In the Linux kernel, the following vulnerability has been resolved: mm/slub: reset KASAN tag in defer_free() before accessing freed memory When CONFIG_SLUB_TINY is enabled, kfree_nolock() calls kasan_slab_free() before defer_free().
In the Linux kernel, the following vulnerability has been resolved: clk: samsung: exynos-clkout: Assign .num before accessing .hws Commit f316cdff8d67 ("clk: Annotate struct clk_hw_onecell_data with __counted_by") annotated the hws member of 'struct clk_hw_onecell_data' with __counted_by, which informs the bounds sanitizer (UBSAN_BOUNDS) about the number of elements in .hws[], so that it can warn when .hws[] is accessed out of bounds.
In the Linux kernel, the following vulnerability has been resolved: iommufd/selftest: Check for overflow in IOMMU_TEST_OP_ADD_RESERVED syzkaller found it could overflow math in the test infrastructure and cause a WARN_ON by corrupting the reserved interval tree.
Thinkplus Fu100 Firmware versions up to - is affected by authentication bypass by spoofing (CVSS 7.8).
The drivers in the tool packages use RTL_QUERY_REGISTRY_DIRECT flag to read a registry value to which an untrusted user-mode application may be able to cause a buffer overflow. [CVSS 7.8 HIGH]
The drivers in the tool packages use RTL_QUERY_REGISTRY_DIRECT flag to read a registry value to which an untrusted user-mode application may be able to cause a buffer overflow. [CVSS 7.8 HIGH]
The drivers in the tool packages use RTL_QUERY_REGISTRY_DIRECT flag to read a registry value to which an untrusted user-mode application may be able to cause a buffer overflow. [CVSS 7.8 HIGH]
Double free vulnerability in the multi-mode input module. Impact: Successful exploitation of this vulnerability may affect the input function. [CVSS 7.8 HIGH]
The drivers in the tool packages use RTL_QUERY_REGISTRY_DIRECT flag to read a registry value to which an untrusted user-mode application may be able to cause a buffer overflow. [CVSS 7.8 HIGH]
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.10 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated user to execute stored cross-site scripting through improper input validation in the Kubernetes proxy functionality. [CVSS 7.7 HIGH]
Outray versions up to 0.1.5 contains a vulnerability that allows attackers to exceed the set number of active tunnels in their subscription plan (CVSS 3.7).
The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to blind SQL Injection via the `order` and `append_where_sql` parameters in all versions up to, and including, 1.6.9.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. [CVSS 7.5 HIGH]
The Shipping Rate By Cities plugin for WordPress is vulnerable to SQL Injection via the 'city' parameter in all versions up to, and including, 2.0.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. [CVSS 7.5 HIGH]
Weblate versions prior to 5.15.2 expose screenshot images through the web server without authentication controls, enabling unauthenticated attackers to retrieve sensitive screenshots by predicting their filenames. This improper access control flaw affects all users whose screenshot content should be restricted. A patch is available in version 5.15.2 and later.
Bluvoyix stores user passwords in plaintext and exposes them through unauthenticated APIs, allowing remote attackers to retrieve credentials without authentication and gain administrative access to customer accounts. This high-severity vulnerability affects all users of the platform and could lead to complete compromise of customer data, with no patch currently available.
A local user can trigger Harmony SASE Windows client to write or delete files outside the intended certificate working directory. [CVSS 7.5 HIGH]
The GeekyBot - Generate AI Content Without Prompt, Chatbot and Lead Generation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the chat message field in all versions up to, and including, 1.1.7 due to insufficient input sanitization and output escaping. [CVSS 7.2 HIGH]
Vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to perform SQL injection attacks. [CVSS 7.2 HIGH]
Vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to perform SQL injection attacks. [CVSS 7.2 HIGH]
Vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to perform SQL injection attacks. [CVSS 7.2 HIGH]
Shopware versions 6.7.0.0 through 6.7.6.0 contain a code injection vulnerability in the map() function override that fails to validate PHP Closures against an allowlist, enabling authenticated attackers with high privileges to execute arbitrary code. The vulnerability reintroduces a regression from CVE-2023-2017 and affects the open commerce platform's core functionality. A patch is available in version 6.7.6.1.
The Name Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name_directory_name' and 'name_directory_description' parameters in all versions up to, and including, 1.30.3 due to insufficient input sanitization and output escaping. [CVSS 7.2 HIGH]
The AJS Footnotes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'note_list_class' and 'popup_display_effect_in' parameters in all versions up to, and including, 1.0 due to missing authorization and nonce verification on settings save, as well as insufficient input sanitization and output escaping. [CVSS 7.2 HIGH]
The GetContentFromURL plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0. This is due to the plugin using wp_remote_get() instead of wp_safe_remote_get() to fetch content from a user-supplied URL in the 'url' parameter of the [gcfu] shortcode. [CVSS 7.2 HIGH]
In the Linux kernel, the following vulnerability has been resolved: media: adv7842: Avoid possible out-of-bounds array accesses in adv7842_cp_log_status() It's possible for cp_read() and hdmi_read() to return -EIO. Those values are further used as indexes for accessing arrays.
