Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-20799

Publication date:
02/04/2024
Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Severity CVSS v4.0: Pending analysis
Last modification:
03/12/2024

CVE-2024-31002

Publication date:
02/04/2024
Buffer Overflow vulnerability in Bento4 Bento v.1.6.0-641 allows a remote attacker to execute arbitrary code via the AP4 BitReader::ReadCache() at Ap4Utils.cpp component.
Severity CVSS v4.0: Pending analysis
Last modification:
07/05/2025

CVE-2024-1300

Publication date:
02/04/2024
A vulnerability in the Eclipse Vert.x toolkit causes a memory leak in TCP servers configured with TLS and SNI support. When processing an unknown SNI server name assigned the default certificate instead of a mapped certificate, the SSL context is erroneously cached in the server name map, leading to memory exhaustion. This flaw allows attackers to send TLS client hello messages with fake server names, triggering a JVM out-of-memory error.
Severity CVSS v4.0: Pending analysis
Last modification:
25/11/2024

CVE-2024-2925

Publication date:
02/04/2024
The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Button Widget in all versions up to, and including, 2.8.0.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
08/01/2025

CVE-2024-2839

Publication date:
02/04/2024
The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'colibri_post_title' shortcode in all versions up to, and including, 1.0.263 due to insufficient input sanitization and output escaping on user supplied attributes such as 'heading_type'. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
28/01/2025

CVE-2024-28951

Publication date:
02/04/2024
OpenHarmony v4.0.0 and prior versions allow a local attacker to execute arbitrary code in pre-installed apps through a use after free.
Severity CVSS v4.0: Pending analysis
Last modification:
24/01/2025

CVE-2024-29074

Publication date:
02/04/2024
OpenHarmony v3.2.4 and prior versions allow a local attacker to execute arbitrary code in any apps through improper input.
Severity CVSS v4.0: Pending analysis
Last modification:
02/01/2025

CVE-2024-29086

Publication date:
02/04/2024
OpenHarmony v3.2.4 and prior versions allow a local attacker to cause a DoS through a stack overflow.
Severity CVSS v4.0: Pending analysis
Last modification:
02/01/2025

CVE-2024-29276

Publication date:
02/04/2024
An issue in seeyonOA version 8 allows remote attackers to execute arbitrary code via the importProcess method in the WorkFlowDesignerController.class component.
Severity CVSS v4.0: Pending analysis
Last modification:
20/08/2024

CVE-2024-26674

Publication date:
02/04/2024
In the Linux kernel, the following vulnerability has been resolved:
x86/lib: Revert to _ASM_EXTABLE_UA() for {get,put}_user() fixups
During memory error injection test on kernels >= v6.4, the kernel panics like below. However, this issue couldn't be reproduced on kernels
Severity CVSS v4.0: Pending analysis
Last modification:
17/03/2025

CVE-2024-26675

Publication date:
02/04/2024
In the Linux kernel, the following vulnerability has been resolved:
ppp_async: limit MRU to 64K
syzbot triggered a warning [1] in __alloc_pages():
WARN_ON_ONCE_GFP(order > MAX_PAGE_ORDER, gfp)
Willem fixed a similar issue in commit c0a2a1b0d631 ("ppp: limit MRU to 64K")
Adopt the same sanity check for ppp_async_ioctl(PPPIOCSMRU)
[1]:
WARNING: CPU: 1 PID: 11 at mm/page_alloc.c:4543 __alloc_pages+0x308/0x698 mm/page_alloc.c:4543
Modules linked in:
CPU: 1 PID: 11 Comm: kworker/u4:0 Not tainted 6.8.0-rc2-syzkaller-g41bccc98fb79 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Workqueue: events_unbound flush_to_ldisc
pstate: 204000c5 (nzCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : __alloc_pages+0x308/0x698 mm/page_alloc.c:4543
lr : __alloc_pages+0xc8/0x698 mm/page_alloc.c:4537
sp : ffff800093967580
x29: ffff800093967660 x28: ffff8000939675a0 x27: dfff800000000000
x26: ffff70001272ceb4 x25: 0000000000000000 x24: ffff8000939675c0
x23: 0000000000000000 x22: 0000000000060820 x21: 1ffff0001272ceb8
x20: ffff8000939675e0 x19: 0000000000000010 x18: ffff800093967120
x17: ffff800083bded5c x16: ffff80008ac97500 x15: 0000000000000005
x14: 1ffff0001272cebc x13: 0000000000000000 x12: 0000000000000000
x11: ffff70001272cec1 x10: 1ffff0001272cec0 x9 : 0000000000000001
x8 : ffff800091c91000 x7 : 0000000000000000 x6 : 000000000000003f
x5 : 00000000ffffffff x4 : 0000000000000000 x3 : 0000000000000020
x2 : 0000000000000008 x1 : 0000000000000000 x0 : ffff8000939675e0
Call trace:
__alloc_pages+0x308/0x698 mm/page_alloc.c:4543
__alloc_pages_node include/linux/gfp.h:238 [inline]
alloc_pages_node include/linux/gfp.h:261 [inline]
__kmalloc_large_node+0xbc/0x1fc mm/slub.c:3926
__do_kmalloc_node mm/slub.c:3969 [inline]
__kmalloc_node_track_caller+0x418/0x620 mm/slub.c:4001
kmalloc_reserve+0x17c/0x23c net/core/skbuff.c:590
__alloc_skb+0x1c8/0x3d8 net/core/skbuff.c:651
__netdev_alloc_skb+0xb8/0x3e8 net/core/skbuff.c:715
netdev_alloc_skb include/linux/skbuff.h:3235 [inline]
dev_alloc_skb include/linux/skbuff.h:3248 [inline]
ppp_async_input drivers/net/ppp/ppp_async.c:863 [inline]
ppp_asynctty_receive+0x588/0x186c drivers/net/ppp/ppp_async.c:341
tty_ldisc_receive_buf+0x12c/0x15c drivers/tty/tty_buffer.c:390
tty_port_default_receive_buf+0x74/0xac drivers/tty/tty_port.c:37
receive_buf drivers/tty/tty_buffer.c:444 [inline]
flush_to_ldisc+0x284/0x6e4 drivers/tty/tty_buffer.c:494
process_one_work+0x694/0x1204 kernel/workqueue.c:2633
process_scheduled_works kernel/workqueue.c:2706 [inline]
worker_thread+0x938/0xef4 kernel/workqueue.c:2787
kthread+0x288/0x310 kernel/kthread.c:388
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860
Severity CVSS v4.0: Pending analysis
Last modification:
17/03/2025

