CVE Catalog
Browse the latest Common Vulnerabilities and Exposures (CVEs) with CVSS scores, affected products, and next-gen risk scores.
DevaslanPHP Project Management Improper Authorization Vulnerability in Ticket Handler Component
An improper authorization vulnerability has been identified in the DevaslanPHP project management application, specifically in versions up to 2.0.0-beta1. The issue resides in the KanbanScrumHelper::recordUpdated function within the Ticket Handler component. This vulnerability allows for cross-project ticket status manipulation by bypassing ownership and project membership checks. The flaw can be exploited remotely via the Livewire wire protocol, enabling unauthorized users to alter the status of any ticket.
DevaslanPHP Project Management Livewire Component Authorization Bypass Vulnerability
An authorization bypass vulnerability has been identified in the DevaslanPHP project management application, specifically in versions up to 2.0.0-beta1. The issue resides within the Livewire component, in the 'editComment' and 'doDeleteComment' methods of the 'ViewTicket' resource page. This vulnerability allows remote attackers to manipulate comment IDs and bypass authorization checks, as the methods can be called directly without proper server-side validation. While the UI restricts access to certain users, this safeguard can be easily circumvented.
lwext4 NULL Pointer Dereference Vulnerability in Directory Entry Handling
A NULL pointer dereference vulnerability has been identified in lwext4 version 1.0.0, specifically in the 'ext4_dir_en_get_name_len' function within 'include/ext4_dir.h'. This vulnerability allows attackers to cause a denial-of-service condition by providing a specially crafted EXT4 filesystem image with malformed directory entries. The issue arises during directory iteration, where the code fails to properly validate the directory entry pointer before accessing the 'name_len' field, leading to a segmentation fault.
AMD Secure Processor Access Control Vulnerability Allowing Privilege Escalation
A vulnerability in the AMD Secure Processor (ASP) has been identified, stemming from insufficient granularity of access control. This flaw may enable an attacker with an untrusted user space application to map sensitive System Management Network (SMN) apertures, potentially leading to unauthorized privilege escalation. The issue affects several AMD Ryzen and Ryzen Embedded series processors.
Ivanti Neurons for ITSM Improper Access Control Vulnerability Allowing Privilege Escalation
A vulnerability allowing improper access control has been identified in Ivanti Neurons for ITSM, both in cloud and on-premises versions. This vulnerability enables a remote authenticated attacker to gain administrative access. It arises from inadequate access control measures, allowing unauthorized elevation of privileges.
IBM WebSphere Application Server SAML Component Remote Code Execution Vulnerability
A remote code execution vulnerability has been identified in IBM WebSphere Application Server versions 9.0 and 8.5. This issue arises from improper validation of user-supplied data during deserialization in the SAML Web Single Sign-On component. Exploitation of this vulnerability requires a crafted HTTP request that, when combined with a suitable gadget chain, could lead to unauthorized code execution on the server.
IBM WebSphere Application Server Remote Code Execution Vulnerability via Deserialization in JAX-WS Endpoints
A remote code execution vulnerability exists in IBM WebSphere Application Server versions 9.0 and 8.5. This issue arises from the deserialization of untrusted data in JAX-WS endpoints that use WS-Security, potentially allowing an attacker to execute arbitrary code on the server.
IBM WebSphere Application Server Remote Code Execution Vulnerability
A remote code execution vulnerability has been identified in IBM WebSphere Application Server versions 9.0 and 8.5. This vulnerability arises from a bypass of security controls, allowing unauthorized execution of code on the server.
IBM WebSphere Application Server Identity Spoofing Vulnerability
An identity spoofing vulnerability has been identified in IBM WebSphere Application Server versions 9.0 and 8.5. This vulnerability allows for authentication bypass by spoofing, potentially leading to unauthorized actions or access.
IBM i Access Family Remote Code Execution Vulnerability via IBM i Navigator
A remote code execution vulnerability exists in the IBM i Access Client Solutions (ACS) within the IBM i Access Family, specifically in versions 1.1.5.0 through 1.1.9.12. The vulnerability arises when ACS is configured to accept requests from IBM i Navigator.
AI Tensor Engine for ROCm Unauthenticated Remote Code Execution Vulnerability
A remote code execution vulnerability has been identified in AI Tensor Engine for ROCm (AITER) versions through 0.1.14. The issue arises in the MessageQueue.recv() function within shm_broadcast.py, where the application deserializes untrusted data from a ZMQ SUB socket without authentication or validation. This vulnerability allows remote attackers to execute arbitrary code by sending a malicious pickle payload. Exploitation requires access to the writer's XPUB endpoint on the cluster network or the ability to supply a forged Handle with an attacker-controlled remote_subscribe_addr, targeting all remote reader workers simultaneously.
