Vulnerabilities

Improper Control of Generation of Code ('Code Injection') vulnerability in RealMag777 MDTF wp-meta-data-filter-and-taxonomy-filter allows Code Injection.This issue affects MDTF: from n/a through

A vulnerability classified as critical has been found in Project Worlds Online Time Table Generator 1.0. Affected is an unknown function of the file /timetable/admin/admindashboard.php?info=add_course. The manipulation of the argument c leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

Spring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances.<br /> <br /> For this to impact an application, all of the following must be true:<br /> <br /> * It must be a WebFlux application<br /> * It must be using Spring&amp;#39;s static resources support<br /> * It must have a non-permitAll authorization rule applied to the static resources support

The All-in-One WP Migration and Backup plugin for WordPress is vulnerable to arbitrary PHP Code Injection due to missing file type validation during the export in all versions up to, and including, 7.86. This makes it possible for authenticated attackers, with Administrator-level access and above, to create an export file with the .php extension on the affected site&amp;#39;s server, adding an arbitrary PHP code to it, which may make remote code execution possible.

Use of potentially dangerous function issue exists in Chatwork Desktop Application (Windows) versions prior to 2.9.2. If a user clicks a specially crafted link in the application, an arbitrary file may be downloaded from an external website and executed. As a result, arbitrary code may be executed on the device that runs Chatwork Desktop Application (Windows).

SchedMD Slurm before 24.05.4 has Incorrect Authorization. A mistake in authentication handling in stepmgr could permit an attacker to execute processes under other users&amp;#39; jobs. This is limited to jobs explicitly running with --stepmgr, or on systems that have globally enabled stepmgr via SlurmctldParameters=enable_stepmgr in their configuration.

The eHRD CTMS from Sunnet has an Authentication Bypass vulnerability, allowing unauthenticated remote attackers to bypass authentication by satisfying specific conditions in order to access certain functionalities.

The eHRD CTMS from Sunnet has an Insecure Direct Object Reference (IDOR) vulnerability, allowing unauthenticated remote attackers to modify a specific parameter to access arbitrary files uploaded by any user.

The eHDR CTMS from Sunnet has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL command to read, modify, and delete database contents.

Improper Neutralization of Special Elements used in an SQL Command (&amp;#39;SQL Injection&amp;#39;) vulnerability in Genians Genian NAC V5.0, Genians Genian NAC LTS V5.0.This issue affects Genian NAC V5.0: from V5.0.0 through V5.0.60; Genian NAC LTS V5.0: from 5.0.0 LTS through 5.0.55 LTS(Revision 125558), from 5.0.0 LTS through 5.0.56 LTS(Revision 125560).