CVE-2024-26676

Publication date:
02/04/2024
In the Linux kernel, the following vulnerability has been resolved:
af_unix: Call kfree_skb() for dead unix_(sk)->oob_skb in GC.
syzbot reported a warning [0] in __unix_gc() with a repro, which creates a socketpair and sends one socket's fd to itself using the peer.
socketpair(AF_UNIX, SOCK_STREAM, 0, [3, 4]) = 0
sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\360", iov_len=1}],
msg_iovlen=1, msg_control=[{cmsg_len=20, cmsg_level=SOL_SOCKET,
cmsg_type=SCM_RIGHTS, cmsg_data=[3]}],
msg_controllen=24, msg_flags=0}, MSG_OOB|MSG_PROBE|MSG_DONTWAIT|MSG_ZEROCOPY) = 1
This forms a self-cyclic reference that GC should finally untangle but does not due to lack of MSG_OOB handling, resulting in memory leak.
Recently, commit 11498715f266 ("af_unix: Remove io_uring code for GC.") removed io_uring's dead code in GC and revealed the problem.
The code was executed at the final stage of GC and unconditionally moved all GC candidates from gc_candidates to gc_inflight_list. That papered over the reported problem by always making the following WARN_ON_ONCE(!list_empty(&gc_candidates)) false.
The problem has been there since commit 2aab4b969002 ("af_unix: fix struct pid leaks in OOB support") added full scm support for MSG_OOB while fixing another bug.
To fix this problem, we must call kfree_skb() for unix_sk(sk)->oob_skb if the socket still exists in gc_candidates after purging collected skb.
Then, we need to set NULL to oob_skb before calling kfree_skb() because it calls last fput() and triggers unix_release_sock(), where we call duplicate kfree_skb(u->oob_skb) if not NULL.
Note that the leaked socket remained being linked to a global list, so kmemleak also could not detect it. We need to check /proc/net/protocol to notice the unfreed socket.
[0]:
WARNING: CPU: 0 PID: 2863 at net/unix/garbage.c:345 __unix_gc+0xc74/0xe80 net/unix/garbage.c:345
Modules linked in:
CPU: 0 PID: 2863 Comm: kworker/u4:11 Not tainted 6.8.0-rc1-syzkaller-00583-g1701940b1a02 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
Workqueue: events_unbound __unix_gc
RIP: 0010:__unix_gc+0xc74/0xe80 net/unix/garbage.c:345
Code: 8b 5c 24 50 e9 86 f8 ff ff e8 f8 e4 22 f8 31 d2 48 c7 c6 30 6a 69 89 4c 89 ef e8 97 ef ff ff e9 80 f9 ff ff e8 dd e4 22 f8 90 0b 90 e9 7b fd ff ff 48 89 df e8 5c e7 7c f8 e9 d3 f8 ff ff e8
RSP: 0018:ffffc9000b03fba0 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffffc9000b03fc10 RCX: ffffffff816c493e
RDX: ffff88802c02d940 RSI: ffffffff896982f3 RDI: ffffc9000b03fb30
RBP: ffffc9000b03fce0 R08: 0000000000000001 R09: fffff52001607f66
R10: 0000000000000003 R11: 0000000000000002 R12: dffffc0000000000
R13: ffffc9000b03fc10 R14: ffffc9000b03fc10 R15: 0000000000000001
FS: 0000000000000000(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005559c8677a60 CR3: 000000000d57a000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
process_one_work+0x889/0x15e0 kernel/workqueue.c:2633
process_scheduled_works kernel/workqueue.c:2706 [inline]
worker_thread+0x8b9/0x12a0 kernel/workqueue.c:2787
kthread+0x2c6/0x3b0 kernel/kthread.c:388
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:242
Severity CVSS v4.0: Pending analysis
Last modification:
07/05/2025