Vulnerabilities

A Stored Cross Site Scripting (XSS) vulnerability was found in "/music/ajax.php?action=save_playlist" in Kashipara Music Management System v1.0. This vulnerability allows remote attackers to execute arbitrary code via "title" & "description" parameter fields.

There is an Open Redirect vulnerability in Gnuboard v6.0.4 and below via the `url` parameter in login path.

A vulnerability was determined in Chengdu Everbrite Network Technology BeikeShop up to 1.5.5. This affects the function rename of the file /Admin/Http/Controllers/FileManagerController.php. This manipulation of the argument new_name causes unrestricted upload. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. Upgrading to version 1.6.0 is able to mitigate this issue. The affected component should be upgraded.

A vulnerability was identified in Chengdu Everbrite Network Technology BeikeShop up to 1.5.5. This vulnerability affects the function exportZip of the file /admin/file_manager/export. Such manipulation of the argument path leads to path traversal. The attack can be launched remotely. The exploit is publicly available and might be used. Upgrading to version 1.6.0 is able to resolve this issue. It is suggested to upgrade the affected component.

Lax permissions set by the Apache Portable Runtime library on Unix platforms would allow local users read access to named shared memory segments, potentially revealing sensitive application data. <br /> <br /> This issue does not affect non-Unix platforms, or builds with APR_USE_SHMEM_SHMGET=1 (apr.h)<br /> <br /> Users are recommended to upgrade to APR version 1.7.5, which fixes this issue.

A vulnerability classified as critical has been found in TOTOLINK T10 AC1200 4.1.8cu.5207. Affected is an unknown function of the file /squashfs-root/web_cste/cgi-bin/product.ini of the component Telnet Service. The manipulation leads to hard-coded credentials. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability was found in Chengdu Everbrite Network Technology BeikeShop up to 1.5.5. Affected by this issue is the function destroyFiles of the file /admin/file_manager/files. The manipulation of the argument files results in path traversal. It is possible to launch the attack remotely. The exploit has been made public and could be used. Upgrading to version 1.6.0 can resolve this issue. You should upgrade the affected component.

Tenda AX1806 v1.0.0.1 contains a stack overflow via the adv.iptv.stballvlans parameter in the function setIptvInfo.