Microsoft SharePoint Remote Code Execution Vulnerability
A remote code execution vulnerability has been identified in Microsoft Office SharePoint. This issue arises from the deserialization of untrusted data, allowing an authorized attacker to execute arbitrary code over the network. The vulnerability affects multiple SharePoint Server versions, including SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016.
Nextcloud Server and Enterprise Comment Access Vulnerability
A vulnerability in Nextcloud Server versions 31.0.0 prior to 31.0.12 and 32.0.0 prior to 32.0.3, as well as in Nextcloud Enterprise Server versions 21.0.0 prior to 21.0.9.20, 22.0.0, 23.0.0, 24.0.0, 25.0.0, 26.0.0, 27.0.0, 28.0.0, 29.0.0, 30.0.0, 31.0.0, and 32.0.0, allows authenticated users with access to any file comment to read the content of all comments. This issue arises from a missing check of a relation, which could be exploited by users to read comments they should not be able to access.
ThorVG Null Pointer Dereference Vulnerability in SvgLoader Allowing Process Crash
A null pointer dereference vulnerability has been identified in Thor Vector Graphics (ThorVG) versions prior to 1.0.5. The issue arises in the SvgLoader component, specifically within the run() function. This vulnerability allows any caller to pass untrusted SVG data to the Picture::load() method, leading to a process crash. The vulnerability can be exploited with a minimal 6-byte payload, causing a segmentation fault by dereferencing a null pointer.
CloakBrowser Path Traversal Vulnerability in cloakserve Component Leading to Arbitrary Directory Deletion
A path traversal vulnerability has been identified in CloakBrowser versions through 0.3.27. The issue arises in the cloakserve CDP multiplexer, which uses the user-supplied fingerprint query parameter as a filesystem path component for creating Chrome profile directories. An unauthenticated attacker with access to the cloakserve port can inject crafted fingerprint values containing path traversal sequences. This manipulation can redirect the user_data_dir outside the designated data_dir. When the Chrome process fails to start or is terminated, the shutil.rmtree() function deletes the traversed path, causing arbitrary directory deletion. Additionally, cloakserve is bound to 0.0.0.0 by default, exposing it to the network.
Nextcloud Tables App SQL Injection Vulnerability in ORDER BY Clause
A SQL injection vulnerability has been identified in the Nextcloud Tables app, affecting versions 0.9.0 prior to 0.9.7 and 1.0.0 prior to 1.0.2. The issue arises from a lack of proper input sanitization, which allows users with access to the Tables app to manipulate the ORDER BY statement of a query. This exploitation is limited to extracting a small amount of information per request or causing a delay in database response. The vulnerability has been patched in versions 0.9.7 and 1.0.2.
Nextcloud Server and Enterprise Two-Factor Authentication Bypass Vulnerability via Pre-Authentication Session Cookie
A vulnerability exists in Nextcloud Server versions 32.0.0 prior to 32.0.9 and 33.0.0 prior to 33.0.3, as well as in Nextcloud Enterprise Server versions 29.0.0 through 29.0.16.16, 30.0.0 through 30.0.17.9, 31.0.0 through 31.0.14.5, 32.0.0 prior to 32.0.9, and 33.0.0 prior to 33.0.3. The issue arises from a pre-two-factor authentication session cookie, which can be reused as a Bearer token to authenticate against DAV endpoints. This reuse grants read/write access while bypassing mandatory two-factor authentication requirements.
Nextcloud Server and Enterprise Two-Factor Authentication Bypass Vulnerability
A vulnerability allowing authentication bypass has been identified in Nextcloud Server versions 32.0.0 prior to 32.0.9 and 33.0.0 prior to 33.0.3, as well as in Nextcloud Enterprise Server versions 29.0.0 through 29.0.16.15, 30.0.0 through 30.0.17.8, 31.0.0 through 31.0.14.4, 32.0.0 prior to 32.0.9, and 33.0.0 prior to 33.0.3. This vulnerability allows attackers who know a user's password to bypass two-factor authentication (2FA). When a user logs in with valid credentials on a 2FA-enabled account, a temporary session token is created before the second factor is challenged. This token can be extracted and reused via HTTP Basic Authentication to access protected endpoints without authorization.
