CVE Catalog
Faizaan Gagan Course Migration for LearnDash Server-Side Request Forgery Vulnerability
A Server-Side Request Forgery (SSRF) vulnerability exists in the Faizaan Gagan Course Migration for LearnDash plugin, specifically in version 1.0.2. This vulnerability allows attackers to make the server perform requests to arbitrary domains, potentially leading to the exposure of sensitive information from other services running on the system.
AGILELOGIX Free Google Maps Plugin Stored Cross-Site Scripting Vulnerability
A stored cross-site scripting vulnerability has been identified in the AGILELOGIX Free Google Maps WordPress plugin, affecting versions through 1.0.1. This vulnerability allows attackers to inject malicious scripts that are executed when users visit the affected site.
Gallery Ape Photo Gallery Reflected Cross-Site Scripting Vulnerability
A reflected cross-site scripting vulnerability has been identified in the Gallery Ape Photo Gallery WordPress plugin, affecting versions through 2.2.8. This issue allows attackers to inject malicious scripts that are executed when users visit the affected site.
Mattermost Frontend Denial-of-Service Vulnerability
A denial-of-service vulnerability has been identified in Mattermost versions 10.2.0, 9.11.5, 10.0.3, and 10.1.3. These versions do not properly validate the 'style' value supplied for an action in post.props.attachments. This flaw allows an attacker to crash the frontend by sending crafted malicious input.
B&R Automation Runtime and mapp View SSL/TLS Vulnerability Allowing Service Masquerading
A vulnerability has been identified in the SSL/TLS component of B&R Automation Runtime and B&R mapp View, both in versions prior to 6.1. This vulnerability involves the use of a broken or risky cryptographic algorithm, which can be exploited by unauthenticated, network-based attackers to impersonate services on affected devices. The flaw arises because these applications generate self-signed certificates during the boot process, using an algorithm that is no longer considered secure. This mechanism is intended for testing purposes only, not for production environments.
WordPress Poll Maker Plugin Broken Access Control Vulnerability
A broken access control vulnerability has been identified in the WordPress Poll Maker plugin, specifically in versions through 5.5.6. This vulnerability arises from missing authorization checks, allowing unprivileged users to perform actions reserved for higher privileges.
Observium CE Cross-Site Scripting Vulnerability in Alert Check Function
A cross-site scripting vulnerability has been identified in Observium CE version 24.4.13528, specifically within the add_alert_check page. This vulnerability allows for the execution of arbitrary JavaScript code through a specially crafted HTTP request. To exploit this issue, an authenticated user must click on a malicious link provided by an attacker.
Observium HTML Code Injection Vulnerability in VLAN Management
An HTML code injection vulnerability has been identified in the VLAN management section of Observium Community Edition (CE) version 24.4.13528. This vulnerability allows an authenticated user to inject arbitrary HTML code by clicking on a malicious link. The injection is achieved through a specially crafted HTTP request that exploits the VLAN functionality by manipulating the 'vlan_id' parameter.
Observium Weather Map Editor Cross-Site Scripting Vulnerability
A cross-site scripting (XSS) vulnerability has been identified in the weather map editor of Observium CE version 24.4.13528. This vulnerability allows authenticated users to execute arbitrary JavaScript by clicking on a malicious link. The issue arises from improper input handling in the 'mapname' variable, which can be exploited by sending a crafted HTTP request.
Rsync Heap-Based Buffer Overflow Vulnerability Allowing Arbitrary Code Execution
A heap-based buffer overflow vulnerability has been identified in the Rsync daemon, specifically in versions 3.2.7 and 3.3.0. This vulnerability arises from improper handling of attacker-controlled checksum lengths, which can lead to out-of-bounds writes in the checksum buffer. When the maximum digest length exceeds a fixed limit of 16 bytes, an attacker can exploit this flaw to overwrite memory, potentially leading to arbitrary code execution.
