Use-after-free vulnerability in Mozilla Firefox 142 and 143 enables compromised renderer processes to trigger memory corruption in the GPU or browser process via malicious WebGPU IPC calls, potentially achieving sandbox escape. Affecting Firefox versions 142.0 through 144.0.1, this CWE-416 flaw carries CVSS 9.8 despite low real-world exploitation probability (EPSS 0.06%, 18th percentile). No public exploit identified at time of analysis. Patched in Firefox 144.0.2 released January 2025.
A security flaw has been discovered in code-projects Simple Food Ordering System 1.0. This issue affects some unknown processing of the file /addproduct.php. Performing manipulation of the argument photo results in unrestricted upload. The attack may be initiated remotely. The exploit has been released to the public and may be exploited.
A security vulnerability has been detected in Campcodes Retro Basketball Shoes Online Store 1.0. This issue affects some unknown processing of the file /admin/admin_football.php. The manipulation of the argument pid leads to sql injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used.
A weakness has been identified in Campcodes Retro Basketball Shoes Online Store 1.0. This vulnerability affects unknown code of the file /admin/admin_product.ph. Executing a manipulation of the argument pid can lead to sql injection. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks.
A security flaw has been discovered in Campcodes Retro Basketball Shoes Online Store 1.0. This affects an unknown part of the file /admin/admin_feature.php. Performing a manipulation of the argument pid results in sql injection. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks.
A vulnerability was identified in Campcodes Retro Basketball Shoes Online Store 1.0. Affected by this issue is some unknown functionality of the file /admin/admin_index.php. Such manipulation of the argument Username leads to sql injection. The attack can be launched remotely. The exploit is publicly available and might be used.
Remote code execution in alexusmai laravel-file-manager (versions 3.3.1 and earlier) lets an authenticated user with file-manager access run arbitrary PHP on the server by uploading a PHP payload disguised with a .png extension, then abusing the rename API to give it a .php extension so it executes when requested via a public URL. The flaw stems from client-side-only upload validation combined with an unrestricted rename operation and web-accessible storage. No CISA KEV listing; EPSS is a modest 0.55% (42nd percentile), but a dedicated GitHub repository referencing this CVE indicates public proof-of-concept material likely exists.
Denial of service in Prevx 3.0.5.220 lets a local attacker terminate protected processes by sending IOCTL code 0x22E044 to the pxscan.sys kernel driver, which force-kills every process enumerated under the HKLM\System\CurrentControlSet\Services\pxscan\Files registry key. A GitHub repository named for the CVE indicates publicly available exploit code exists, though the vulnerability is not in CISA KEV and carries a low EPSS score of 0.34% (26th percentile). Prevx is a long-retired anti-malware product (absorbed into Webroot circa 2011), so real-world exposure is minimal.
Information disclosure in BESSystem (Baolande) BES Application Server through version 9.5.x lets remote unauthenticated attackers retrieve sensitive data by abusing the "pre-resource" option in the bes-web.xml deployment descriptor. The flaw exposes protected resources or configuration content over the network with no authentication (CVSS 7.5, C:H). No public exploit identified at time of analysis, though a third-party gist referencing the issue is linked in NVD; EPSS is low at 0.34% (26th percentile).
Link following vulnerability in AntiDupl.NET.WinForms.exe (versions through 2.3.12) allows local authenticated users to manipulate file operations during duplicate image deletion, potentially achieving unauthorized file access or modification with elevated integrity. Proof-of-concept exploit code exists (CVSS E:P). The vendor (ermig1979) was notified but has not responded, leaving users without an official patch.
MaxSite CMS up to version 109 contains an improper access control vulnerability in the file editor plugin that allows authenticated remote attackers to upload arbitrary files by manipulating the file_path and content parameters in save-file-ajax.php. Publicly available exploit code exists for this vulnerability, and the vendor has not responded to early disclosure attempts, leaving affected installations unpatched.
MaxSite CMS up to version 109 contains an unrestricted file upload vulnerability in the auto_post plugin's upload handler that allows authenticated remote attackers to bypass file upload restrictions by manipulating HTTP headers (X-Requested-FileName and X-Requested-FileUpDir). Public exploit code is available, though EPSS score (0.05%) suggests limited real-world exploitation despite the publicly disclosed proof-of-concept.
Stored cross-site scripting (XSS) in code-projects E-Commerce Website 1.0 allows remote attackers to inject malicious scripts via the supp_name or supp_address parameters in /pages/supplier_update.php. Exploitation requires user interaction (clicking a malicious link) but no authentication. Publicly available exploit code exists; real-world exploitation risk is low (EPSS 0.04%, CVSS 2.1) due to limited scope and required user interaction, but the vulnerability is disclosed and weaponizable.
