CVE Catalog

A vulnerability exists in all versions of Cloud Foundry Diego Release prior to v56.0.0, specifically within the SMB volume handling of the smb-volume-release component, all versions prior to v3.60.0. This vulnerability allows low-privileged Cloud Foundry space developers to bypass input validation on CIFS mount options, injecting arbitrary options that could lead to privilege escalation and security control bypass on multi-tenant Diego cells. The issue arises from the SMB mount-option validation logic, where crafted mount options can evade the intended allowlist, which is meant to separate harmless SMB configurations from risky root filesystem operations on shared infrastructure.

A denial-of-service vulnerability has been identified in Spring Cloud Function, where an unbounded cache for function definitions can lead to an out-of-memory error. This issue arises when an excessive number of functions are added to the Function Registry. The vulnerability affects multiple Spring Cloud Function versions, including 3.2.x prior to 3.2.16, 4.1.x prior to 4.1.10, 4.2.x prior to 4.2.6, 4.3.x prior to 4.3.3, and 5.0.x prior to 5.0.2, as well as older, unsupported versions.

A denial-of-service vulnerability has been identified in VMware Spring Cloud Function. Under certain conditions, infinite recursion in the routing layer can lead to out-of-memory errors. This issue affects Spring Cloud Function versions 3.2.x prior to 3.2.16, 4.1.x prior to 4.1.10, 4.2.x prior to 4.2.6, 4.3.x prior to 4.3.3, 5.0.x prior to 5.0.2, and older, unsupported versions.

A vulnerability in FlexRIC version 2.0.0 allows remote unauthenticated attackers to impersonate xApps by exploiting the unverified xapp_id field in E42 message payloads. The issue arises because the validation function only ensures that the xapp_id is within a designated range, without confirming its association with the sender's SCTP connection. This flaw can lead to misrouted responses, causing disruptions that may crash the targeted xApp, the near-RT RIC, or the iApp through inconsistencies in the red-black tree data structure.

An authorization bypass vulnerability has been identified in FlexRIC version 2.0.0, specifically within the iApp's xApp isolation mechanism. The issue arises in the equality function eq_xapp_ric_gen_id(), located in src/ric/iApp/xapp_ric_id.c. This function incorrectly compares one xApp ID against itself, rather than against the ID of another xApp, thereby neglecting the xApp identity dimension. As a result, a malicious xApp connected to the iApp can delete subscriptions of other xApps by sending a deletion request with a matching subscription ID. This vulnerability disrupts multi-tenant isolation in environments where multiple xApps share the same RIC.

A divide-by-zero vulnerability has been identified in OpenAirInterface5G version 2.4.0, specifically within the 'nr-softmodem' component that integrates with the FlexRIC E2 Agent. The issue arises in the E2SM-KPM RAN Function's calculation of Physical Resource Block (PRB) utilization metrics. The vulnerability occurs in the 'fill_RRU_PrbTotDl()' and 'fill_RRU_PrbTotUl()' functions, where PRB usage percentages are computed by dividing the total PRB aggregate samples from two consecutive intervals. This calculation fails to verify if the divisor is zero. When a malicious xApp transmits a large volume of 'E42_RIC_SUBSCRIPTION_REQUEST' messages through the FlexRIC iApp, the E2 Agent responds by generating KPM Indication reports at a high frequency. If two successive sampling intervals have the same PRB aggregate values, the division by zero triggers a SIGFPE signal, causing the 'nr-softmodem' process to crash. This failure disrupts 5G cell service for all connected User Equipments (UEs). Notably, no authentication is required to exploit this vulnerability.

A vulnerability in EURECOM FlexRIC version 2.0.0 allows for a denial-of-service condition by causing the iApp to crash when registering duplicate xapp_ids. This issue arises because the application uses a 16-bit counter for xapp_id assignments, which wraps around after approximately 65,530 requests. The wrapped value is then stored in a 32-bit message field, leading to duplicates. A remote attacker can exploit this by repeatedly sending xApp registration requests, causing the iApp to crash when it encounters a duplicate ID.