Nextcloud Tables App SQL Injection Vulnerability Allowing Arbitrary SQL Execution
A stored SQL injection vulnerability has been identified in the Nextcloud Tables app, affecting versions 0.7.0 prior to 0.7.7, 0.8.0 prior to 0.8.10, 0.9.0 prior to 0.9.8, and 1.0.0 prior to 1.0.4. This vulnerability allows authenticated attackers with access to the Tables app to execute arbitrary SQL queries, initially limited to 20 bytes. However, with carefully crafted input, it is possible to bypass this length restriction. Exploitation of this vulnerability could lead to unauthorized data extraction or modification within the database.
Nextcloud Tables Information Disclosure Vulnerability
A vulnerability in the Nextcloud Tables app, affecting versions 0.8.0 prior to 1.0.4, allows users with read-only permissions to access view filter criteria. This issue arises from inadequate data masking in the ViewService, leading to unintended exposure of metadata.
Nextcloud Forms Unauthorized File Access Vulnerability for Removed Collaborators
A vulnerability in the Nextcloud Forms application, affecting versions from 4.3.0 up to, but not including, 5.2.7, allows removed collaborators to retain unauthorized read access to respondent files uploaded for forms where they previously had access to results. This issue arises because the file shares are not properly revoked when a collaborator is removed, leaving a gap in file access control.
parse-nested-form-data Prototype Pollution Vulnerability
A prototype pollution vulnerability exists in the parse-nested-form-data module, specifically in versions prior to 1.0.1. The issue arises because the parseFormData() function does not properly filter reserved property keys in FormData field names. This oversight allows an attacker to manipulate the Object.prototype by crafting specific field names, leading to unintended consequences in the application's prototype chain. The vulnerability can be exploited by sending FormData with names that include '__proto__', either as a top-level key or nested within an array.
Nextcloud Calendar Autocomplete User Enumeration Vulnerability
A data protection vulnerability exists in the Nextcloud Calendar app, specifically in versions 5.5.13 prior to 5.5.17 and 6.2.0 prior to 6.2.3. The issue allows authenticated users to enumerate all users on the same Nextcloud instance through the calendar's attendee suggestion feature. This endpoint bypasses normal sharing restrictions, exposing user information, including email addresses, from all groups within the instance.
Nextcloud Public Link Creation Vulnerability for External Team Members
A vulnerability exists in Nextcloud versions 32.0.0 prior to 32.0.9 and 33.0.0 prior to 33.0.3, allowing the automatic creation of public links for external members when files or folders are shared with a Nextcloud Team. External members, added via email and without a Nextcloud account, receive these links through email, granting them the same permissions as the Team's access. The links are not visible to the folder owner, who cannot revoke them through the normal sharing interface. This oversight enables unauthorized access and manipulation of shared data by anyone who intercepts or receives the link.
Nextcloud User OIDC App LDAP Authentication Vulnerability for Deleted Users
A vulnerability exists in the Nextcloud User OIDC app, specifically in versions from 1.3.6 up to, but not including, 8.4.0, as well as 5.0.3, 6.1.0, and 6.3.0. The issue arises from an improper check in the LdapService, which allowed deleted LDAP users to still authenticate with the User OIDC app. This vulnerability has been patched in version 8.4.0.
Nextcloud Server Files Lock App Ownership Validation Vulnerability Allowing Unauthorized File Locking and Unlocking
A vulnerability exists in the Nextcloud Server Files Lock app, specifically in versions 32.0.0 prior to 32.0.2 and 33.0.0 prior to 33.0.1. The issue arises because the app failed to properly validate file ownership when handling WebDAV lock and unlock requests. As a result, an authenticated user could manipulate files belonging to other users by targeting their absolute WebDAV paths. Furthermore, the vulnerability allowed unauthorized users to access lock tokens through error responses, enabling them to remove token-based locks applied by other users' client applications.
Nextcloud Server and Enterprise Share Token Vulnerability Allowing Unauthorized Attachment Access
A vulnerability exists in Nextcloud Server versions 32.0.0 prior to 32.0.9 and 33.0.0 prior to 33.0.3, as well as in Nextcloud Enterprise Server versions 27.0.0, 28.0.0, 29.0.0, 30.0.0, 31.0.0, 32.0.0, and 33.0.0. This vulnerability allows an authenticated attacker to access attachments from link shares by knowing the share token, thereby bypassing password protection and download restrictions. The issue affects any directly shared file, as the attacker only needs to know a document ID they own, along with the share token. For shared folders, the attacker must know or guess a document ID of a file within the folder, making exploitation more difficult. The vulnerability allows extraction of attachments but not the shared file or folder itself.