CyberPower PowerPanel Business Denial-of-Service Vulnerability via Unauthenticated Restart of ppbd.exe
A denial-of-service vulnerability has been identified in CyberPower PowerPanel Business (PPB) versions through 4.11.0. The issue allows an unauthenticated remote attacker to disrupt the application by repeatedly restarting the ppbd.exe process. This is achieved through the PowerPanel Business Service Watchdog, which listens on TCP port 2003.
Linux Kernel BIG TCP IPv6 Extension Header Offload Vulnerability
A vulnerability in the Linux kernel's handling of BIG TCP packets over IPv6 has been addressed. The issue arose because the kernel disabled hardware offload for IPv6 packets with extension headers on devices that support IPv6 checksum offload. This change led to warnings about bad offload for BIG TCP packets, which use an extension header to indicate packet length. The vulnerability specifically affected devices with BIG TCP and TCP Segmentation Offload (TSO) enabled, where the extension header is present for packet capture but not transmitted over the network.
OpenVPN OVPN-DCO for Windows NULL Pointer Dereference Vulnerability Leading to System Halt
A vulnerability in OpenVPN OVPN-DCO for Windows, specifically in version 1.1.1, allows an unprivileged local attacker to send I/O control messages with invalid data to the driver. This action causes a NULL pointer dereference, which ultimately leads to a system crash.
Linux Kernel SO_REUSEPORT Restriction Vulnerability in Crypto Sockets
A vulnerability in the Linux kernel's handling of the SO_REUSEPORT socket option has been addressed. The issue allowed crypto sockets to be inadvertently destroyed by a Read-Copy-Update (RCU) callback, as identified by the automated testing tool syzbot. This problem arose because acquiring a mutex within an RCU callback is prohibited. The vulnerability has been resolved by limiting the SO_REUSEPORT option to Internet sockets only. The initial patch version supported TCP, UDP, and SCTP sockets, but the functional test script required support for RAW and ICMP.
Linux Kernel VLAN TCI Handling Vulnerability in af_packet Component
A vulnerability in the Linux kernel's af_packet component has been addressed, which involved improper handling of VLAN TCI (Traffic Class Identifier) in the 'vlan_get_tci()' function. The original issue, identified by syzbot, was related to the 'MSG_PEEK' flag, which was overlooked in a previous fix. This oversight could lead to a kernel crash. The vulnerability arose because the 'vlan_get_tci()' function modified the socket buffer (skb) in a way that was not thread-safe, allowing potential crashes when accessed by multiple CPUs simultaneously. The issue was resolved by reworking the function to avoid altering the skb, thereby ensuring safe concurrent usage.
Linux Kernel VLAN Protocol Handling Vulnerability in af_packet Component
A vulnerability in the Linux kernel's af_packet component has been addressed. The issue arose in the 'vlan_get_protocol_dgram()' function, which improperly handled the 'MSG_PEEK' flag. This oversight could lead to a kernel crash, as reported by syzbot on kernel build 6.13.0-rc4-syzkaller-00054-gd6ef8b40d075; the commit that introduced the flawed function neglected to account for 'MSG_PEEK', allowing a crash to occur. The vulnerability was rooted in the function's manipulation of the socket buffer (skb), which could disrupt processing when accessed by multiple CPUs simultaneously. The issue triggered a kernel bug, indicating an invalid opcode, and was accompanied by a stack trace showing the error's origin in the 'net/core/skbuff.c' file.
Linux Kernel ILA Netfilter Hook Race Condition Vulnerability Allowing Use-After-Free
A race condition vulnerability has been identified in the Linux kernel's Inline Local Address (ILA) handling, specifically within the netfilter framework. This vulnerability allows for a use-after-free condition, which can be exploited by concurrent ILA_CMD_ADD commands. The issue arises because calls to nf_register_net_hooks() are not properly serialized, leading to potential memory corruption.
