Vulnerabilidades

*** Pendiente de traducción *** A vulnerability in VideoPlayer2 subtitle cgi allows remote authenticated users to read .srt files.

*** Pendiente de traducción *** A vulnerability in FileStation file cgi allows remote authenticated users to read file metadata and path information.

*** Pendiente de traducción *** A vulnerability in FileStation thumb cgi allows remote authenticated users to read/write image files.

*** Pendiente de traducción *** A vulnerability was detected in dayrui XunRuiCMS up to 4.7.1. This affects an unknown part of the file /admin79f2ec220c7e.php?c=api&m=demo&name=mobile of the component Domain Name Binding Page. The manipulation results in cross site scripting. The attack may be performed from remote. A high complexity level is associated with this attack. It is indicated that the exploitability is difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

*** Pendiente de traducción *** A security vulnerability has been detected in dayrui XunRuiCMS up to 4.7.1. Affected by this issue is some unknown functionality of the file /admind45f74adbd95.php?c=field&m=add&rname=site&rid=1&page=1 of the component Add Data Validation Page. The manipulation of the argument data[name] leads to cross site scripting. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

*** Pendiente de traducción *** Improper control of dynamically-managed code resources vulnerability in WebAPI component in Synology DiskStation Manager (DSM) before 7.1.1-42962-8 and 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote authenticated users to obtain privileges without consent via unspecified vectors.

*** Pendiente de traducción *** Out-of-bounds write vulnerability in cgi components in Synology DiskStation Manager (DSM) before 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote attackers to conduct denial-of-service attacks via unspecified vectors.

*** Pendiente de traducción *** Cross-Site Request Forgery (CSRF) vulnerability in WebAPI Framework in Synology DiskStation Manager (DSM) before 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote attackers to execute arbitrary code via unspecified vectors.

Se ha descubierto una vulnerabilidad de seguridad en dayrui XunRuiCMS hasta la versión 4.7.1. Afecta a una función desconocida del archivo /admind45f74adbd95.php?c=email&m=add del componente Email Setting Handler. Realizar una manipulación resulta en falsificación de petición del lado del servidor. La explotación remota del ataque es posible. El exploit ha sido publicado y puede ser explotado. Se contactó con el proveedor con antelación sobre esta divulgación, pero no respondió de ninguna manera.

Se ha identificado una vulnerabilidad en dayrui XunRuiCMS hasta la versión 4.7.1. Afectada por esta vulnerabilidad es una funcionalidad desconocida del archivo /admind45f74adbd95.php?c=field&m=add&rname=site&rid=1&page=0 del componente 'Add Display Name Field'. La manipulación del argumento data[name] puede llevar a cross-site scripting. El ataque puede ejecutarse de forma remota. El exploit se ha puesto a disposición del público y podría ser explotado. El proveedor fue contactado con antelación sobre esta divulgación, pero no respondió de ninguna manera.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> af_unix: Initialise scc_index in unix_add_edge().<br /> <br /> Quang Le reported that the AF_UNIX GC could garbage-collect a<br /> receive queue of an alive in-flight socket, with a nice repro.<br /> <br /> The repro consists of three stages.<br /> <br /> 1)<br /> 1-a. Create a single cyclic reference with many sockets<br /> 1-b. close() all sockets<br /> 1-c. Trigger GC<br /> <br /> 2)<br /> 2-a. Pass sk-A to an embryo sk-B<br /> 2-b. Pass sk-X to sk-X<br /> 2-c. Trigger GC<br /> <br /> 3)<br /> 3-a. accept() the embryo sk-B<br /> 3-b. Pass sk-B to sk-C<br /> 3-c. close() the in-flight sk-A<br /> 3-d. Trigger GC<br /> <br /> As of 2-c, sk-A and sk-X are linked to unix_unvisited_vertices,<br /> and unix_walk_scc() groups them into two different SCCs:<br /> <br /> unix_sk(sk-A)-&gt;vertex-&gt;scc_index = 2 (UNIX_VERTEX_INDEX_START)<br /> unix_sk(sk-X)-&gt;vertex-&gt;scc_index = 3<br /> <br /> Once GC completes, unix_graph_grouped is set to true.<br /> Also, unix_graph_maybe_cyclic is set to true due to sk-X&amp;#39;s<br /> cyclic self-reference, which makes close() trigger GC.<br /> <br /> At 3-b, unix_add_edge() allocates unix_sk(sk-B)-&gt;vertex and<br /> links it to unix_unvisited_vertices.<br /> <br /> unix_update_graph() is called at 3-a. and 3-b., but neither<br /> unix_graph_grouped nor unix_graph_maybe_cyclic is changed<br /> because both sk-B&amp;#39;s listener and sk-C are not in-flight.<br /> <br /> 3-c decrements sk-A&amp;#39;s file refcnt to 1.<br /> <br /> Since unix_graph_grouped is true at 3-d, unix_walk_scc_fast()<br /> is finally called and iterates 3 sockets sk-A, sk-B, and sk-X:<br /> <br /> sk-A -&gt; sk-B (-&gt; sk-C)<br /> sk-X -&gt; sk-X<br /> <br /> This is totally fine. All of them are not yet close()d and<br /> should be grouped into different SCCs.<br /> <br /> However, unix_vertex_dead() misjudges that sk-A and sk-B are<br /> in the same SCC and sk-A is dead.<br /> <br /> unix_sk(sk-A)-&gt;scc_index == unix_sk(sk-B)-&gt;scc_index vertex-&gt;out_degree<br /> ^-- 1 in-flight count for sk-B<br /> -&gt; sk-A is dead !?<br /> <br /> The problem is that unix_add_edge() does not initialise scc_index.<br /> <br /> Stage 1) is used for heap spraying, making a newly allocated<br /> vertex have vertex-&gt;scc_index == 2 (UNIX_VERTEX_INDEX_START)<br /> set by unix_walk_scc() at 1-c.<br /> <br /> Let&amp;#39;s track the max SCC index from the previous unix_walk_scc()<br /> call and assign the max + 1 to a new vertex&amp;#39;s scc_index.<br /> <br /> This way, we can continue to avoid Tarjan&amp;#39;s algorithm while<br /> preventing misjudgments.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> xfrm: delete x-&gt;tunnel as we delete x<br /> <br /> The ipcomp fallback tunnels currently get deleted (from the various<br /> lists and hashtables) as the last user state that needed that fallback<br /> is destroyed (not deleted). If a reference to that user state still<br /> exists, the fallback state will remain on the hashtables/lists,<br /> triggering the WARN in xfrm_state_fini. Because of those remaining<br /> references, the fix in commit f75a2804da39 ("xfrm: destroy xfrm_state<br /> synchronously on net exit path") is not complete.<br /> <br /> We recently fixed one such situation in TCP due to defered freeing of<br /> skbs (commit 9b6412e6979f ("tcp: drop secpath at the same time as we<br /> currently drop dst")). This can also happen due to IP reassembly: skbs<br /> with a secpath remain on the reassembly queue until netns<br /> destruction. If we can&amp;#39;t guarantee that the queues are flushed by the<br /> time xfrm_state_fini runs, there may still be references to a (user)<br /> xfrm_state, preventing the timely deletion of the corresponding<br /> fallback state.<br /> <br /> Instead of chasing each instance of skbs holding a secpath one by one,<br /> this patch fixes the issue directly within xfrm, by deleting the<br /> fallback state as soon as the last user state depending on it has been<br /> deleted. Destruction will still happen when the final reference is<br /> dropped.<br /> <br /> A separate lockdep class for the fallback state is required since<br /> we&amp;#39;re going to lock x-&gt;tunnel while x is locked.