Vulnerabilities

An Incorrect Synchronization vulnerability in the management daemon (mgd) of Juniper Networks Junos OS and Junos OS Evolved allows a network-based attacker with low privileges to cause a complete Denial-of-Service (DoS) of the management plane.<br /> <br /> When NETCONF sessions are quickly established and disconnected, a locking issue causes mgd processes to hang in an unusable state. When the maximum number of mgd processes has been reached, no new logins are possible. This leads to the inability to manage the device and requires a power-cycle to recover.<br /> <br /> This issue can be monitored by checking for mgd processes in lockf state in the output of &amp;#39;show system processes extensive&amp;#39;:<br /> <br /> user@host&gt; show system processes extensive | match mgd<br /> root       20   0 501M 4640K lockf   1 0:01 0.00% mgd<br /> <br /> <br /> If the system still can be accessed (either via the CLI or as root, which might still be possible as last resort as this won&amp;#39;t invoke mgd), mgd processes in this state can be killed with &amp;#39;request system process terminate &amp;#39; from the CLI or with &amp;#39;kill -9 &amp;#39; from the shell. <br /> <br /> <br /> <br /> <br /> This issue affects:<br /> <br /> Junos OS:<br /> <br /> * 23.4 versions before 23.4R2-S4,<br /> * 24.2 versions before 24.2R2-S1,<br /> * 24.4 versions before 24.4R1-S3, 24.4R2;<br /> <br /> <br /> <br /> <br /> This issue does not affect Junos OS versions before 23.4R1;<br /> <br /> <br /> <br /> Junos OS Evolved:<br /> <br /> * 23.4 versions before 23.4R2-S5-EVO,<br /> * 24.2 versions before 24.2R2-S1-EVO,<br /> * 24.4 versions before 24.4R1-S3-EVO, 24.4R2-EVO.<br /> <br /> <br /> <br /> <br /> <br /> <br /> This issue does not affect Junos OS Evolved versions before 23.4R1-EVO;

An Improper Neutralization of Input During Web Page Generation (&amp;#39;Cross-site Scripting&amp;#39;) vulnerability in Juniper Networks Junos Space allows an attacker to inject script tags in the <br /> <br /> list filter field that, when visited by another user, enables the attacker to execute commands with the target&amp;#39;s permissions, including an administrator.<br /> <br /> This issue affects all versions of Junos Space before 24.1R5 Patch V3.

A Permissive List of Allowed Input vulnerability in the CLI of Juniper Networks Support Insights (JSI) Virtual Lightweight Collector (vLWC) allows a local, high privileged attacker to escalate their privileges to root.<br /> <br /> The CLI menu accepts input without carefully validating it, which allows for shell command injection. These shell commands are executed with root permissions and can be used to gain complete control of the system.<br /> <br /> This issue affects all JSI vLWC versions before 3.0.94.

A UNIX Symbolic Link (Symlink) Following vulnerability in the CLI of Juniper Networks Junos OS allows a local, authenticated attacker with low privileges to escalate their privileges to root which will lead to a complete compromise of the system.<br /> <br /> When after a user has performed a specific &amp;#39;file link ...&amp;#39; CLI operation, another user commits (unrelated configuration changes), the first user can login as root.<br /> <br /> This issue affects Junos OS:<br /> * all versions before 23.2R2-S7,<br /> * 23.4 versions before 23.4R2-S6,<br /> * 24.2 versions before 24.2R2-S3,<br /> * 24.4 versions before 24.4R2-S2,<br /> * 25.2 versions before 25.2R2.<br /> <br /> <br /> This issue does not affect versions 25.4R1 or later.