A vulnerability was found in Tenda AC1206 up to 20241027. It has been classified as critical. This affects the function ate_Tenda_mfg_check_usb/ate_Tenda_mfg_check_usb3 of the file /goform/ate. The manipulation of the argument arg leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> uprobe: avoid out-of-bounds memory access of fetching args<br /> <br /> Uprobe needs to fetch args into a percpu buffer, and then copy to ring<br /> buffer to avoid non-atomic context problem.<br /> <br /> Sometimes user-space strings, arrays can be very large, but the size of<br /> percpu buffer is only page size. And store_trace_args() won&amp;#39;t check<br /> whether these data exceeds a single page or not, caused out-of-bounds<br /> memory access.<br /> <br /> It could be reproduced by following steps:<br /> 1. build kernel with CONFIG_KASAN enabled<br /> 2. save follow program as test.c<br /> <br /> ```<br /> \#include <br /> \#include <br /> \#include <br /> <br /> // If string length large than MAX_STRING_SIZE, the fetch_store_strlen()<br /> // will return 0, cause __get_data_size() return shorter size, and<br /> // store_trace_args() will not trigger out-of-bounds access.<br /> // So make string length less than 4096.<br /> \#define STRLEN 4093<br /> <br /> void generate_string(char *str, int n)<br /> {<br /> int i;<br /> for (i = 0; i uprobe_events<br /> echo 1 &gt; events/uprobes/enable<br /> echo 1 &gt; tracing_on<br /> ```<br /> <br /> 6. run `test`, and kasan will report error.<br /> ==================================================================<br /> BUG: KASAN: use-after-free in strncpy_from_user+0x1d6/0x1f0<br /> Write of size 8 at addr ffff88812311c004 by task test/499CPU: 0 UID: 0 PID: 499 Comm: test Not tainted 6.12.0-rc3+ #18<br /> Hardware name: Red Hat KVM, BIOS 1.16.0-4.al8 04/01/2014<br /> Call Trace:<br /> <br /> dump_stack_lvl+0x55/0x70<br /> print_address_description.constprop.0+0x27/0x310<br /> kasan_report+0x10f/0x120<br /> ? strncpy_from_user+0x1d6/0x1f0<br /> strncpy_from_user+0x1d6/0x1f0<br /> ? rmqueue.constprop.0+0x70d/0x2ad0<br /> process_fetch_insn+0xb26/0x1470<br /> ? __pfx_process_fetch_insn+0x10/0x10<br /> ? _raw_spin_lock+0x85/0xe0<br /> ? __pfx__raw_spin_lock+0x10/0x10<br /> ? __pte_offset_map+0x1f/0x2d0<br /> ? unwind_next_frame+0xc5f/0x1f80<br /> ? arch_stack_walk+0x68/0xf0<br /> ? is_bpf_text_address+0x23/0x30<br /> ? kernel_text_address.part.0+0xbb/0xd0<br /> ? __kernel_text_address+0x66/0xb0<br /> ? unwind_get_return_address+0x5e/0xa0<br /> ? __pfx_stack_trace_consume_entry+0x10/0x10<br /> ? arch_stack_walk+0xa2/0xf0<br /> ? _raw_spin_lock_irqsave+0x8b/0xf0<br /> ? __pfx__raw_spin_lock_irqsave+0x10/0x10<br /> ? depot_alloc_stack+0x4c/0x1f0<br /> ? _raw_spin_unlock_irqrestore+0xe/0x30<br /> ? stack_depot_save_flags+0x35d/0x4f0<br /> ? kasan_save_stack+0x34/0x50<br /> ? kasan_save_stack+0x24/0x50<br /> ? mutex_lock+0x91/0xe0<br /> ? __pfx_mutex_lock+0x10/0x10<br /> prepare_uprobe_buffer.part.0+0x2cd/0x500<br /> uprobe_dispatcher+0x2c3/0x6a0<br /> ? __pfx_uprobe_dispatcher+0x10/0x10<br /> ? __kasan_slab_alloc+0x4d/0x90<br /> handler_chain+0xdd/0x3e0<br /> handle_swbp+0x26e/0x3d0<br /> ? __pfx_handle_swbp+0x10/0x10<br /> ? uprobe_pre_sstep_notifier+0x151/0x1b0<br /> irqentry_exit_to_user_mode+0xe2/0x1b0<br /> asm_exc_int3+0x39/0x40<br /> RIP: 0033:0x401199<br /> Code: 01 c2 0f b6 45 fb 88 02 83 45 fc 01 8b 45 fc 3b 45 e4 7c b7 8b 45 e4 48 98 48 8d 50 ff 48 8b 45 e8 48 01 d0 ce<br /> RSP: 002b:00007ffdf00576a8 EFLAGS: 00000206<br /> RAX: 00007ffdf00576b0 RBX: 0000000000000000 RCX: 0000000000000ff2<br /> RDX: 0000000000000ffc RSI: 0000000000000ffd RDI: 00007ffdf00576b0<br /> RBP: 00007ffdf00586b0 R08: 00007feb2f9c0d20 R09: 00007feb2f9c0d20<br /> R10: 0000000000000001 R11: 0000000000000202 R12: 0000000000401040<br /> R13: 00007ffdf0058780 R14: 0000000000000000 R15: 0000000000000000<br /> <br /> <br /> This commit enforces the buffer&amp;#39;s maxlen less than a page-size to avoid<br /> store_trace_args() out-of-memory access.