Vulnerabilidades

*** Pendiente de traducción *** Use of Hard-coded Credentials vulnerability in Utarit Informatics Services Inc. SoliClub allows Authentication Abuse.This issue affects SoliClub: before 5.3.7.

*** Pendiente de traducción *** Zohocorp ManageEngine Applications Manager versions 177400 and below are vulnerable to Stored Cross-Site Scripting vulnerability in the NOC view.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: typec: ucsi: fix use-after-free caused by uec-&gt;work<br /> <br /> The delayed work uec-&gt;work is scheduled in gaokun_ucsi_probe()<br /> but never properly canceled in gaokun_ucsi_remove(). This creates<br /> use-after-free scenarios where the ucsi and gaokun_ucsi structure<br /> are freed after ucsi_destroy() completes execution, while the<br /> gaokun_ucsi_register_worker() might be either currently executing<br /> or still pending in the work queue. The already-freed gaokun_ucsi<br /> or ucsi structure may then be accessed.<br /> <br /> Furthermore, the race window is 3 seconds, which is sufficiently<br /> long to make this bug easily reproducible. The following is the<br /> trace captured by KASAN:<br /> <br /> ==================================================================<br /> BUG: KASAN: slab-use-after-free in __run_timers+0x5ec/0x630<br /> Write of size 8 at addr ffff00000ec28cc8 by task swapper/0/0<br /> ...<br /> Call trace:<br /> show_stack+0x18/0x24 (C)<br /> dump_stack_lvl+0x78/0x90<br /> print_report+0x114/0x580<br /> kasan_report+0xa4/0xf0<br /> __asan_report_store8_noabort+0x20/0x2c<br /> __run_timers+0x5ec/0x630<br /> run_timer_softirq+0xe8/0x1cc<br /> handle_softirqs+0x294/0x720<br /> __do_softirq+0x14/0x20<br /> ____do_softirq+0x10/0x1c<br /> call_on_irq_stack+0x30/0x48<br /> do_softirq_own_stack+0x1c/0x28<br /> __irq_exit_rcu+0x27c/0x364<br /> irq_exit_rcu+0x10/0x1c<br /> el1_interrupt+0x40/0x60<br /> el1h_64_irq_handler+0x18/0x24<br /> el1h_64_irq+0x6c/0x70<br /> arch_local_irq_enable+0x4/0x8 (P)<br /> do_idle+0x334/0x458<br /> cpu_startup_entry+0x60/0x70<br /> rest_init+0x158/0x174<br /> start_kernel+0x2f8/0x394<br /> __primary_switched+0x8c/0x94<br /> <br /> Allocated by task 72 on cpu 0 at 27.510341s:<br /> kasan_save_stack+0x2c/0x54<br /> kasan_save_track+0x24/0x5c<br /> kasan_save_alloc_info+0x40/0x54<br /> __kasan_kmalloc+0xa0/0xb8<br /> __kmalloc_node_track_caller_noprof+0x1c0/0x588<br /> devm_kmalloc+0x7c/0x1c8<br /> gaokun_ucsi_probe+0xa0/0x840 auxiliary_bus_probe+0x94/0xf8<br /> really_probe+0x17c/0x5b8<br /> __driver_probe_device+0x158/0x2c4<br /> driver_probe_device+0x10c/0x264<br /> __device_attach_driver+0x168/0x2d0<br /> bus_for_each_drv+0x100/0x188<br /> __device_attach+0x174/0x368<br /> device_initial_probe+0x14/0x20<br /> bus_probe_device+0x120/0x150<br /> device_add+0xb3c/0x10fc<br /> __auxiliary_device_add+0x88/0x130<br /> ...<br /> <br /> Freed by task 73 on cpu 1 at 28.910627s:<br /> kasan_save_stack+0x2c/0x54<br /> kasan_save_track+0x24/0x5c<br /> __kasan_save_free_info+0x4c/0x74<br /> __kasan_slab_free+0x60/0x8c<br /> kfree+0xd4/0x410<br /> devres_release_all+0x140/0x1f0<br /> device_unbind_cleanup+0x20/0x190<br /> device_release_driver_internal+0x344/0x460<br /> device_release_driver+0x18/0x24<br /> bus_remove_device+0x198/0x274<br /> device_del+0x310/0xa84<br /> ...<br /> <br /> The buggy address belongs to the object at ffff00000ec28c00<br /> which belongs to the cache kmalloc-512 of size 512<br /> The buggy address is located 200 bytes inside of<br /> freed 512-byte region<br /> The buggy address belongs to the physical page:<br /> page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4ec28<br /> head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0<br /> flags: 0x3fffe0000000040(head|node=0|zone=0|lastcpupid=0x1ffff)<br /> page_type: f5(slab)<br /> raw: 03fffe0000000040 ffff000008801c80 dead000000000122 0000000000000000<br /> raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000<br /> head: 03fffe0000000040 ffff000008801c80 dead000000000122 0000000000000000<br /> head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000<br /> head: 03fffe0000000002 fffffdffc03b0a01 00000000ffffffff 00000000ffffffff<br /> head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004<br /> page dumped because: kasan: bad access detected<br /> <br /> Memory state around the buggy address:<br /> ffff00000ec28b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc<br /> ffff00000ec28c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb<br /> &gt;ffff00000ec28c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb<br /> ^<br /> ffff00000ec28d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb<br /> ffff00000ec28d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb<br /> ================================================================<br /> ---truncated---