A Buffer Copy without Checking Size of Input (&amp;#39;Classic Buffer Overflow&amp;#39;) vulnerability in the advanced forwarding toolkit (evo-aftmand/evo-pfemand) of Juniper Networks Junos OS Evolved on PTX Series or QFX5000 Series allows an unauthenticated, adjacent attacker to cause a Denial of Service (DoS).An attacker sending crafted multicast packets will cause line cards running evo-aftmand/evo-pfemand to crash and restart or non-line card devices to crash and restart. Continued receipt and processing of these packets will sustain the Denial of Service (DoS) condition.<br /> <br /> This issue affects Junos OS Evolved PTX Series:<br /> <br /> <br /> <br /> * All versions before 22.4R3-S8-EVO,<br /> * from 23.2 before 23.2R2-S5-EVO,<br /> * from 23.4 before 23.4R2-EVO,<br /> * from 24.2 before 24.2R2-EVO,<br /> * from 24.4 before 24.4R2-EVO.<br /> <br /> <br /> <br /> <br /> This issue affects Junos OS Evolved on QFX5000 Series:<br /> <br /> <br /> <br /> * 22.2-EVO version before 22.2R3-S7-EVO,<br /> * 22.4-EVO version before 22.4R3-S7-EVO,<br /> * 23.2-EVO versions before 23.2R2-S4-EVO,<br /> * 23.4-EVO versions before 23.4R2-S5-EVO, <br /> * 24.2-EVO versions before 24.2R2-S1-EVO,<br /> * 24.4-EVO versions before 24.4R1-S3-EVO, 24.4R2-EVO.<br /> <br /> <br /> This issue does not affect Junos OS Evolved on QFX5000 Series versions before: 21.2R2-S1-EVO, 21.2R3-EVO, 21.3R2-EVO, 21.4R1-EVO, and 22.1R1-EVO.

A Key Exchange without Entity Authentication vulnerability in the SSH implementation of Juniper Networks Apstra allows a unauthenticated, MITM <br /> <br /> attacker to impersonate managed devices.<br /> <br /> Due to insufficient SSH host key validation an attacker can perform a machine-in-the-middle attack on the SSH connections from Apstra to managed devices, enabling an attacker to impersonate a managed device and capture user credentials.<br /> <br /> This issue affects all versions of Apstra before 6.1.1.

A flaw has been found in D-Link DIR-605L 2.13B01. Affected by this issue is the function formSetMACFilter of the file /goform/formSetMACFilter of the component POST Request Handler. This manipulation of the argument curTime causes buffer overflow. The attack may be initiated remotely. The exploit has been published and may be used. This vulnerability only affects products that are no longer supported by the maintainer.

A vulnerability was detected in D-Link DIR-605L 2.13B01. Affected by this vulnerability is the function formVirtualServ of the file /goform/formVirtualServ of the component POST Request Handler. The manipulation of the argument curTime results in buffer overflow. The attack can be launched remotely. The exploit is now public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.

A weakness has been identified in Totolink A7100RU 7.4cu.2313_b20191024. This impacts the function setWiFiBasicCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Executing a manipulation of the argument wifiOff can lead to os command injection. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks.

A security vulnerability has been detected in Totolink A7100RU 7.4cu.2313_b20191024. Affected is the function setWiFiAclRules of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument mode leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used.

Heap buffer overflow in CertFromX509 via AuthorityKeyIdentifier size confusion. A heap buffer overflow occurs when converting an X.509 certificate internally due to incorrect size handling of the AuthorityKeyIdentifier extension.

SiYuan is a personal knowledge management system. Prior to 3.6.4, SiYuan configures Mermaid.js with securityLevel: "loose" and htmlLabels: true. In this mode, tags with src attributes survive Mermaid&amp;#39;s internal DOMPurify and land in SVG blocks. The SVG is injected via innerHTML with no secondary sanitization. When a victim opens a note containing a malicious Mermaid diagram, the Electron client fetches the URL. On Windows, a protocol-relative URL (//attacker.com/image.png) resolves as a UNC path (\\attacker.com\image.png). Windows attempts SMB authentication automatically, sending the victim&amp;#39;s NTLMv2 hash to the attacker. This vulnerability is fixed in 3.6.4.