Nextcloud Server and Enterprise Improper Authorization Vulnerability in Calendar Access
A vulnerability exists in Nextcloud Server versions 32.0.0 prior to 32.0.9 and 33.0.0 prior to 33.0.3, as well as in Nextcloud Enterprise Server versions 33.0.0 prior to 33.0.3 and several earlier versions. This vulnerability allows an authenticated user to exploit improper authorization controls in the calendar backend. By knowing another user's principal URL, an attacker could send a request to gain full access to that user's calendar, including the ability to view and modify calendar entries.
Nextcloud Server Path Traversal Vulnerability Allowing Arbitrary File Copying
A path traversal vulnerability has been identified in Nextcloud Server versions 31.0.0 prior to 31.0.14 and 32.0.0 prior to 32.0.4. When the '{lang}' variable is used in the template directory configuration, non-admin users may exploit this issue to copy arbitrary files, depending on Unix permissions, into their own Nextcloud directory.
Nextcloud User OIDC Open Redirect Vulnerability
A vulnerability allowing open redirects has been identified in the Nextcloud User OIDC app, affecting versions from 6.1.0 up to, but not including, 8.2.2. This issue allows attackers to create links that redirect users to external websites when they log in using the affected OIDC implementation.
Nextcloud Approval Workflow Association Disclosure Vulnerability
A vulnerability exists in the Nextcloud Approval app, affecting versions prior to 2.7.2. Authenticated users can determine if specific files are linked to particular approval workflows, allowing them to request approval for those files. This issue has been addressed in version 2.7.2.
Nextcloud Approval App Privilege Escalation Vulnerability Allowing Unauthorized File Sharing
A privilege escalation vulnerability has been identified in the Nextcloud Approval app, affecting versions prior to 2.7.2. This vulnerability allows users without sharing permissions to manipulate the system into sharing files with approvers, bypassing authorization and enabling the unauthorized distribution of restricted files.
rrdtool rrdcached Stack-Based Buffer Overflow Vulnerability Allowing Local Privilege Escalation
A stack-based buffer overflow vulnerability has been identified in rrdcached, a component of rrdtool, in versions through 1.8.0-20.el10. This vulnerability allows local attackers with access to an rrdcached socket to exploit the issue by sending oversized CREATE requests. The flaw can cause a denial of service by crashing the daemon or potentially lead to arbitrary code execution, thereby affecting the integrity and confidentiality of data.
CodexBar Session Cookie Leakage Vulnerability via HTTP Redirect
A session cookie leakage vulnerability has been identified in CodexBar versions prior to 0.32.0. This vulnerability allows network attackers to intercept imported browser session cookies by exploiting improper redirect handling for Amp and Ollama provider sessions. When a provider-controlled redirect targets a cleartext HTTP endpoint within the same provider domain, attackers positioned on the network path can receive the unencrypted HTTP requests carrying the imported session cookies.
F5-TTS Path Traversal Vulnerability in Gradio Handlers Allowing Arbitrary File Write
A path traversal vulnerability has been identified in F5-TTS versions through 1.1.20. This vulnerability resides within the finetune Gradio handlers, where unsanitized user-supplied project names are directly passed to 'os.path.join()'. The lack of validation allows unauthenticated attackers to manipulate the resulting path, potentially escaping the intended base directory. Exploitation involves supplying absolute path arguments to create arbitrary directories and write attacker-controlled JSON content to any filesystem location writable by the server process.
microtar Stack-Based Buffer Overflow Vulnerability in TAR Header Processing
A stack-based buffer overflow vulnerability has been identified in microtar versions through 0.1.0. The issue arises in the raw_to_header() function within src/microtar.c, where strcpy() is used to copy non-null-terminated name and linkname fields from a TAR archive into a destination buffer. This flaw allows attackers to overwrite adjacent stack memory by crafting a TAR archive that exploits the lack of null termination in these fields. The vulnerability is triggered when the library processes the manipulated TAR archives using mtar_open(), mtar_find(), or mtar_read_header().
