direct Object Reference (IDOR). An unauthenticated attacker can use this to display the user-submitted data of all forms persisted by the extension. This can only be exploited when the extension is configured to save submitted form data to the database (plugin.tx_powermail.settings.db.enable=1), which however is the default setting of the extension. The fixed versions are 7.5.0, 8.5.0, 10.9.0, and 12.4.0.
Severity CVSS v4.0: Pending analysis
Last modification:
30/08/2024

CVE-2024-45233

Publication date:
29/08/2024
An issue was discovered in the powermail extension through 12.3.5 for TYPO3. Several actions in the OutputController can be called directly, due to missing or insufficiently implemented access checks, resulting in Broken Access Control. Depending on the configuration of the Powermail Frontend plugins, an unauthenticated attacker can exploit this to edit, update, delete, or export data of persisted forms. This can only be exploited when the Powermail Frontend plugins are used. The fixed versions are 7.5.0, 8.5.0, 10.9.0, and 12.4.0.
Severity CVSS v4.0: Pending analysis
Last modification:
30/08/2024

CVE-2024-8250

Publication date:
29/08/2024
NTLMSSP dissector crash in Wireshark 4.2.0 to 4.0.6 and 4.0.0 to 4.0.16 allows denial of service via packet injection or a crafted capture file.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-8194

Publication date:
28/08/2024
Type Confusion in V8 in Google Chrome prior to 128.0.6613.113 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Severity CVSS v4.0: Pending analysis
Last modification:
30/08/2024

CVE-2024-8198

Publication date:
28/08/2024
Heap buffer overflow in Skia in Google Chrome prior to 128.0.6613.113 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Severity CVSS v4.0: Pending analysis
Last modification:
15/10/2024