Linux Kernel mac80211 Bit Corruption Vulnerability on 32-Bit Systems
A vulnerability in the Linux kernel's mac80211 component can lead to incorrect handling of bit flags on 32-bit systems. This issue arises because the unsigned long data type is 4 bytes, while a u64 is 8 bytes. The vulnerability occurs when the code improperly searches for bits in a 32-bit variable that should be 64 bits, causing errors in bit detection. The problem has been addressed by ensuring that the size of the bits variable is correctly aligned with the architecture.
Linux Kernel Link ID Management Vulnerability in cfg80211 Wi-Fi Subsystem
A vulnerability in the Linux kernel's Wi-Fi management component, cfg80211, has been addressed. The issue arose during the process of deleting a link, where the link ID was prematurely removed from the valid_links bitmap before necessary clean-up tasks were completed. This premature removal caused a warning to be triggered, as certain functions, like cfg80211_cac_event(), require the link ID to remain in the bitmap during the deletion process. The vulnerability has been resolved by adjusting the sequence of operations, ensuring the link ID is cleared from the bitmap only after all clean-up activities are finished.
Linux Kernel DMA Direction Vulnerability in AMD KFD Migration
A vulnerability in the Linux kernel's DMA mapping for AMD's Kernel Fusion Driver (KFD) migration has been addressed. The issue arose because the DMA migration direction was not aligned with the unmap direction, leading to warnings from the DMA core. This misalignment could cause improper synchronization during migration operations, potentially affecting performance. The vulnerability has been resolved by setting the DMA map direction to bidirectional, ensuring proper synchronization and alignment.
Linux Kernel Btrfs Use-After-Free Vulnerability During Unmount Process
A use-after-free vulnerability has been identified in the Linux kernel's Btrfs file system. This issue arises during the unmount process, specifically when the cleaner kernel thread is stopped before all work queues are cleared. As a result, a worker from the delalloc_workers queue may still be active, attempting to wake up the already-destroyed cleaner thread. This leads to a use-after-free condition on the task_struct associated with the cleaner thread.
Linux Kernel ksmbd Attribute Handling Vulnerability
A vulnerability in the Linux kernel's ksmbd component has been addressed. The issue arose because ksmbd was setting access time and modification time attributes without also updating the change time attribute, leading to a warning. The vulnerability was related to improper attribute management in the file system.
Linux Kernel ALSA Sequencer OSS Layer SysEx Message Handling Race Condition Vulnerability
A race condition vulnerability has been identified in the Linux kernel's Advanced Linux Sound Architecture (ALSA) sequencer OSS layer. This issue arises when the OSS sequencer processes SysEx messages that are divided into 6-byte packets. The OSS layer attempts to reassemble these packets, but the current implementation allows for concurrent access to the internal buffer, leading to potential out-of-bounds memory access. To address this issue, a mutex has been introduced to serialize the processing of SysEx message packets.
Linux Kernel OCFS2 Slab-Use-After-Free Vulnerability in Quota Management
A slab-use-after-free vulnerability has been identified in the Linux kernel's OCFS2 file system. This issue arises when OCFS2 is mounted and then remounted as read-only. During the remount, the dqi_priv pointer is freed but not set to NULL, leaving a dangling pointer that a subsequent quota_getnextquota syscall dereferences, resulting in access to freed memory. Additionally, the read-only remounting applies the DQUOT_SUSPENDED flag instead of the DQUOT_USAGE_ENABLED flag, causing further complications in quota management.
Linux Kernel IRQ Restoration Vulnerability in Sched_ext Component
A vulnerability in the Linux kernel's sched_ext component has been addressed. The issue arose from an improper interrupt request (IRQ) restoration in the 'scx_ops_bypass()' function. When implementing additional outer IRQ save/restore locking, the change inadvertently left an inner 'rq_unlock_irqrestore()' unconverted. This oversight could have prematurely re-enabled IRQs, triggering a warning about the raw_local_irq_restore() being called with IRQs already enabled. The warning indicated a potential race condition that could be exploited.