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: imm: Fix use-after-free bug caused by unfinished delayed work<br /> <br /> The delayed work item &amp;#39;imm_tq&amp;#39; is initialized in imm_attach() and<br /> scheduled via imm_queuecommand() for processing SCSI commands. When the<br /> IMM parallel port SCSI host adapter is detached through imm_detach(),<br /> the imm_struct device instance is deallocated.<br /> <br /> However, the delayed work might still be pending or executing<br /> when imm_detach() is called, leading to use-after-free bugs<br /> when the work function imm_interrupt() accesses the already<br /> freed imm_struct memory.<br /> <br /> The race condition can occur as follows:<br /> <br /> CPU 0(detach thread) | CPU 1<br /> | imm_queuecommand()<br /> | imm_queuecommand_lck()<br /> imm_detach() | schedule_delayed_work()<br /> kfree(dev) //FREE | imm_interrupt()<br /> | dev = container_of(...) //USE<br /> dev-&gt; //USE<br /> <br /> Add disable_delayed_work_sync() in imm_detach() to guarantee proper<br /> cancellation of the delayed work item before imm_struct is deallocated.

*** Pendiente de traducción *** Missing Authorization vulnerability in Utarit Informatics Services Inc. SoliClub allows Privilege Abuse.This issue affects SoliClub: before 5.3.7.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/sched: sch_cake: Fix incorrect qlen reduction in cake_drop<br /> <br /> In cake_drop(), qdisc_tree_reduce_backlog() is used to update the qlen<br /> and backlog of the qdisc hierarchy. Its caller, cake_enqueue(), assumes<br /> that the parent qdisc will enqueue the current packet. However, this<br /> assumption breaks when cake_enqueue() returns NET_XMIT_CN: the parent<br /> qdisc stops enqueuing current packet, leaving the tree qlen/backlog<br /> accounting inconsistent. This mismatch can lead to a NULL dereference<br /> (e.g., when the parent Qdisc is qfq_qdisc).<br /> <br /> This patch computes the qlen/backlog delta in a more robust way by<br /> observing the difference before and after the series of cake_drop()<br /> calls, and then compensates the qdisc tree accounting if cake_enqueue()<br /> returns NET_XMIT_CN.<br /> <br /> To ensure correct compensation when ACK thinning is enabled, a new<br /> variable is introduced to keep qlen unchanged.

*** Pendiente de traducción *** WODESYS WD-R608U router (also known as WDR122B V2.0 and WDR28) is vulnerable to Broken Access Control in initial configuration wizard.cgi endpoint. Malicious attacker can change admin panel password without authorization. The vulnerability can also be exploited after the initial configuration has been set.<br /> <br /> The vendor was notified early about this vulnerability, but didn&amp;#39;t respond with the details of vulnerability or vulnerable version range. Only version WDR28081123OV1.01 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.

*** Pendiente de traducción *** In WODESYS WD-R608U router (also known as WDR122B V2.0 and WDR28) an unauthorised user can view configuration files by directly referencing the resource in question.<br /> <br /> The vendor was notified early about this vulnerability, but didn&amp;#39;t respond with the details of vulnerability or vulnerable version range. Only version WDR28081123OV1.01 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.

*** Pendiente de traducción *** In WODESYS WD-R608U router (also known as WDR122B V2.0 and WDR28) due to lack of authentication in the configuration change module in the adm.cgi endpoint, the unauthenticated attacker can execute commands including backup creation, device restart and resetting the device to factory settings.<br /> <br /> The vendor was notified early about this vulnerability, but didn&amp;#39;t respond with the details of vulnerability or vulnerable version range. Only version WDR28081123OV1.01 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.

*** Pendiente de traducción *** In WODESYS WD-R608U router (also known as WDR122B V2.0 and WDR28) due to lack of validation in the langGet parameter in the adm.cgi endpoint, the malicious attacker can execute system shell commands.<br /> <br /> The vendor was notified early about this vulnerability, but didn&amp;#39;t respond with the details of vulnerability or vulnerable version range. Only version WDR28081123OV1.01 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.

*** Pendiente de traducción *** In WODESYS WD-R608U router (also known as WDR122B V2.0 and WDR28) admin password is stored in configuration file as plaintext and can be obtained by unauthorized user by direct references to the resource in question.<br /> <br /> The vendor was notified early about this vulnerability, but didn&amp;#39;t respond with the details of vulnerability or vulnerable version range. Only version WDR28081123OV1.01 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.

*** Pendiente de traducción *** There is a stack-based buffer overflow vulnerability in NI LabVIEW in LVResFile::FindRsrcListEntry() when parsing a corrupted VI file. This vulnerability may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted VI. This vulnerability affects NI LabVIEW 2025 Q3 (25.3) and prior versions.