A NULL pointer dereference vulnerability has been identified in EURECOM FlexRIC version 2.0.0. This issue occurs in the near-RT RIC when it receives a RIC_INDICATION message containing a ran_func_id that is not registered in its service model registry. The absence of a valid ran_func_id leads to a NULL pointer dereference, causing a crash. In Debug builds, this triggers an assertion failure (SIGABRT), while in Release builds, it results in a segmentation fault (SIGSEGV). A remote, unauthenticated attacker can exploit this vulnerability by sending a crafted RIC_INDICATION with an arbitrary ran_func_id value over SCTP to port 36421.

A reachable assertion vulnerability has been identified in EURECOM FlexRIC version 2.0.0. This vulnerability occurs in the E2AP message decoding process when the ASN.1 Packed Encoding Rules (PER) decoding fails. A remote, unauthenticated attacker can exploit this issue by sending any non-PER byte sequence, such as a single byte with the value 0x00, over the Stream Control Transmission Protocol (SCTP) to the near-RT RIC on port 36421 or to the iApp on port 36422. The vulnerability leads to a process crash via a SIGABRT signal. All three E2AP protocol versions (v1.01, v2.03, v3.01) are affected.

A reachable assertion vulnerability has been identified in FlexRIC version 2.0.0. The issue arises in the function 'e2ap_recv_sctp_msg()' within the file 'src/lib/ep/e2ap_ep.c'. This function allocates a fixed receive buffer of 32KB and asserts that the return value from 'sctp_recvmsg()' is less than the buffer length. A remote, unauthenticated attacker can exploit this vulnerability by sending an SCTP message with a payload of 32,768 bytes or more, causing the near-RT RIC, iApp, E2 Agent, or xApp process to crash by triggering a SIGABRT signal. The payload does not need to be a valid E2AP PDU. All four types of SCTP endpoints (ports 36421 and 36422) are affected. In release builds, the absence of the assertion due to optimization allows for a signed-to-unsigned integer overflow, potentially leading to out-of-bounds reads.

A NULL pointer dereference vulnerability has been identified in EURECOM FlexRIC version 2.0.0. When the iApp receives an E42_RIC_SUBSCRIPTION_REQUEST that references a non-existent E2 node, the lookup function fails and returns NULL. This failure is handled by an assertion in Debug builds, causing the process to abort, while in Release builds, the NULL pointer is dereferenced, leading to a segmentation fault. As a result, the iApp process can be crashed by sending a subscription request with an arbitrary global_e2_node_id to the iApp's SCTP port 36422.

A vulnerability in Capsule, a multi-tenancy framework for Kubernetes, allows namespace hijacking through unvalidated update requests via the namespace/status and namespace/finalize subresource APIs. Prior to version 0.13.0, Capsule's webhook validation did not cover these subresources, enabling tenant administrators with the right permissions to modify namespace metadata and hijack namespaces. This issue has been addressed in version 0.13.0.

A vulnerability allowing Insecure Direct Object Reference (IDOR) has been identified in Kiteworks Secure Data Forms versions prior to 9.3.0. This vulnerability allows authenticated attackers to manipulate the internal approval flow configurations of forms belonging to other users, due to inadequate authorization checks on resource ownership.

A vulnerability in Capsule, a multi-tenancy framework for Kubernetes, allows tenant administrators to exploit the Capsule Controller's cluster-admin privileges to create cluster-scoped resources. This issue, present in Capsule versions through 0.12.4, enables cross-tenant privilege escalation and cluster-level attacks. The vulnerability arises because the TenantResource processing logic attempts to set the namespace for resources, but this is ignored for cluster-scoped items. As a result, tenant administrators can indirectly create resources like ClusterRoles and ValidatingWebhookConfigurations, which they are normally prohibited from creating, and use these resources to launch attacks across the cluster.

