Vulnerabilidades

*** Pendiente de traducción *** SIM-PKH 2.4.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send GET requests to /admin/media.php with module=pengurus and act=editpengurus parameters containing SQL UNION statements to extract database information including usernames, database names, and version details.

*** Pendiente de traducción *** MGB OpenSource Guestbook 0.7.0.2 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send GET requests to email.php with crafted SQL payloads in the 'id' parameter to extract sensitive database information including table and column names.

*** Pendiente de traducción *** Delta Sql 1.8.2 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by sending POST requests to docs_upload.php with crafted multipart form data. Attackers can upload PHP files with arbitrary content to the upload directory and execute them on the server for remote code execution.

*** Pendiente de traducción *** eNdonesia Portal 8.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through parameters in mod.php. Attackers can inject SQL through the artid, cid, did, contid, and aboutid parameters across publisher, diskusi, galeri, content, and about modules to extract database credentials, usernames, and version information.

*** Pendiente de traducción *** eNdonesia Portal 8.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through parameters in mod.php. Attackers can inject SQL through the artid, cid, did, contid, and aboutid parameters to extract sensitive database information including usernames, database names, and version details.

*** Pendiente de traducción *** A vulnerability was detected in TRENDnet TEW-432BRP 3.10B20. The affected element is the function formSetFirewallRule of the file /goform/formSetFirewallRule. The manipulation of the argument firewall_name results in stack-based buffer overflow. The attack can be executed remotely. The exploit is now public and may be used. The vendor explains: "This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities." This vulnerability only affects products that are no longer supported by the maintainer.

*** Pendiente de traducción *** A security vulnerability has been detected in TRENDnet TEW-432BRP 3.10B20. Impacted is the function formSetMACFilter of the file /goform/formSetMACFilter. The manipulation of the argument filter_name leads to stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The vendor explains: "This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities." This vulnerability only affects products that are no longer supported by the maintainer.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> eventpoll: fix ep_remove struct eventpoll / struct file UAF<br /> <br /> ep_remove() (via ep_remove_file()) cleared file-&gt;f_ep under<br /> file-&gt;f_lock but then kept using @file inside the critical section<br /> (is_file_epoll(), hlist_del_rcu() through the head, spin_unlock).<br /> A concurrent __fput() taking the eventpoll_release() fastpath in<br /> that window observed the transient NULL, skipped<br /> eventpoll_release_file() and ran to f_op-&gt;release / file_free().<br /> <br /> For the epoll-watches-epoll case, f_op-&gt;release is<br /> ep_eventpoll_release() -&gt; ep_clear_and_put() -&gt; ep_free(), which<br /> kfree()s the watched struct eventpoll. Its embedded -&gt;refs<br /> hlist_head is exactly where epi-&gt;fllink.pprev points, so the<br /> subsequent hlist_del_rcu()&amp;#39;s "*pprev = next" scribbles into freed<br /> kmalloc-192 memory.<br /> <br /> In addition, struct file is SLAB_TYPESAFE_BY_RCU, so the slot<br /> backing @file could be recycled by alloc_empty_file() --<br /> reinitializing f_lock and f_ep -- while ep_remove() is still<br /> nominally inside that lock. The upshot is an attacker-controllable<br /> kmem_cache_free() against the wrong slab cache.<br /> <br /> Pin @file via epi_fget() at the top of ep_remove() and gate the<br /> critical section on the pin succeeding. With the pin held @file<br /> cannot reach refcount zero, which holds __fput() off and<br /> transitively keeps the watched struct eventpoll alive across the<br /> hlist_del_rcu() and the f_lock use, closing both UAFs.<br /> <br /> If the pin fails @file has already reached refcount zero and its<br /> __fput() is in flight. Because we bailed before clearing f_ep,<br /> that path takes the eventpoll_release() slow path into<br /> eventpoll_release_file() and blocks on ep-&gt;mtx until the waiter<br /> side&amp;#39;s ep_clear_and_put() drops it. The bailed epi&amp;#39;s share of<br /> ep-&gt;refcount stays intact, so the trailing ep_refcount_dec_and_test()<br /> in ep_clear_and_put() cannot free the eventpoll out from under<br /> eventpoll_release_file(); the orphaned epi is then cleaned up<br /> there.<br /> <br /> A successful pin also proves we are not racing<br /> eventpoll_release_file() on this epi, so drop the now-redundant<br /> re-check of epi-&gt;dying under f_lock. The cheap lockless<br /> READ_ONCE(epi-&gt;dying) fast-path bailout stays.

*** Pendiente de traducción *** A weakness has been identified in Open5GS up to 2.7.7. This issue affects the function ogs_pool_id_calloc in the library /lib/sbi/nghttp2-server.c. Executing a manipulation can lead to denial of service. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. It is best practice to apply a patch to resolve this issue.

*** Pendiente de traducción *** A security flaw has been discovered in Open5GS up to 2.7.7. This vulnerability affects the function ogs_sbi_xact_add in the library /lib/core/ogs-timer.c of the component ue-authentications Endpoint. Performing a manipulation results in denial of service. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. Applying a patch is the recommended action to fix this issue.

*** Pendiente de traducción *** A vulnerability was determined in Open5GS up to 2.7.7. Affected by this issue is the function handle_scp_info in the library lib/sbi/nnrf-handler.c of the component Shared NF-profile Parser. This manipulation causes out-of-bounds write. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. To fix this issue, it is recommended to deploy a patch.

*** Pendiente de traducción *** A vulnerability was identified in Open5GS up to 2.7.7. This affects an unknown part in the library lib/sbi/nnrf-handler.c of the component Shared NF-profile Parser. Such manipulation leads to denial of service. The attack can be launched remotely. The exploit is publicly available and might be used. It is advisable to implement a patch to correct this issue.