Linux Kernel RDMA/uverbs Integer Overflow Vulnerability
An integer overflow vulnerability has been identified in the Linux kernel's RDMA/uverbs component. This issue arises from user-supplied values in the 'cmd.wqe_size' and 'cmd.wr_count' variables, where their multiplication can lead to integer wrapping. The resulting value is then passed to 'uverbs_request_next_ptr()', which could also be susceptible to wrapping. Additionally, on 32-bit systems, the multiplication of 'cmd.sge_count' and 'sizeof(struct ib_uverbs_sge)' can overflow, although this is not a concern on 64-bit systems.
Linux Kernel MCP23S08 Pinctrl Driver Sleeping in Atomic Context Vulnerability
A vulnerability in the Linux kernel's pinctrl MCP23S08 driver can lead to sleeping functions being called from an invalid context, causing potential disruptions in IRQ handling for devices using MCP23xxx IO expanders. This issue arises because the driver’s regmap locking mechanism, which employs a mutex to prevent concurrent access, conflicts with the IRQ setup process that requires locking a spinlock. The vulnerability has been addressed by modifying the regmap configuration to disable internal locking and by adding appropriate synchronization in the driver's pin configuration functions.
Linux Kernel Workqueue Warning Cancellation Vulnerability
A vulnerability in the Linux kernel's workqueue management has been addressed. The issue arose after a previous commit marked certain work queues as memory reclaim safe. This led to warnings when cancelling work from contexts not considered memory reclaim safe, even when it was safe to do so. The vulnerability could cause unnecessary warnings and potential confusion in the workqueue management process.
Linux Kernel DRM Subsystem Use-After-Free Vulnerability in ADV7511 Driver
A use-after-free vulnerability has been identified in the Linux kernel's DRM subsystem, specifically within the ADV7511 driver. The issue arises in the 'adv7533_attach_dsi()' function, which improperly uses a pointer that has already been freed. This vulnerability was introduced when the 'host_node' pointer was assigned and then released in the 'adv7533_parse_dt()' function. The problem is resolved by removing the 'of_node_put()' call in 'adv7533_parse_dt()' and instead placing it in the error handling path of the 'probe()' function and the 'remove()' function.
Linux Kernel DAMON Memory Leak Vulnerability
A memory leak vulnerability has been identified in the Linux kernel's DAMON (Data Access Monitoring) subsystem, specifically within the sysfs interface. The issue arises from two bugs in the functions 'damon_commit_targets()' and 'damon_commit_schemes()', which are called by 'damon_commit_ctx()'. These bugs can lead to the leakage of memory objects and the ignoring of some user inputs. The vulnerability affects only users of the DAMON sysfs interface, while other DAMON core API user modules, such as DAMON_RECLAIM and DAMON_LRU_SORT, are not impacted.
Linux Kernel Sleeping Function Called from Invalid Context Vulnerability in Kmemleak
A vulnerability in the Linux kernel's kmemleak subsystem can lead to a warning about sleeping functions being called from an invalid context. This issue occurs under specific conditions: when the kernel is configured with real-time preemption, SELinux is active, kptr_restrict is set to 1, and the kmemleak buffer contains at least one item. The vulnerability arises because the kmemleak sequence reading function attempts to access certain capabilities, which can trigger the 'sleeping function called from invalid context' warning, particularly in real-time preemptive kernels.
Linux Kernel Memory Management Vulnerability Leading to Denial-of-Service
A vulnerability in the Linux kernel's memory management system can cause a denial-of-service condition by creating an infinite loop in the 'throttle_direct_reclaim()' function. This issue arises when the 'allow_direct_reclaim(pgdat)' function consistently returns false, causing the system to improperly manage memory zones, particularly under pressure. The problem is exacerbated in systems without swap space, leading to incorrect assessments of memory availability and zone balance. As a result, the kernel can become unresponsive, with tasks stuck in the reclaim process.