Cloud Foundry Diego Release SMB Volume Mount Option Injection Vulnerability
A vulnerability exists in all versions of Cloud Foundry Diego Release prior to v56.0.0, specifically within the SMB volume handling of the smb-volume-release component in all versions prior to v3.60.0. This vulnerability allows low-privileged Cloud Foundry space developers to bypass input validation on CIFS mount options, injecting arbitrary options that could lead to privilege escalation and security control bypass on multi-tenant Diego cells. The issue arises from the SMB mount-option validation logic, where crafted mount options can evade the intended allowlist, which is meant to separate harmless SMB configurations from risky root filesystem operations on shared infrastructure.
Spring Cloud Function Out-of-Memory Vulnerability in Function Registry
A denial-of-service vulnerability has been identified in Spring Cloud Function, where an unbounded cache for function definitions can lead to an out-of-memory error. This issue arises when an excessive number of functions are added to the Function Registry. The vulnerability affects multiple Spring Cloud Function versions, including 3.2.x prior to 3.2.16, 4.1.x prior to 4.1.10, 4.2.x prior to 4.2.6, 4.3.x prior to 4.3.3, and 5.0.x prior to 5.0.2, as well as older, unsupported versions.
VMware Spring Cloud Function Denial-of-Service Vulnerability Due to Infinite Recursion
A denial-of-service vulnerability has been identified in VMware Spring Cloud Function. Under certain conditions, infinite recursion in the routing layer can lead to out-of-memory errors. This issue affects Spring Cloud Function versions 3.2.x prior to 3.2.16, 4.1.x prior to 4.1.10, 4.2.x prior to 4.2.6, 4.3.x prior to 4.3.3, 5.0.x prior to 5.0.2, and older, unsupported versions.
FlexRIC Impersonation Vulnerability via Unverified xApp IDs in E42 Messages
A vulnerability in FlexRIC version 2.0.0 allows remote unauthenticated attackers to impersonate xApps by exploiting the unverified xapp_id field in E42 message payloads. The issue arises because the validation function only ensures that the xapp_id is within a designated range, without confirming its association with the sender's SCTP connection. This flaw can lead to misrouted responses, causing disruptions that may crash the targeted xApp, the near-RT RIC, or the iApp through inconsistencies in the red-black tree data structure.
FlexRIC Authorization Bypass Vulnerability Allowing Cross-xApp Subscription Deletion
An authorization bypass vulnerability has been identified in FlexRIC version 2.0.0, specifically within the iApp's xApp isolation mechanism. The issue arises in the equality function eq_xapp_ric_gen_id(), located in src/ric/iApp/xapp_ric_id.c. This function incorrectly compares one xApp ID against itself, rather than against the ID of another xApp, thereby neglecting the xApp identity dimension. As a result, a malicious xApp connected to the iApp can delete subscriptions of other xApps by sending a deletion request with a matching subscription ID. This vulnerability disrupts multi-tenant isolation in environments where multiple xApps share the same RIC.
OpenAirInterface5G PRB Utilization Metric Calculation Vulnerability in E2SM-KPM RAN Function
A divide-by-zero vulnerability has been identified in OpenAirInterface5G version 2.4.0, specifically within the 'nr-softmodem' component that integrates with the FlexRIC E2 Agent. The issue arises in the E2SM-KPM RAN Function's calculation of Physical Resource Block (PRB) utilization metrics. The vulnerability occurs in the 'fill_RRU_PrbTotDl()' and 'fill_RRU_PrbTotUl()' functions, where PRB usage percentages are computed by dividing the total PRB aggregate samples from two consecutive intervals. This calculation fails to verify whether the divisor is zero. When a malicious xApp transmits a large volume of 'E42_RIC_SUBSCRIPTION_REQUEST' messages through the FlexRIC iApp, the E2 Agent responds by generating KPM Indication reports at a high frequency. If two successive sampling intervals have the same PRB aggregate values, the division by zero triggers a SIGFPE signal, causing the 'nr-softmodem' process to crash. This failure disrupts 5G cell service for all connected User Equipments (UEs). Notably, no authentication is required to exploit this vulnerability.
EURECOM FlexRIC Duplicate xapp_id Registration Leading to Crash Vulnerability
A vulnerability in EURECOM FlexRIC version 2.0.0 allows for a denial-of-service condition by causing the iApp to crash when registering duplicate xapp_ids. This issue arises because the application uses a 16-bit counter for xapp_id assignments, which wraps around after approximately 65,530 requests. The wrapped value is then stored in a 32-bit message field, leading to duplicates. A remote attacker can exploit this by repeatedly sending xApp registration requests, causing the iApp to crash when it encounters a duplicate ID.
