FreeRDP RDPEAR NDR array reader has a heap overflow due to missing bounds checking on element counts. Malicious RDP server can overwrite heap memory. PoC available. Fixed in 3.20.1.
Reflected XSS in WordPress List Site Contributors plugin up to version 1.1.8 allows unauthenteric attackers to inject malicious scripts through the 'alpha' parameter due to inadequate input sanitization. Successful exploitation requires social engineering to trick users into clicking malicious links, potentially compromising user sessions and site integrity. No patch is currently available for this vulnerability.
html2pdf.js versions prior to 0.14.0 fail to sanitize text input before inserting it into the DOM, enabling stored or reflected XSS attacks that compromise client-side data confidentiality and integrity. Attackers can inject malicious scripts that execute in users' browsers when the library processes untrusted text sources, and public exploit code is available. Update to version 0.14.0 or later to remediate this vulnerability.
FreeRDP versions prior to 3.20.1 contain a race condition between the RDPGFX virtual channel and SDL rendering threads that enables heap use-after-free when graphics are reset. Public exploit code exists for this vulnerability, allowing attackers to crash the application or potentially execute code in industrial control systems and other environments using vulnerable FreeRDP implementations. A patch is not currently available, leaving affected systems exposed until an update is released.
Outray versions prior to 0.1.5 lack database transaction locking in the subdomain creation API endpoint, allowing authenticated users to bypass rate limits and provision more subdomains than permitted by their service tier. Public exploit code exists for this vulnerability, which affects the quota enforcement mechanism for free plan users. Upgrade to version 0.1.5 or later to remediate.
FreeRDP Base64 decoder has a global buffer overflow on ARM builds due to implementation-defined char signedness. Fixed in 3.20.1.
FreeRDP URBDRC USB redirect client has OOB read when processing server-supplied interface descriptors without bounds checking. Fixed in 3.20.1.
FreeRDP smartcard SetAttrib heap OOB read when attribute length mismatches NDR buffer. Fixed in 3.20.1.
BLF file parser crash in Wireshark 4.6.0 to 4.6.2 and 4.4.0 to 4.4.12 allows denial of service [CVSS 5.5 MEDIUM]
In the Linux kernel, the following vulnerability has been resolved: fs: PM: Fix reverse check in filesystems_freeze_callback() The freeze_all_ptr check in filesystems_freeze_callback() introduced by commit a3f8f8662771 ("power: always freeze efivarfs") is reverse which quite confusingly causes all file systems to be frozen when filesystem_freeze_enabled is false.
In the Linux kernel, the following vulnerability has been resolved: f2fs: ensure node page reads complete before f2fs_put_super() finishes Xfstests generic/335, generic/336 sometimes crash with the following message: F2FS-fs (dm-0): detect filesystem reference count leak during umount, type: 9, count: 1 ------------[ cut here ]------------ kernel BUG at fs/f2fs/super.c:1939!
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Flag allows Cross-Site Scripting (XSS).This issue affects Flag: from 7.X-3.0 through 7.X-3.9. [CVSS 5.4 MEDIUM]
Ph7 Social Dating Builder versions up to 17.9.1 is affected by cross-site scripting (xss) (CVSS 5.4).
Libsndfile <=1.2.2 contains a memory leak vulnerability in the mpeg_l3_encoder_init() function within the mpeg_l3_encode.c file. [CVSS 5.3 MEDIUM]
Denial of service in Wireshark 4.6.0-4.6.2 and 4.4.0-4.4.12 can be triggered through a malformed SOME/IP-SD protocol packet, causing the application to crash. Public exploit code exists for this vulnerability, and affected users should avoid opening untrusted packet captures until a patch is available.
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Facebook Pixel facebook_pixel allows Stored XSS.This issue affects Facebook Pixel: from 7.X-1.0 through 7.X-1.1. [CVSS 4.8 MEDIUM]
Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the administrative interface within the Tools Status move message handling. [CVSS 5.4 MEDIUM]
Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the administrative interface within the Tools Status functionality. The path parameter is reflected into the HTML response without proper output encoding in include/admin/Tools/Status.php. [CVSS 5.4 MEDIUM]
Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the Editing component. [CVSS 5.4 MEDIUM]
HTTP3 protocol dissector infinite loop in Wireshark 4.6.0 to 4.6.2 allows denial of service [CVSS 4.7 MEDIUM]
An insecure authentication mechanism in the safe_exec.sh startup script of Blurams Flare Camera version 24.1114.151.929 and earlier allows an attacker with physical access to the device to execute arbitrary commands with root privileges, if file /opt/images/public_key.der is not present in the file system. [CVSS 6.8 MEDIUM]
Arbitrary command execution in the VSCode Spring CLI extension allows local users with interactive access to execute arbitrary commands on their machine through unsanitized input. An attacker with local access could exploit this to compromise the affected system, though no patch is currently available.
Multi-thread race condition vulnerability in the thermal management module. Impact: Successful exploitation of this vulnerability may affect availability. [CVSS 6.8 MEDIUM]
Thinkplus Fu100 Firmware versions up to - is affected by cleartext transmission of sensitive information (CVSS 5.5).
A flaw was found in vsftpd. This vulnerability allows a denial of service (DoS) via an integer overflow in the ls command parameter parsing, triggered by a remote, authenticated attacker sending a crafted STAT command with a specific byte sequence. [CVSS 6.5 MEDIUM]
Prtg Network Monitor versions up to 25.4.114 is affected by uncontrolled resource consumption (CVSS 6.5).
