Blind SQL injection in Pimcore's Admin Search Find API allows authenticated attackers to extract database information through inferential techniques, bypassing the incomplete mitigation from a prior patch that only removed comment-based attacks. The vulnerability affects Pimcore versions prior to 12.3.1 and 11.5.14, with public exploit code available. Patched versions are available and should be deployed immediately.
SumatraPDF 3.5.2 and earlier on Windows contains an untrusted search path vulnerability in the Advanced Options feature that allows arbitrary code execution through a malicious notepad.exe placed in the application directory. An attacker with local access can exploit this when a user triggers the Advanced Options setting, as the application fails to specify an absolute path when launching notepad.exe. Public exploit code exists for this vulnerability, and a patch is available.
Glibc versions 2.30 through 2.42 contain an integer overflow in the memalign function family that allows attackers with control over both size and alignment parameters to trigger heap corruption. Public exploit code exists for this vulnerability, which requires carefully crafted inputs with alignment values between 2^62+1 and 2^63 paired with sizes near PTRDIFF_MAX. Local attackers exploiting this flaw could achieve code execution or denial of service on affected systems.
Heap use-after-free in FreeRDP versions before 3.20.1 stems from unsynchronized access to serial channel thread tracking structures, allowing remote attackers to trigger memory corruption and achieve code execution. The vulnerability affects systems using vulnerable FreeRDP versions for remote desktop connections and has public exploit code available. No patch is currently available, requiring users to upgrade to version 3.20.1 or later.
Rocket.Chat versions prior to 6.12.0 expose the OAuth applications API endpoint to any authenticated user, allowing disclosure of sensitive credentials including client IDs and secrets regardless of user role or permissions. An attacker with valid credentials can enumerate OAuth applications and extract their secrets by knowing application IDs, potentially compromising integrated third-party applications. Public exploit code exists for this vulnerability and no patch is currently available.
Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the serverName parameter of the sub_65A28 function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. [CVSS 7.5 HIGH]
Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the serviceName parameter of the sub_65A28 function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. [CVSS 7.5 HIGH]
The Google Gemini connector in AI/ML products allows authenticated users with connector management privileges to read arbitrary files through unvalidated file path and network request parameters in credential configurations. An attacker with sufficient authentication access can craft malicious JSON payloads to trigger server-side requests and disclose sensitive files from the affected system. This vulnerability requires valid credentials and administrative privileges but presents a high risk of confidential data exposure.
Multi-thread race condition vulnerability in the video framework module. Impact: Successful exploitation of this vulnerability may affect availability. [CVSS 8.4 HIGH]
Multi-thread race condition vulnerability in the card framework module. Impact: Successful exploitation of this vulnerability may affect availability. [CVSS 8.4 HIGH]
Multi-thread race condition vulnerability in the card framework module. Impact: Successful exploitation of this vulnerability may affect availability. [CVSS 8.0 HIGH]
Multi-thread race condition vulnerability in the card framework module. Impact: Successful exploitation of this vulnerability may affect availability. [CVSS 8.0 HIGH]
Multi-thread race condition vulnerability in the card framework module. Impact: Successful exploitation of this vulnerability may affect availability. [CVSS 8.0 HIGH]
In certain Arm CPUs, a CPP RCTX instruction executed on one Processing Element (PE) may inhibit TLB invalidation when a TLBI is issued to the PE, either by the same PE or another PE in the shareability domain. [CVSS 7.9 HIGH]
In the Linux kernel, the following vulnerability has been resolved: ext4: fix string copying in parse_apply_sb_mount_options() strscpy_pad() can't be used to copy a non-NUL-term string into a NUL-term string of possibly bigger size.
In the Linux kernel, the following vulnerability has been resolved: octeontx2-pf: fix "UBSAN: shift-out-of-bounds error" This patch ensures that the RX ring size (rx_pending) is not set below the permitted length.
NVIDIA NSIGHT Graphics for Linux contains a vulnerability where an attacker could cause command injection. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, and denial of service. [CVSS 7.8 HIGH]
In the Linux kernel, the following vulnerability has been resolved: mm/slub: reset KASAN tag in defer_free() before accessing freed memory When CONFIG_SLUB_TINY is enabled, kfree_nolock() calls kasan_slab_free() before defer_free().
In the Linux kernel, the following vulnerability has been resolved: clk: samsung: exynos-clkout: Assign .num before accessing .hws Commit f316cdff8d67 ("clk: Annotate struct clk_hw_onecell_data with __counted_by") annotated the hws member of 'struct clk_hw_onecell_data' with __counted_by, which informs the bounds sanitizer (UBSAN_BOUNDS) about the number of elements in .hws[], so that it can warn when .hws[] is accessed out of bounds.
In the Linux kernel, the following vulnerability has been resolved: iommufd/selftest: Check for overflow in IOMMU_TEST_OP_ADD_RESERVED syzkaller found it could overflow math in the test infrastructure and cause a WARN_ON by corrupting the reserved interval tree.
Thinkplus Fu100 Firmware versions up to - is affected by authentication bypass by spoofing (CVSS 7.8).