Tenda AX1806 v1.0.0.1 contains a stack overflow via the adv.iptv.stbpvid parameter in the function setIptvInfo.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> f2fs: fix to cover read extent cache access with lock<br /> <br /> syzbot reports a f2fs bug as below:<br /> <br /> BUG: KASAN: slab-use-after-free in sanity_check_extent_cache+0x370/0x410 fs/f2fs/extent_cache.c:46<br /> Read of size 4 at addr ffff8880739ab220 by task syz-executor200/5097<br /> <br /> CPU: 0 PID: 5097 Comm: syz-executor200 Not tainted 6.9.0-rc6-syzkaller #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024<br /> Call Trace:<br /> <br /> __dump_stack lib/dump_stack.c:88 [inline]<br /> dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114<br /> print_address_description mm/kasan/report.c:377 [inline]<br /> print_report+0x169/0x550 mm/kasan/report.c:488<br /> kasan_report+0x143/0x180 mm/kasan/report.c:601<br /> sanity_check_extent_cache+0x370/0x410 fs/f2fs/extent_cache.c:46<br /> do_read_inode fs/f2fs/inode.c:509 [inline]<br /> f2fs_iget+0x33e1/0x46e0 fs/f2fs/inode.c:560<br /> f2fs_nfs_get_inode+0x74/0x100 fs/f2fs/super.c:3237<br /> generic_fh_to_dentry+0x9f/0xf0 fs/libfs.c:1413<br /> exportfs_decode_fh_raw+0x152/0x5f0 fs/exportfs/expfs.c:444<br /> exportfs_decode_fh+0x3c/0x80 fs/exportfs/expfs.c:584<br /> do_handle_to_path fs/fhandle.c:155 [inline]<br /> handle_to_path fs/fhandle.c:210 [inline]<br /> do_handle_open+0x495/0x650 fs/fhandle.c:226<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> <br /> We missed to cover sanity_check_extent_cache() w/ extent cache lock,<br /> so, below race case may happen, result in use after free issue.<br /> <br /> - f2fs_iget<br /> - do_read_inode<br /> - f2fs_init_read_extent_tree<br /> : add largest extent entry in to cache<br /> - shrink<br /> - f2fs_shrink_read_extent_tree<br /> - __shrink_extent_tree<br /> - __detach_extent_node<br /> : drop largest extent entry<br /> - sanity_check_extent_cache<br /> : access et-&gt;largest w/o lock<br /> <br /> let&amp;#39;s refactor sanity_check_extent_cache() to avoid extent cache access<br /> and call it before f2fs_init_read_extent_tree() to fix this issue.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> f2fs: fix to do sanity check on F2FS_INLINE_DATA flag in inode during GC<br /> <br /> syzbot reports a f2fs bug as below:<br /> <br /> ------------[ cut here ]------------<br /> kernel BUG at fs/f2fs/inline.c:258!<br /> CPU: 1 PID: 34 Comm: kworker/u8:2 Not tainted 6.9.0-rc6-syzkaller-00012-g9e4bc4bcae01 #0<br /> RIP: 0010:f2fs_write_inline_data+0x781/0x790 fs/f2fs/inline.c:258<br /> Call Trace:<br /> f2fs_write_single_data_page+0xb65/0x1d60 fs/f2fs/data.c:2834<br /> f2fs_write_cache_pages fs/f2fs/data.c:3133 [inline]<br /> __f2fs_write_data_pages fs/f2fs/data.c:3288 [inline]<br /> f2fs_write_data_pages+0x1efe/0x3a90 fs/f2fs/data.c:3315<br /> do_writepages+0x35b/0x870 mm/page-writeback.c:2612<br /> __writeback_single_inode+0x165/0x10b0 fs/fs-writeback.c:1650<br /> writeback_sb_inodes+0x905/0x1260 fs/fs-writeback.c:1941<br /> wb_writeback+0x457/0xce0 fs/fs-writeback.c:2117<br /> wb_do_writeback fs/fs-writeback.c:2264 [inline]<br /> wb_workfn+0x410/0x1090 fs/fs-writeback.c:2304<br /> process_one_work kernel/workqueue.c:3254 [inline]<br /> process_scheduled_works+0xa12/0x17c0 kernel/workqueue.c:3335<br /> worker_thread+0x86d/0xd70 kernel/workqueue.c:3416<br /> kthread+0x2f2/0x390 kernel/kthread.c:388<br /> ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147<br /> ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244<br /> <br /> The root cause is: inline_data inode can be fuzzed, so that there may<br /> be valid blkaddr in its direct node, once f2fs triggers background GC<br /> to migrate the block, it will hit f2fs_bug_on() during dirty page<br /> writeback.<br /> <br /> Let&amp;#39;s add sanity check on F2FS_INLINE_DATA flag in inode during GC,<br /> so that, it can forbid migrating inline_data inode&amp;#39;s data block for<br /> fixing.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> jfs: fix null ptr deref in dtInsertEntry<br /> <br /> [syzbot reported]<br /> general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI<br /> KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]<br /> CPU: 0 PID: 5061 Comm: syz-executor404 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024<br /> RIP: 0010:dtInsertEntry+0xd0c/0x1780 fs/jfs/jfs_dtree.c:3713<br /> ...<br /> [Analyze]<br /> In dtInsertEntry(), when the pointer h has the same value as p, after writing<br /> name in UniStrncpy_to_le(), p-&gt;header.flag will be cleared. This will cause the<br /> previously true judgment "p-&gt;header.flag &amp; BT-LEAF" to change to no after writing<br /> the name operation, this leads to entering an incorrect branch and accessing the<br /> uninitialized object ih when judging this condition for the second time.<br /> <br /> [Fix]<br /> After got the page, check freelist first, if freelist == 0 then exit dtInsert()<br /> and return -EINVAL.