Gotham Block Extra Light (WordPress plugin) versions up to 1.5.0 is affected by path traversal (CVSS 6.5).
Packetbeat's MongoDB protocol parser fails to properly validate array indices, enabling attackers to trigger buffer overflows via malformed network packets sent to monitored interfaces. Organizations running Packetbeat with MongoDB protocol parsing enabled could experience denial of service conditions when processing specially crafted traffic. No patch is currently available for this vulnerability.
Secure Boot bypass in iOS allows local privileged users to disable Secure Boot protections even when explicitly configured as enabled in BIOS, affecting systems with Secure Boot set to User Mode. An attacker with high-level system access and user interaction can circumvent boot-time security protections, potentially enabling unsigned code execution. No patch is currently available for this medium-severity vulnerability.
Stored XSS in the SearchWiz WordPress plugin through version 1.0.0 allows authenticated contributors and above to inject malicious scripts into post titles that execute when other users view search results. The vulnerability stems from improper output escaping using esc_attr() instead of esc_html() when rendering post titles in search functionality. No patch is currently available.
The SpiceForms Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'spiceforms' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]
Data verification vulnerability in the HiView module. Impact: Successful exploitation of this vulnerability may affect availability. [CVSS 6.2 MEDIUM]
Permission verification bypass vulnerability in the media library module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. [CVSS 6.2 MEDIUM]
Paessler PRTG Network Monitor before 25.4.114 allows XSS by an unauthenticated attacker via the tag parameter. [CVSS 6.1 MEDIUM]
A vulnerability in the boot process of Blurams Flare Camera version 24.1114.151.929 and earlier allows a physically proximate attacker to hijack the boot mechanism and gain a bootloader shell via the UART interface. [CVSS 6.1 MEDIUM]
Permission verification bypass vulnerability in the media library module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. [CVSS 6.1 MEDIUM]
Incomplete validation of passkey requests in AliasVault Android versions 0.24.0-0.25.2 allows a locally installed malicious application to obtain passkey responses for unauthorized websites by bypassing checks on calling app identity, origin, and RP ID. An attacker with local access could leverage this to gain unauthorized access to user accounts on targeted services. The vulnerability has been patched in version 0.25.3.
Undici versions up to 7.18.0 is affected by allocation of resources without limits or throttling (CVSS 5.9).
Harmonyos versions up to 6.0.0 is affected by permissions, privileges, and access controls (CVSS 5.7).
Man-in-the-middle attack vulnerability in the Clone module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. [CVSS 5.7 MEDIUM]
In the Linux kernel, the following vulnerability has been resolved: parisc: Do not reprogram affinitiy on ASP chip The ASP chip is a very old variant of the GSP chip and is used e.g. in HP 730 workstations.
{RT,(full)} [ 13.062353] Hardware name: , BIOS [ 13.062382] Workqueue: mld mld_ifc_work [ 13.062469] Call trace: [ 13.062494] show_stack+0x24/0x40 (C) [ 13.062602] __dump_stack+0x28/0x48 [ 13.062710] dump_stack_lvl+0x7c/0xb0 [ 13.062818] dump_stack+0x18/0x34 [ 13.062926] process_scheduled_works+0x294/0x450 [ 13.063043] worker_thread+0x260/0x3d8 [ 13.063124] kthread+0x1c4/0x228 [ 13.063235] ret_from_fork+0x10/0x20 This happens because smc_special_trylock() disables IRQs even on PREEMPT_RT, but smc_special_unlock() does not restore IRQs on PREEMPT_RT.
In the Linux kernel, the following vulnerability has been resolved: crypto: seqiv - Do not use req->iv after crypto_aead_encrypt As soon as crypto_aead_encrypt is called, the underlying request may be freed by an asynchronous completion. Thus dereferencing req->iv after it returns is invalid.
In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: Discard Beacon frames to non-broadcast address Beacon frames are required to be sent to the broadcast address, see IEEE Std 802.11-2020, 11.1.3.1 ("The Address 1 field of the Beacon ..
In the Linux kernel, the following vulnerability has been resolved: tracing: Do not register unsupported perf events Synthetic events currently do not have a function to register perf events.
In the Linux kernel, the following vulnerability has been resolved: SUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf A zero length gss_token results in pages == 0 and in_token->pages[0] is NULL.
In the Linux kernel, the following vulnerability has been resolved: ACPICA: Avoid walking the Namespace if start_node is NULL Although commit 0c9992315e73 ("ACPICA: Avoid walking the ACPI Namespace if it is not there") fixed the situation when both start_node and acpi_gbl_root_node are NULL, the Linux kernel mainline now still crashed on Honor Magicbook 14 Pro [1].
In the Linux kernel, the following vulnerability has been resolved: via_wdt: fix critical boot hang due to unnamed resource allocation The VIA watchdog driver uses allocate_resource() to reserve a MMIO region for the watchdog control register.
In the Linux kernel, the following vulnerability has been resolved: crypto: af_alg - zero initialize memory allocated via sock_kmalloc Several crypto user API contexts and requests allocated with sock_kmalloc() were left uninitialized, relying on callers to set fields explicitly.
In the Linux kernel, the following vulnerability has been resolved: usb: typec: ucsi: Handle incorrect num_connectors capability The UCSI spec states that the num_connectors field is 7 bits, and the 8th bit is reserved and should be set to zero.