Linux Kernel Hugetlb PMD Page Table Refcount Vulnerability
A vulnerability in the Linux kernel's handling of hugetlb memory can lead to a page table leak. The issue arises because the folio reference count may be unexpectedly increased by functions like split_huge_pages. This incorrect refcounting can cause the page table to be improperly managed, leading to a 'Bad page state' error. The vulnerability is present in version 6.13.0-rc2 and may be triggered by various processes that increase the reference count of the page table.
Linux Kernel MPTCP TCP Options Overflow Vulnerability
A vulnerability in the Linux kernel's Multipath TCP (MPTCP) implementation has been identified, which can lead to data stream corruption. This issue arises from a bug in the computation of MPTCP option lengths, particularly with the ADD_ADDR option, which can interfere with the previously established DSS option. The vulnerability was reported by Syzbot, highlighting a general protection fault related to non-canonical addresses, indicating a null pointer dereference. The flaw allows for improper handling of TCP options, potentially leading to a privilege escalation.
Linux Kernel RDMA/SIW Slab Use-After-Free Vulnerability
A use-after-free vulnerability in the Linux kernel's RDMA/SIW component has been addressed. The issue arose from a poorly managed direct link to net_device, which caused a 'KASAN: slab-use-after-free' exception during the siw_query_port() call. The vulnerability has been resolved by removing the direct link and relying on the net_device management of associated ib_devices, thereby eliminating redundant local management.
Linux Kernel Page Fault Vulnerability in DRM/XE Component
A vulnerability in the Linux kernel's DRM/XE component can lead to a page fault when userspace closes a file descriptor (fd) after unbinding the device. This issue occurs because the driver attempts to access the hardware while the fd is still open, causing a supervisor read access page fault in kernel mode. The vulnerability has been addressed by ensuring the driver properly manages device access during the fd closure process.
Linux Kernel Memory Leak Vulnerability in TCP Connection Request Handling
A memory leak vulnerability has been identified in the Linux kernel's TCP connection request processing. When the function 'inet_csk_reqsk_queue_hash_add()' fails, the 'tcp_conn_request()' function exits without releasing the destination memory allocated during the routing request. This oversight leads to unreferenced memory objects, causing a memory leak. The vulnerability was discovered through the kernel memory leak detector, kmemleak.
Linux Kernel Buffer Length Validation Vulnerability in Netrom Component
A vulnerability exists in the Linux kernel's Netrom implementation, specifically within the AX.25 protocol handling. The issue arises from the Netrom route management not properly validating the size of the received buffer before processing it. This oversight can lead to the use of uninitialized data, potentially causing unpredictable behavior or information leakage. The vulnerability was identified by the Linux Verification Center using Syzkaller, a fuzzing tool that discovered the issue while sending raw messages through the IEEE 802.15.4 implementation.
Linux Kernel Net/Mlx5e Use-After-Free Vulnerability in Vport Rep Handling
A use-after-free vulnerability has been identified in the Linux kernel's net/mlx5e component. This issue arises during the driver unload process when unregister_netdev is called after the vport rep has been unloaded. As a result, the mlx5e_rep_priv structure is already freed, and subsequent attempts to access rpriv->netdev or traverse rpriv->tc_ht cause the use-after-free condition. The vulnerability has been addressed by adding checks to ensure that the data of the vport rep is only accessed when it is still loaded.
Linux Kernel RDMA/rxe Slab-Use-After-Free Vulnerability
A slab-use-after-free vulnerability has been identified in the Linux kernel's RDMA/rxe component. This issue arises when a net device is freed while an asynchronous work event is still queued to access it, leading to a use-after-free condition. The vulnerability was discovered during the execution of a workqueue task that processed a cached event for an Infiniband device, after the associated net device had already been unregistered and freed. This flaw allows for memory corruption, which could potentially be exploited to execute arbitrary code or cause a denial-of-service condition.
Linux Kernel Unaligned Atomic Read Vulnerability in Netfilter NFT Hash Set
A vulnerability in the Linux kernel's netfilter component allows for an unaligned atomic read on the 'genmask' field of the 'nft_set_ext' structure. This misalignment can lead to a kernel paging request error, causing a memory access fault. The issue arises from the 'nft_set_ext' structure not being properly aligned to the word size, which is necessary for atomic operations. As a result, accessing certain fields can trigger alignment faults, disrupting normal kernel operations.