In the Linux kernel, the following vulnerability has been resolved: RDMA/irdma: avoid invalid read in irdma_net_event irdma_net_event() should not dereference anything from "neigh" (alias "ptr") until it has checked that the event is NETEVENT_NEIGH_UPDATE.
In the Linux kernel, the following vulnerability has been resolved: libceph: make decode_pool() more resilient against corrupted osdmaps If the osdmap is (maliciously) corrupted such that the encoded length of ceph_pg_pool envelope is less than what is expected for a particular encoding version, out-of-bounds reads may ensue because the only bounds check that is there is based on that length value.
In the Linux kernel, the following vulnerability has been resolved: net: hns3: add VLAN id validation before using Currently, the VLAN id may be used without validation when receive a VLAN configuration mailbox from VF. The length of vlan_del_fail_bmap is BITS_TO_LONGS(VLAN_N_VID).
The DASHBOARD BUILDER - WordPress plugin for Charts and Graphs plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.7. This is due to missing nonce validation on the settings handler in dashboardbuilder-admin.php. [CVSS 7.1 HIGH]
An insecure authentication mechanism in the safe_exec.sh startup script of Blurams Flare Camera version 24.1114.151.929 and earlier allows an attacker with physical access to the device to execute arbitrary commands with root privileges, if file /opt/images/public_key.der is not present in the file system. [CVSS 6.8 MEDIUM]
Arbitrary command execution in the VSCode Spring CLI extension allows local users with interactive access to execute arbitrary commands on their machine through unsanitized input. An attacker with local access could exploit this to compromise the affected system, though no patch is currently available.
Multi-thread race condition vulnerability in the thermal management module. Impact: Successful exploitation of this vulnerability may affect availability. [CVSS 6.8 MEDIUM]
Thinkplus Fu100 Firmware versions up to - is affected by cleartext transmission of sensitive information (CVSS 5.5).
A flaw was found in vsftpd. This vulnerability allows a denial of service (DoS) via an integer overflow in the ls command parameter parsing, triggered by a remote, authenticated attacker sending a crafted STAT command with a specific byte sequence. [CVSS 6.5 MEDIUM]
Prtg Network Monitor versions up to 25.4.114 is affected by uncontrolled resource consumption (CVSS 6.5).
Gotham Block Extra Light (WordPress plugin) versions up to 1.5.0 is affected by path traversal (CVSS 6.5).
Packetbeat's MongoDB protocol parser fails to properly validate array indices, enabling attackers to trigger buffer overflows via malformed network packets sent to monitored interfaces. Organizations running Packetbeat with MongoDB protocol parsing enabled could experience denial of service conditions when processing specially crafted traffic. No patch is currently available for this vulnerability.
Secure Boot bypass in iOS allows local privileged users to disable Secure Boot protections even when explicitly configured as enabled in BIOS, affecting systems with Secure Boot set to User Mode. An attacker with high-level system access and user interaction can circumvent boot-time security protections, potentially enabling unsigned code execution. No patch is currently available for this medium-severity vulnerability.
Stored XSS in the SearchWiz WordPress plugin through version 1.0.0 allows authenticated contributors and above to inject malicious scripts into post titles that execute when other users view search results. The vulnerability stems from improper output escaping using esc_attr() instead of esc_html() when rendering post titles in search functionality. No patch is currently available.
The SpiceForms Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'spiceforms' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]
Data verification vulnerability in the HiView module. Impact: Successful exploitation of this vulnerability may affect availability. [CVSS 6.2 MEDIUM]
Permission verification bypass vulnerability in the media library module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. [CVSS 6.2 MEDIUM]
Paessler PRTG Network Monitor before 25.4.114 allows XSS by an unauthenticated attacker via the tag parameter. [CVSS 6.1 MEDIUM]
A vulnerability in the boot process of Blurams Flare Camera version 24.1114.151.929 and earlier allows a physically proximate attacker to hijack the boot mechanism and gain a bootloader shell via the UART interface. [CVSS 6.1 MEDIUM]
Permission verification bypass vulnerability in the media library module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. [CVSS 6.1 MEDIUM]
Incomplete validation of passkey requests in AliasVault Android versions 0.24.0-0.25.2 allows a locally installed malicious application to obtain passkey responses for unauthorized websites by bypassing checks on calling app identity, origin, and RP ID. An attacker with local access could leverage this to gain unauthorized access to user accounts on targeted services. The vulnerability has been patched in version 0.25.3.
Undici versions up to 7.18.0 is affected by allocation of resources without limits or throttling (CVSS 5.9).
Harmonyos versions up to 6.0.0 is affected by permissions, privileges, and access controls (CVSS 5.7).
Man-in-the-middle attack vulnerability in the Clone module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. [CVSS 5.7 MEDIUM]
In the Linux kernel, the following vulnerability has been resolved: parisc: Do not reprogram affinitiy on ASP chip The ASP chip is a very old variant of the GSP chip and is used e.g. in HP 730 workstations.