Vulnerabilities

An issue discovered in Unisys Stealth 5.3.062.0 allows attackers to view sensitive information via the Enterprise ManagementInstaller_msi.log file.

Liferay Portal 7.2.0 through 7.3.5, and older unsupported versions, and Liferay DXP 7.3 before fix pack 1, 7.2 before fix pack 17, and older unsupported versions does not obfuscate password reminder answers on the page, which allows attackers to use man-in-the-middle or shoulder surfing attacks to steal user's password reminder answers.

Cross-Site Request Forgery (CSRF) vulnerability in the terms of use page in Liferay Portal before 7.3.6, and Liferay DXP 7.3 before service pack 1, 7.2 before fix pack 11 allows remote attackers to accept the site's terms of use via social engineering and enticing the user to visit a malicious page.

An access control issue in /usr/sbin/httpd in Tenda TX9 V1 V22.03.02.54, Tenda AX3 V3 V16.03.12.11, Tenda AX9 V1 V22.03.01.46, and Tenda AX12 V1 V22.03.01.46 allows attackers to bypass authentication on any endpoint via a crafted URL.

In wolfSSL prior to 5.6.6, if callback functions are enabled (via the WOLFSSL_CALLBACKS flag), then a malicious TLS client or network attacker can trigger a buffer over-read on the heap of 5 bytes (WOLFSSL_CALLBACKS is only intended for debugging).<br />

MantisBT is an open source issue tracker. Prior to version 2.26.1, an unauthenticated attacker who knows a user&amp;#39;s email address and username can hijack the user&amp;#39;s account by poisoning the link in the password reset notification message. A patch is available in version 2.26.1. As a workaround, define `$g_path` as appropriate in `config_inc.php`.

SQL Injection vulnerability in MRCMS v3.1.2 allows attackers to run arbitrary system commands via the status parameter.

kedi ElectronCord is a bot management tool for Discord. Commit aaaeaf4e6c99893827b2eea4dd02f755e1e24041 exposes an account access token in the `config.json` file. Malicious actors could potentially exploit this vulnerability to gain unauthorized access to sensitive information or perform malicious actions on behalf of the repository owner. As of time of publication, it is unknown whether the owner of the repository has rotated the token or taken other mitigation steps aside from informing users of the situation.

com.yetanalytics/lrs is the Yet Analytics Core LRS Library. Prior to version 1.2.17 of the LRS library and version 0.7.5 of SQL LRS, a maliciously crafted xAPI statement could be used to perform script or other tag injection in the LRS Statement Browser. The problem is patched in version 1.2.17 of the LRS library and version 0.7.5 of SQL LRS. No known workarounds exist.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> f2fs: explicitly null-terminate the xattr list<br /> <br /> When setting an xattr, explicitly null-terminate the xattr list. This<br /> eliminates the fragile assumption that the unused xattr space is always<br /> zeroed.

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> binder: fix use-after-free in shinker&amp;#39;s callback<br /> <br /> The mmap read lock is used during the shrinker&amp;#39;s callback, which means<br /> that using alloc-&gt;vma pointer isn&amp;#39;t safe as it can race with munmap().<br /> As of commit dd2283f2605e ("mm: mmap: zap pages with read mmap_sem in<br /> munmap") the mmap lock is downgraded after the vma has been isolated.<br /> <br /> I was able to reproduce this issue by manually adding some delays and<br /> triggering page reclaiming through the shrinker&amp;#39;s debug sysfs. The<br /> following KASAN report confirms the UAF:<br /> <br /> ==================================================================<br /> BUG: KASAN: slab-use-after-free in zap_page_range_single+0x470/0x4b8<br /> Read of size 8 at addr ffff356ed50e50f0 by task bash/478<br /> <br /> CPU: 1 PID: 478 Comm: bash Not tainted 6.6.0-rc5-00055-g1c8b86a3799f-dirty #70<br /> Hardware name: linux,dummy-virt (DT)<br /> Call trace:<br /> zap_page_range_single+0x470/0x4b8<br /> binder_alloc_free_page+0x608/0xadc<br /> __list_lru_walk_one+0x130/0x3b0<br /> list_lru_walk_node+0xc4/0x22c<br /> binder_shrink_scan+0x108/0x1dc<br /> shrinker_debugfs_scan_write+0x2b4/0x500<br /> full_proxy_write+0xd4/0x140<br /> vfs_write+0x1ac/0x758<br /> ksys_write+0xf0/0x1dc<br /> __arm64_sys_write+0x6c/0x9c<br /> <br /> Allocated by task 492:<br /> kmem_cache_alloc+0x130/0x368<br /> vm_area_alloc+0x2c/0x190<br /> mmap_region+0x258/0x18bc<br /> do_mmap+0x694/0xa60<br /> vm_mmap_pgoff+0x170/0x29c<br /> ksys_mmap_pgoff+0x290/0x3a0<br /> __arm64_sys_mmap+0xcc/0x144<br /> <br /> Freed by task 491:<br /> kmem_cache_free+0x17c/0x3c8<br /> vm_area_free_rcu_cb+0x74/0x98<br /> rcu_core+0xa38/0x26d4<br /> rcu_core_si+0x10/0x1c<br /> __do_softirq+0x2fc/0xd24<br /> <br /> Last potentially related work creation:<br /> __call_rcu_common.constprop.0+0x6c/0xba0<br /> call_rcu+0x10/0x1c<br /> vm_area_free+0x18/0x24<br /> remove_vma+0xe4/0x118<br /> do_vmi_align_munmap.isra.0+0x718/0xb5c<br /> do_vmi_munmap+0xdc/0x1fc<br /> __vm_munmap+0x10c/0x278<br /> __arm64_sys_munmap+0x58/0x7c<br /> <br /> Fix this issue by performing instead a vma_lookup() which will fail to<br /> find the vma that was isolated before the mmap lock downgrade. Note that<br /> this option has better performance than upgrading to a mmap write lock<br /> which would increase contention. Plus, mmap_write_trylock() has been<br /> recently removed anyway.