A vulnerability exists in Bottelet DaybydayCRM versions prior to 2.2.1, where an unknown function in the Settings Handler component lacks proper authentication. This flaw allows for remote exploitation, as it enables unauthorized users to manipulate settings. Specifically, any authenticated employee can change critical company settings such as currency, VAT rates, and invoice numbering. Additionally, the absence of authorization checks on delete operations across various resource types allows users to delete clients, tasks, leads, projects, and more without permission.

A vulnerability allowing improper authorization has been identified in Bottelet DaybydayCRM versions prior to 2.2.1. The issue resides in the DocumentsController, where the view and download functions for documents lack proper ownership checks. This flaw enables any authenticated user to access documents belonging to other users by exploiting the external_id reference. Additionally, similar authorization checks are missing in the updateAssign methods of the Tasks, Projects, and Leads controllers, creating further authorization gaps.

A vulnerability exists in Enderfga Claw-Orchestrator versions prior to 3.5.6, specifically within the embedded server component of the API endpoint. The issue arises because the server does not require authentication by default, allowing unauthorized access to critical functions. This vulnerability can be exploited remotely if the server is configured to accept external connections.

A server-side request forgery (SSRF) vulnerability has been identified in Horizon921 MCPilot version 0.1.0. The issue arises in the MCP API Call Endpoint, specifically within the file client/src/app/api/mcp/call/route.ts. The vulnerability allows remote attackers to manipulate the serverBaseUrl argument, leading to unauthorized requests being sent to internal or local services.

A command injection vulnerability exists in Wezterm-MCP version 0.1.0. The issue arises in the 'switch_pane' and 'write_to_specific_pane' functions within 'src/wezterm_executor.ts'. The vulnerability allows remote execution of arbitrary OS commands by manipulating the 'pane_id' argument. Although the tool schema specifies that 'pane_id' should be a number, this requirement is not enforced at runtime. Instead, the application passes the argument to shell command strings executed via 'child_process.exec', creating an opportunity for command injection.

A path traversal vulnerability has been identified in Ishayoyo's Excel-MCP tool, specifically in versions up to 1.0.2. The issue arises in the file 'src/index.ts' within the 'read_file/write_file' component. The vulnerability allows for arbitrary file read and write operations by manipulating file path arguments. This exploitation can be performed remotely. The vulnerability has been publicly disclosed, and the project maintainers have not yet responded to reports about this issue.

A vulnerability exists in j3k0 mcp-google-workspace versions through 831790e7d5c2663325733d9f5579cc339a267c4c. The issue is in the Gmail tool's attachment saving function, which fails to properly validate user-supplied file paths. This flaw allows an attacker to write attachment content to arbitrary locations on the server where the process has write permissions. The vulnerability can be exploited remotely, and the published exploit takes advantage of this flaw by sending a crafted request that includes a path to a file on the victim's system.

A vulnerability has been identified in the Input Method Manager Service of Android XR, specifically in the addInputMethodListener function. This vulnerability arises from a missing permission check, which could allow unauthorized access to input text without the necessary permissions. The issue could lead to local privilege escalation, and can be exploited without any additional execution privileges or user interaction.

A command injection vulnerability has been identified in the launch-editor package, specifically in versions through 2.8.2. The issue arises from inadequate sanitization of the file argument in the launchEditor function, allowing attackers to execute arbitrary commands on Windows systems. This vulnerability can be exploited by supplying a filename that includes special characters. The problem has been addressed in launch-editor version 2.9.0, which is compatible with Vite version 5.4.9.

A vulnerability in Python's pip package manager allows console_scripts and gui_scripts to be treated as paths rather than filenames. This issue arises because pip does not properly sanitize the resolved absolute path to the installation directory. As a result, entry points can be installed outside the intended installation directory.

A vulnerability in the PCTCore64.sys Windows kernel driver from PC Tools Internet Security allows improper access control, enabling user-mode processes to interact with the PCTCoreDriver WDM device interface and execute privileged IOCTL handlers. This issue arises because the driver does not implement a secure access control policy, leaving the device interface exposed to unprivileged processes. As a result, a local attacker with the ability to load the affected driver can exploit this vulnerability to perform sensitive operations, such as accessing credentials from lsass.exe or terminating protected processes.