Stored cross-site scripting (XSS) vulnerability in SourceCodester Student Grades Management System 1.0 allows authenticated administrators with high privileges to inject malicious scripts via the delete_user function in /admin.php, which execute in the context of other users' browsers when they interact with affected content. The vulnerability requires user interaction and administrative privileges to exploit, resulting in low integrity impact with a CVSS score of 1.9. Publicly available exploit code exists, though the very low EPSS score (0.05%, 14th percentile) suggests limited real-world exploitation despite POC availability.
A flaw has been found in Serdar Bayram Ghost Hot Spot up to 20251014. The affected element is an unknown function of the file /Auth.php of the component Login. This manipulation causes sql injection. The attack is possible to be carried out remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
A flaw was found in Red Hat Openshift AI Service. The TrustyAI component is granting all service accounts and users on a cluster permissions to get, list, watch any pod in any namespace on the cluster. TrustyAI is creating a role `trustyai-service-operator-lmeval-user-role` and a CRB `trustyai-service-operator-default-lmeval-user-rolebinding` which is being applied to `system:authenticated` making it so that every single user or service account can get a list of pods running in any namespace on the cluster Additionally users can access all `persistentvolumeclaims` and `lmevaljobs`
Yonyou U8 Cloud versions up to 5.1sp allow authenticated remote attackers to bypass file upload restrictions via manipulation of the ts and sign parameters in the /service/NCloudGatewayServlet endpoint, enabling unrestricted file uploads. The vulnerability affects the Request Header Handler component and has been publicly disclosed with exploit code available, though the vendor has not responded to early notification.
In the Linux kernel, the following vulnerability has been resolved: nbd: restrict sockets to TCP and UDP Recently, syzbot started to abuse NBD with all kinds of sockets. Commit cf1b2326b734 ("nbd: verify socket is supported during setup") made sure the socket supported a shutdown() method. Explicitely accept TCP and UNIX stream sockets.
In the Linux kernel, the following vulnerability has been resolved: bpf: Explicitly check accesses to bpf_sock_addr Syzkaller found a kernel warning on the following sock_addr program: 0: r0 = 0 1: r2 = *(u32 *)(r1 +60) 2: exit which triggers: verifier bug: error during ctx access conversion (0) This is happening because offset 60 in bpf_sock_addr corresponds to an implicit padding of 4 bytes, right after msg_src_ip4. Access to this padding isn't rejected in sock_addr_is_valid_access and it thus later fails to convert the access. This patch fixes it by explicitly checking the various fields of bpf_sock_addr in sock_addr_is_valid_access. I checked the other ctx structures and is_valid_access functions and didn't find any other similar cases. Other cases of (properly handled) padding are covered in new tests in a subsequent patch.
In the Linux kernel, the following vulnerability has been resolved: pps: fix warning in pps_register_cdev when register device fail Similar to previous commit 2a934fdb01db ("media: v4l2-dev: fix error handling in __video_register_device()"), the release hook should be set before device_register(). Otherwise, when device_register() return error and put_device() try to callback the release function, the below warning may happen. ------------[ cut here ]------------ WARNING: CPU: 1 PID: 4760 at drivers/base/core.c:2567 device_release+0x1bd/0x240 drivers/base/core.c:2567 Modules linked in: CPU: 1 UID: 0 PID: 4760 Comm: syz.4.914 Not tainted 6.17.0-rc3+ #1 NONE RIP: 0010:device_release+0x1bd/0x240 drivers/base/core.c:2567 Call Trace: <TASK> kobject_cleanup+0x136/0x410 lib/kobject.c:689 kobject_release lib/kobject.c:720 [inline] kref_put include/linux/kref.h:65 [inline] kobject_put+0xe9/0x130 lib/kobject.c:737 put_device+0x24/0x30 drivers/base/core.c:3797 pps_register_cdev+0x2da/0x370 drivers/pps/pps.c:402 pps_register_source+0x2f6/0x480 drivers/pps/kapi.c:108 pps_tty_open+0x190/0x310 drivers/pps/clients/pps-ldisc.c:57 tty_ldisc_open+0xa7/0x120 drivers/tty/tty_ldisc.c:432 tty_set_ldisc+0x333/0x780 drivers/tty/tty_ldisc.c:563 tiocsetd drivers/tty/tty_io.c:2429 [inline] tty_ioctl+0x5d1/0x1700 drivers/tty/tty_io.c:2728 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:598 [inline] __se_sys_ioctl fs/ioctl.c:584 [inline] __x64_sys_ioctl+0x194/0x210 fs/ioctl.c:584 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x5f/0x2a0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x76/0x7e </TASK> Before commit c79a39dc8d06 ("pps: Fix a use-after-free"), pps_register_cdev() call device_create() to create pps->dev, which will init dev->release to device_create_release(). Now the comment is outdated, just remove it. Thanks for the reminder from Calvin Owens, 'kfree_pps' should be removed in pps_register_source() to avoid a double free in the failure case.