EURECOM FlexRIC NULL Pointer Dereference Vulnerability in near-RT RIC Component
A NULL pointer dereference vulnerability has been identified in EURECOM FlexRIC version 2.0.0. This issue occurs in the near-RT RIC when it receives a RIC_INDICATION message containing a ran_func_id that is not registered in its service model registry. The absence of a valid ran_func_id leads to a NULL pointer dereference, causing a crash. In Debug builds, this triggers an assertion failure (SIGABRT), while in Release builds, it results in a segmentation fault (SIGSEGV). A remote, unauthenticated attacker can exploit this vulnerability by sending a crafted RIC_INDICATION with an arbitrary ran_func_id value over SCTP to port 36421.
EURECOM FlexRIC Reachable Assertion Vulnerability in E2AP Decoding Causes Process Crash
A reachable assertion vulnerability has been identified in EURECOM FlexRIC version 2.0.0. This vulnerability occurs in the E2AP message decoding process when the ASN.1 Packed Encoding Rules (PER) decoding fails. A remote, unauthenticated attacker can exploit this issue by sending any non-PER byte sequence, such as a single byte with the value 0x00, over the Stream Control Transmission Protocol (SCTP) to the near-RT RIC on port 36421 or to the iApp on port 36422. The vulnerability leads to a process crash via a SIGABRT signal. All three E2AP protocol versions (v1.01, v2.03, v3.01) are affected.
FlexRIC Reachable Assertion Vulnerability in E2AP SCTP Message Handling
A reachable assertion vulnerability has been identified in FlexRIC version 2.0.0. The issue arises in the function 'e2ap_recv_sctp_msg()' within the file 'src/lib/ep/e2ap_ep.c'. This function allocates a fixed receive buffer of 32KB and asserts that the return value from 'sctp_recvmsg()' is less than the buffer length. A remote, unauthenticated attacker can exploit this vulnerability by sending an SCTP message with a payload of 32,768 bytes or more, causing the near-RT RIC, iApp, E2 Agent, or xApp process to crash by triggering a SIGABRT signal. The payload does not need to be a valid E2AP PDU. All four types of SCTP endpoints (ports 36421 and 36422) are affected. In release builds, the absence of the assertion due to optimization allows for a signed-to-unsigned integer overflow, potentially leading to out-of-bounds reads.
EURECOM FlexRIC NULL Pointer Dereference Vulnerability Leading to Crash
A NULL pointer dereference vulnerability has been identified in EURECOM FlexRIC version 2.0.0. When the iApp receives an E42_RIC_SUBSCRIPTION_REQUEST that references a non-existent E2 node, the lookup function fails and returns NULL. This failure is handled by an assertion in Debug builds, causing the process to abort, while in Release builds, the NULL pointer is dereferenced, leading to a segmentation fault. As a result, the iApp process can be crashed by sending a subscription request with an arbitrary global_e2_node_id to the iApp's SCTP port 36422.
Capsule Namespace Hijacking Vulnerability via Subresource Modification
A vulnerability in Capsule, a multi-tenancy framework for Kubernetes, allows namespace hijacking through unvalidated update requests via the namespace/status and namespace/finalize subresource APIs. Prior to version 0.13.0, Capsule's webhook validation did not cover these subresources, enabling tenant administrators with the right permissions to modify namespace metadata and hijack namespaces. This issue has been addressed in version 0.13.0.
Kiteworks Secure Data Forms Insecure Direct Object Reference Vulnerability Allowing Approval Flow Tampering
A vulnerability allowing Insecure Direct Object Reference (IDOR) has been identified in Kiteworks Secure Data Forms versions prior to 9.3.0. This vulnerability allows authenticated attackers to manipulate the internal approval flow configurations of forms belonging to other users, due to inadequate authorization checks on resource ownership.
Capsule Privilege Escalation Vulnerability via Cluster-Scoped Resource Creation
A vulnerability in Capsule, a multi-tenancy framework for Kubernetes, allows tenant administrators to exploit the Capsule Controller's cluster-admin privileges to create cluster-scoped resources. This issue, present in Capsule versions through 0.12.4, enables cross-tenant privilege escalation and cluster-level attacks. The vulnerability arises because the TenantResource processing logic attempts to set the namespace for resources, but this is ignored for cluster-scoped items. As a result, tenant administrators can indirectly create resources like ClusterRoles and ValidatingWebhookConfigurations, which they are normally prohibited from creating, and use these resources to launch attacks across the cluster.