A vulnerability in the Linux kernel's CIFS (Common Internet File System) implementation allows userspace to create keys that bypass kernel-originating input checks. This is achieved by using the request_key or add_key system calls to inject authority-bearing fields, such as process ID, user ID, and upcall target, into the CIFS SPNEGO key descriptions. The CIFS upcall handler then processes these fields as if they originated from the kernel, potentially leading to unauthorized actions or access.

A vulnerability exists in Sulu, an open-source PHP content management system, prior to versions 2.6.23 and 3.0.6. The issue arises because the password reset token and API key generation processes utilize a weak cryptographic hash algorithm. This vulnerability has been addressed in the mentioned versions.

A vulnerability in Nextcloud Forms prior to version 5.2.6 allows users to access form submissions of other users due to a missing permissions check. This issue has been addressed in version 5.2.6.

A vulnerability in Nextcloud Talk prior to versions 21.1.10, 22.0.11, and 23.0.3 allows low-privileged users to mute the microphones of other users during calls, but only when the High-performance Backend is not installed. This issue has been addressed in the mentioned patched versions.

A vulnerability exists in the Nextcloud Team Folders (Groupfolders) application, affecting versions 17.0.0 prior to 17.0.15, 18.0.0 prior to 18.1.12, 19.0.0 prior to 19.1.16, 20.0.0 prior to 20.1.11, and 21.0.0 prior to 21.0.4. The issue allows users with READ and CREATE permissions, but without UPDATE permissions, to rename files in team folders. This bypass of rename restrictions is due to inadequate rule checking in the application's access control list (ACL) management.

A vulnerability exists in Nextcloud's End-to-End Encryption feature, specifically in versions 1.15.0 prior to 1.15.4, 1.16.0 prior to 1.16.3, 1.17.0 prior to 1.17.1, and 1.18.0 prior to 1.18.1. This issue allows a malicious user with access to an encrypted files drop link to inadvertently drop files into other encrypted folders belonging to the share owner. However, this vulnerability does not permit reading or modifying of other files.

A vulnerability exists in Nextcloud Server versions 32.0.0 prior to 32.0.9 and 33.0.0 prior to 33.0.3, as well as in Nextcloud Enterprise Server versions 26.0.0, 27.0.0, 28.0.0, 29.0.0, 30.0.0, 31.0.0, 32.0.0, and 33.0.0. When a malicious user has access to a file share, they can use the share token to access chunked uploads directly, revealing temporary part files of ongoing uploads.

A vulnerability exists in the User OIDC app for Nextcloud, specifically in versions 0.3.0 prior to 3.1.0, 5.0.0 prior to 5.1.0, and 6.0.0 prior to 6.4.0. The issue arises from a missing signature verification in the handling of OpenID Connect (OIDC) user authentication, which allows a malicious ID4me authority to impersonate any user. This vulnerability could lead to unauthorized identification and potentially allow for further exploitation within the application.

A vulnerability exists in the Nextcloud Server and Nextcloud Enterprise Server within specific version ranges, related to the Circles app. The issue arises from a missing access check at the API level, which allows the addition of unknown circles by their ID to other circles. Although the complexity of circle IDs makes this vulnerability difficult to exploit intentionally, there is a possibility of tracking memberships if an ID is obtained from another source. Users are advised to upgrade to the latest versions to address this vulnerability.

A vulnerability in Nextcloud Collectives versions 2.6.0 prior to 4.3.0 allows view-only guests to access deleted pages from the trashbin. This occurs when a collective is shared view-only and previous pages are deleted. The issue has been resolved in version 4.3.0.

A vulnerability in the Nextcloud Files app for Android, versions 33.0.0 prior to 33.1.0, allows users to bypass the app's PIN code lock. After unlocking a locked Android phone, the back button could be used to navigate past the PIN prompt, potentially exposing sensitive files or information.