The drivers in the tool packages use RTL_QUERY_REGISTRY_DIRECT flag to read a registry value to which an untrusted user-mode application may be able to cause a buffer overflow. [CVSS 7.8 HIGH]
The drivers in the tool packages use RTL_QUERY_REGISTRY_DIRECT flag to read a registry value to which an untrusted user-mode application may be able to cause a buffer overflow. [CVSS 7.8 HIGH]
The drivers in the tool packages use RTL_QUERY_REGISTRY_DIRECT flag to read a registry value to which an untrusted user-mode application may be able to cause a buffer overflow. [CVSS 7.8 HIGH]
Double free vulnerability in the multi-mode input module. Impact: Successful exploitation of this vulnerability may affect the input function. [CVSS 7.8 HIGH]
The drivers in the tool packages use RTL_QUERY_REGISTRY_DIRECT flag to read a registry value to which an untrusted user-mode application may be able to cause a buffer overflow. [CVSS 7.8 HIGH]
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.10 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated user to execute stored cross-site scripting through improper input validation in the Kubernetes proxy functionality. [CVSS 7.7 HIGH]
The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to blind SQL Injection via the `order` and `append_where_sql` parameters in all versions up to, and including, 1.6.9.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. [CVSS 7.5 HIGH]
The Shipping Rate By Cities plugin for WordPress is vulnerable to SQL Injection via the 'city' parameter in all versions up to, and including, 2.0.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. [CVSS 7.5 HIGH]
Weblate versions prior to 5.15.2 expose screenshot images through the web server without authentication controls, enabling unauthenticated attackers to retrieve sensitive screenshots by predicting their filenames. This improper access control flaw affects all users whose screenshot content should be restricted. A patch is available in version 5.15.2 and later.
Bluvoyix stores user passwords in plaintext and exposes them through unauthenticated APIs, allowing remote attackers to retrieve credentials without authentication and gain administrative access to customer accounts. This high-severity vulnerability affects all users of the platform and could lead to complete compromise of customer data, with no patch currently available.
A local user can trigger Harmony SASE Windows client to write or delete files outside the intended certificate working directory. [CVSS 7.5 HIGH]
The GeekyBot - Generate AI Content Without Prompt, Chatbot and Lead Generation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the chat message field in all versions up to, and including, 1.1.7 due to insufficient input sanitization and output escaping. [CVSS 7.2 HIGH]
Vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to perform SQL injection attacks. [CVSS 7.2 HIGH]
Vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to perform SQL injection attacks. [CVSS 7.2 HIGH]
Vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to perform SQL injection attacks. [CVSS 7.2 HIGH]
Shopware versions 6.7.0.0 through 6.7.6.0 contain a code injection vulnerability in the map() function override that fails to validate PHP Closures against an allowlist, enabling authenticated attackers with high privileges to execute arbitrary code. The vulnerability reintroduces a regression from CVE-2023-2017 and affects the open commerce platform's core functionality. A patch is available in version 6.7.6.1.
The Name Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name_directory_name' and 'name_directory_description' parameters in all versions up to, and including, 1.30.3 due to insufficient input sanitization and output escaping. [CVSS 7.2 HIGH]
The AJS Footnotes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'note_list_class' and 'popup_display_effect_in' parameters in all versions up to, and including, 1.0 due to missing authorization and nonce verification on settings save, as well as insufficient input sanitization and output escaping. [CVSS 7.2 HIGH]
The GetContentFromURL plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0. This is due to the plugin using wp_remote_get() instead of wp_safe_remote_get() to fetch content from a user-supplied URL in the 'url' parameter of the [gcfu] shortcode. [CVSS 7.2 HIGH]
In the Linux kernel, the following vulnerability has been resolved: media: adv7842: Avoid possible out-of-bounds array accesses in adv7842_cp_log_status() It's possible for cp_read() and hdmi_read() to return -EIO. Those values are further used as indexes for accessing arrays.
In the Linux kernel, the following vulnerability has been resolved: RDMA/irdma: avoid invalid read in irdma_net_event irdma_net_event() should not dereference anything from "neigh" (alias "ptr") until it has checked that the event is NETEVENT_NEIGH_UPDATE.
In the Linux kernel, the following vulnerability has been resolved: libceph: make decode_pool() more resilient against corrupted osdmaps If the osdmap is (maliciously) corrupted such that the encoded length of ceph_pg_pool envelope is less than what is expected for a particular encoding version, out-of-bounds reads may ensue because the only bounds check that is there is based on that length value.
In the Linux kernel, the following vulnerability has been resolved: net: hns3: add VLAN id validation before using Currently, the VLAN id may be used without validation when receive a VLAN configuration mailbox from VF. The length of vlan_del_fail_bmap is BITS_TO_LONGS(VLAN_N_VID).
The DASHBOARD BUILDER - WordPress plugin for Charts and Graphs plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.7. This is due to missing nonce validation on the settings handler in dashboardbuilder-admin.php. [CVSS 7.1 HIGH]