Vulnerabilities

Users with low privileges can perform certain AJAX actions. In this vulnerability instance, improper access to ajax?action=plugin:focus:checkIframeAvailability leads to a Server-Side Request Forgery by analyzing the error messages returned from the back-end. Allowing an attacker to perform a port scan in the back-end. At the time of publication of the CVE no patch is available.<br /> <br />

Photoshop Desktop versions 24.7.2, 25.3.1 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Media Encoder versions 24.2.1, 23.6.4 and earlier are affected by a Stack-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Joda Time v2.12.5 was discovered to contain a NullPointerException via the component org.joda.time.format.PeriodFormat::wordBased(Locale). NOTE: this is disputed by multiple third parties who believe there was not reasonable evidence to determine the existence of a vulnerability. The submission may have been based on a tool that is not sufficiently robust for vulnerability identification.

An external control of file name or path vulnerability [CWE-73] in FortiClientMac version 7.2.3 and below, version 7.0.10 and below installer may allow a local attacker to execute arbitrary code or commands via writing a malicious configuration file in /tmp before starting the installation process.

Cross-Site Request Forgery (CSRF) vulnerability in Exactly WWW EWWW Image Optimizer.This issue affects EWWW Image Optimizer: from n/a through 7.2.3.<br /> <br />

InDesign Desktop versions 18.5.1, 19.2 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

JFreeChart v1.5.4 was discovered to contain a NullPointerException via the component /labels/BubbleXYItemLabelGenerator.java. NOTE: this is disputed by multiple third parties who believe there was not reasonable evidence to determine the existence of a vulnerability. The submission may have been based on a tool that is not sufficiently robust for vulnerability identification.

HTTP/2 CONTINUATION DoS attack can cause Apache Traffic Server to consume more resources on the server.  Version from 8.0.0 through 8.1.9, from 9.0.0 through 9.2.3 are affected.<br /> <br /> Users can set a new setting (proxy.config.http2.max_continuation_frames_per_minute) to limit the number of CONTINUATION frames per minute.  ATS does have a fixed amount of memory a request can use and ATS adheres to these limits in previous releases.<br /> Users are recommended to upgrade to versions 8.1.10 or 9.2.4 which fixes the issue.

Adobe Commerce versions 2.4.6-p4, 2.4.5-p6, 2.4.4-p7, 2.4.7-beta3 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution on the underlying filesystem. Exploitation of this issue does not require user interaction, but the attack complexity is high.

Adobe Commerce versions 2.4.6-p4, 2.4.5-p6, 2.4.4-p7, 2.4.7-beta3 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. Confidentiality and integrity are considered high due to having admin impact.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/sched: taprio: proper TCA_TAPRIO_TC_ENTRY_INDEX check<br /> <br /> taprio_parse_tc_entry() is not correctly checking<br /> TCA_TAPRIO_TC_ENTRY_INDEX attribute:<br /> <br /> int tc; // Signed value<br /> <br /> tc = nla_get_u32(tb[TCA_TAPRIO_TC_ENTRY_INDEX]);<br /> if (tc &gt;= TC_QOPT_MAX_QUEUE) {<br /> NL_SET_ERR_MSG_MOD(extack, "TC entry index out of range");<br /> return -ERANGE;<br /> }<br /> <br /> syzbot reported that it could fed arbitary negative values:<br /> <br /> UBSAN: shift-out-of-bounds in net/sched/sch_taprio.c:1722:18<br /> shift exponent -2147418108 is negative<br /> CPU: 0 PID: 5066 Comm: syz-executor367 Not tainted 6.8.0-rc7-syzkaller-00136-gc8a5c731fd12 #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024<br /> Call Trace:<br /> <br /> __dump_stack lib/dump_stack.c:88 [inline]<br /> dump_stack_lvl+0x1e7/0x2e0 lib/dump_stack.c:106<br /> ubsan_epilogue lib/ubsan.c:217 [inline]<br /> __ubsan_handle_shift_out_of_bounds+0x3c7/0x420 lib/ubsan.c:386<br /> taprio_parse_tc_entry net/sched/sch_taprio.c:1722 [inline]<br /> taprio_parse_tc_entries net/sched/sch_taprio.c:1768 [inline]<br /> taprio_change+0xb87/0x57d0 net/sched/sch_taprio.c:1877<br /> taprio_init+0x9da/0xc80 net/sched/sch_taprio.c:2134<br /> qdisc_create+0x9d4/0x1190 net/sched/sch_api.c:1355<br /> tc_modify_qdisc+0xa26/0x1e40 net/sched/sch_api.c:1776<br /> rtnetlink_rcv_msg+0x885/0x1040 net/core/rtnetlink.c:6617<br /> netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543<br /> netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]<br /> netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367<br /> netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908<br /> sock_sendmsg_nosec net/socket.c:730 [inline]<br /> __sock_sendmsg+0x221/0x270 net/socket.c:745<br /> ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584<br /> ___sys_sendmsg net/socket.c:2638 [inline]<br /> __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667<br /> do_syscall_64+0xf9/0x240<br /> entry_SYSCALL_64_after_hwframe+0x6f/0x77<br /> RIP: 0033:0x7f1b2dea3759<br /> Code: 48 83 c4 28 c3 e8 d7 19 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48<br /> RSP: 002b:00007ffd4de452f8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e<br /> RAX: ffffffffffffffda RBX: 00007f1b2def0390 RCX: 00007f1b2dea3759<br /> RDX: 0000000000000000 RSI: 00000000200007c0 RDI: 0000000000000004<br /> RBP: 0000000000000003 R08: 0000555500000000 R09: 0000555500000000<br /> R10: 0000555500000000 R11: 0000000000000246 R12: 00007ffd4de45340<br /> R13: 00007ffd4de45310 R14: 0000000000000001 R15: 00007ffd4de45340