A vulnerability exists in CloudPirates Open Source Helm Charts GitHub Actions workflows, specifically in 'generate-schema.yaml', prior to commit fcf9302. The issue arises from unsafe handling of credentials during the checkout process, which exposes sensitive information, including a Personal Access Token and an SSH signing key, to fork-controlled code. This vulnerability allows attackers to extract the token from Git credentials and access the SSH key, potentially leading to unauthorized actions such as pushing code, modifying workflows, or forging signed commits.

A vulnerability exists in CloudPirates Open Source Helm Charts within the GitHub Actions workflow 'pull-request.yaml'. Prior to commit fcf9302, this workflow executed code controlled by attackers from forked pull requests in a privileged context. This behavior exposed repository secrets, including Docker Hub credentials and tokens, without requiring approval from maintainers. The issue has been patched in commit fcf9302.

A vulnerability exists in Go Billy, a filesystem abstraction library, in versions prior to 5.9.0 and 6.0.0-alpha.1. Multiple components may mishandle crafted or malformed input, causing panics, infinite loops, uncontrolled recursion, or excessive resource consumption. These problems stem from inadequate validation and the absence of safety mechanisms like cycle detection, recursion limits, or defensive handling of unexpected states when dealing with untrusted repository data and filesystem structures.

A cross-origin WebSocket hijack vulnerability has been identified in Cline Kanban servers, specifically in versions prior to 2.13.0. This vulnerability allows any website visited by a developer to silently connect to the Kanban server's WebSocket endpoints without Origin header validation. As a result, sensitive data can be leaked in real-time, including workspace filesystem paths, task details, git branch information, and AI agent chat messages. Additionally, the vulnerability enables hijacking of active AI agent terminals by injecting prompts, leading to remote code execution. It also allows termination of running agent tasks via a control WebSocket.

A path traversal vulnerability has been identified in the WordPress Classified Listing plugin, specifically in versions through 5.3.8. This vulnerability allows for arbitrary file download, enabling attackers to download any file from the affected website, including sensitive files such as login credentials or backup files.

A DOM-based cross-site scripting vulnerability has been identified in the Liquid Web StellarWP GiveWP plugin, affecting versions through 4.14.5. This issue arises from improper input neutralization during web page generation, allowing malicious actors to inject and execute scripts on the affected site.

A broken access control vulnerability has been identified in the WP Document Revisions plugin by Ben Balter, affecting versions through 3.8.1. This vulnerability arises from missing authorization checks, which can be exploited by unprivileged users to perform actions reserved for higher privileges.

A stored cross-site scripting vulnerability has been identified in the myCred WordPress plugin, affecting versions through 3.0.4. This issue allows attackers to inject malicious scripts that are executed when users visit the affected site.

A broken access control vulnerability has been identified in the Themefic Hydra Booking WordPress plugin, affecting versions through 1.1.41. This vulnerability arises from missing authorization checks, which can be exploited by unprivileged users to perform actions reserved for higher privileges.

An authentication bypass vulnerability has been identified in the WordPress Advanced Access Manager plugin, specifically in versions through 7.1.0. This vulnerability allows for URL encoding to be used to bypass authentication mechanisms within the plugin.

A vulnerability allowing the exposure of sensitive information has been identified in the Logtivity WordPress plugin, specifically in the Activity Logs, User Activity Tracking, and Multisite Activity Log features. This issue affects versions through 3.3.6.

A blind SQL injection vulnerability has been identified in the WP Directory Kit WordPress plugin, affecting versions through 1.5.1. This vulnerability allows attackers to manipulate SQL queries, potentially leading to unauthorized data access or modification.

A broken access control vulnerability has been identified in the WordPress GeoDirectory plugin, affecting versions through 2.8.157. This vulnerability arises from missing authorization checks, allowing unprivileged users to perform actions reserved for higher privileges.

A vulnerability exists in European Space Agency (ESA) AnomalyMatch versions prior to 1.3.1, allowing attackers to execute arbitrary code by exploiting unsafe deserialization in the model checkpoint loader. The application loads model files from session directories using torch.load() with unrestricted deserialization, creating a risk when maliciously crafted checkpoint files are introduced into the workflow.