Linux Kernel NVMe Subsystem NQN Buffer Overflow Vulnerability
A vulnerability in the Linux kernel's NVMe subsystem has been addressed. The issue arose in the 'nvmet_root_discovery_nqn_store' function, which improperly handled the 'subsysnqn' string as a fixed-size buffer. This oversight allowed for a buffer overflow, as the string is dynamically allocated. The vulnerability has been resolved by creating a new string using 'kstrndup', ensuring proper memory management.
Linux Kernel Command Timeout Vulnerability in t7xx WWAN Driver
A vulnerability in the Linux kernel's WWAN t7xx driver has been addressed, concerning a command timeout issue in the finite state machine (FSM) processing. The driver handles internal state change commands using an asynchronous thread. If the main thread detects a timeout, the asynchronous thread may cause a panic by attempting to execute a completion notification, since the main thread's completion object has already been released. This issue leads to a page fault error, as the system is unable to handle the fault for a specific address, causing a kernel panic.
Linux Kernel RDMA/rtrs NULL Pointer Dereference Vulnerability
A vulnerability in the Linux kernel's RDMA/rtrs component could lead to a NULL pointer dereference. This issue arises because the 'ib_sge list' variable was declared within the 'always_invalidate' block, restricting its accessibility. The vulnerability has been addressed by moving the declaration outside the block, ensuring the variable is available for use throughout the function.
Elementor Addon Elements WordPress Plugin Sensitive Information Exposure Vulnerability
A vulnerability allowing sensitive information exposure has been identified in the Elementor Addon Elements plugin for WordPress, affecting all versions through 1.13.10. The issue arises in the 'render' function of the modal-popup widget, where authenticated attackers with Contributor-level access or higher can access private, pending, scheduled, and draft template data.
FreeIPA API Audit Credential Leak Vulnerability
A vulnerability exists in the FreeIPA API audit process, where the complete FreeIPA command line is sent to journalctl. This behavior unintentionally exposes administrative user credentials, including passwords, to the journal database during the FreeIPA installation. In scenarios where journal logs are centralized, this could lead to unauthorized access to FreeIPA administrator credentials.
PDF for WPForms Stored Cross-Site Scripting Vulnerability
A stored cross-site scripting vulnerability has been identified in the PDF for WPForms + Drag and Drop Template Builder plugin for WordPress, affecting all versions through 4.6.0. The vulnerability arises from inadequate input sanitization and output escaping on user-supplied attributes, particularly within the yeepdf_dotab shortcode. This flaw allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages, which are executed when users access the affected pages.
NitroPack WordPress Plugin Missing Authorization Vulnerability in Transient Update
A vulnerability exists in the NitroPack plugin for WordPress, allowing authenticated attackers with subscriber access or higher to update arbitrary transients. This issue arises from a missing capability check in the nitropack_rml_notification function, present in all versions through 1.17.0. The vulnerability is limited to updating transients with integer values.
NitroPack WordPress Plugin Missing Authorization Vulnerability in AJAX Action
A vulnerability exists in the NitroPack plugin for WordPress, in all versions through 1.17.0, allowing unauthorized data modification. This issue arises from a missing capability check on the 'nitropack_dismiss_notice_forever' AJAX action. Authenticated attackers with subscriber-level access or higher can exploit this vulnerability to change arbitrary options to a fixed value of '1'. This could activate certain features, such as user registration, or alter options in a way that causes a denial-of-service condition.
Google Chrome Compositing UI Spoofing Vulnerability
A UI spoofing vulnerability has been identified in Google Chrome versions prior to 132.0.6834.83. This issue arises from an inappropriate implementation in the Compositing component, which allows remote attackers to create crafted HTML pages that manipulate the user interface in misleading ways.