CVE Catalog

A stack-based buffer overflow vulnerability has been identified in the TRENDnet TEW-432BRP router, specifically in version 3.10B20. The issue arises in the 'formSetUrlFilter' function within the '/goform/formSetUrlFilter' file. The vulnerability allows for remote exploitation by manipulating the 'keyword_list' and 'keyword' arguments, leading to arbitrary code execution. This flaw exists in a product that has been end-of-life since 2009, and the vendor has stated that they are unable to replicate or fix any vulnerabilities for unsupported products.

A denial-of-service vulnerability has been identified in WinMTR version 0.91. This issue allows attackers to crash the application by sending a malformed payload file that contains a large buffer of repeated characters. The vulnerability is triggered when the application processes an input file with 238 bytes of data, leading to a buffer overflow condition that causes the application to crash.

An SQL injection vulnerability has been identified in Yot CMS version 3.3.1. This vulnerability allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious payloads into the aid and cid parameters. Exploitation of this vulnerability enables attackers to extract database information, including table and column names.

A SQL injection vulnerability has been identified in Gate Pass Management System version 2.1. This vulnerability allows unauthenticated attackers to bypass authentication by injecting SQL code into the login and password parameters. Exploitation involves sending crafted POST requests to the login-exec.php page with SQL injection payloads, enabling attackers to gain access to the application without valid credentials.

A SQL injection vulnerability has been identified in the MOGG Web Simulator Script, all versions. This vulnerability allows unauthenticated attackers to execute arbitrary SQL commands by injecting malicious payloads through the 'id' parameter. The exploitation of this vulnerability can lead to the extraction of sensitive database information, including usernames and other personal data. The issue arises in the 'play.php' file, where the application fails to properly sanitize user input before incorporating it into SQL queries.

A path traversal vulnerability has been identified in Open STA Manager version 2.3. This vulnerability allows authenticated users to download arbitrary files by manipulating the file parameter. By sending GET requests to modules/backup/actions.php with the operation set to 'getfile', attackers can traverse directories using '../' sequences to access sensitive system files.

A SQL injection vulnerability has been identified in AiOPMSD Final version 1.0.0. This vulnerability allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious payloads through the 'id' parameter. Exploitation involves sending crafted GET requests to watch.php, which can lead to the extraction of sensitive database information such as usernames, database names, and version details.

A SQL injection vulnerability has been identified in AiOPMSD Final version 1.0.0. This vulnerability allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious payloads through the genre parameter. Exploitation involves sending crafted GET requests to genre.php, which can lead to the extraction of sensitive database information such as usernames, database names, and version details.

A SQL injection vulnerability has been identified in AiOPMSD Final version 1.0.0. This vulnerability allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious payloads through the 'year' parameter. The issue arises in the 'year.php' file, where crafted SQL injections can be used to extract sensitive database information such as usernames, database names, and version details.

A SQL injection vulnerability has been identified in AiOPMSD Final version 1.0.0. This vulnerability allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious payloads through the 'quality' parameter. The issue is present in the 'quality.php' file, where crafted SQL injections can be used to extract sensitive database information such as usernames, database names, and version details.

A SQL injection vulnerability has been identified in AiOPMSD Final version 1.0.0. This vulnerability allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious payloads through the country parameter. The injection can be exploited by sending crafted GET requests to country.php, potentially leading to the extraction of sensitive database information such as usernames, database names, and version details.

A SQL injection vulnerability has been identified in AiOPMSD Final version 1.0.0. This vulnerability allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious payloads through the 'director' parameter. Exploitation involves sending crafted GET requests to 'director.php', which can lead to the extraction of sensitive database information such as usernames, database names, and version details.

A SQL injection vulnerability has been identified in AiOPMSD Final version 1.0.0. This vulnerability allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious payloads through the 'actor' parameter. Exploitation involves sending crafted GET requests to 'actor.php', which can lead to the extraction of sensitive database information such as usernames, database names, and version details.

A SQL injection vulnerability has been identified in AiOPMSD Final version 1.0.0. This vulnerability allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious payloads through the 'q' parameter. Exploitation involves sending crafted GET requests to search.php, which can lead to the extraction of sensitive database information such as usernames, database names, and version details.

An arbitrary file upload vulnerability has been identified in Delta SQL version 1.8.2. This vulnerability allows unauthenticated attackers to upload malicious files by sending POST requests with crafted multipart form data to docs_upload.php. The uploaded files, which can be PHP files containing arbitrary content, are saved in the upload directory where they can be executed on the server, leading to remote code execution.

A SQL injection vulnerability has been identified in MGB OpenSource Guestbook version 0.7.0.2. This vulnerability allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious payloads through the 'id' parameter in GET requests to email.php. Exploitation of this vulnerability could lead to the extraction of sensitive database information, including table and column names.

A SQL injection vulnerability has been identified in SIM-PKH version 2.4.1. This vulnerability allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code into the 'id' parameter. Exploitation involves sending GET requests to 'admin/media.php' with specific module and action parameters, including SQL UNION statements that can extract sensitive database information such as usernames and database details.

A vulnerability allowing arbitrary file upload has been identified in SIM-PKH version 2.4.1. This issue arises from the application's handling of file uploads through the 'fupload' parameter. Authenticated attackers can exploit this vulnerability by submitting PHP code disguised as a file via the 'aksi_pengurus.php' endpoint, using the 'module=pengurus' and 'act=update' parameters'. The uploaded PHP files are stored in the 'foto' directory, where they are executed as web scripts, potentially leading to unauthorized code execution on the server.

A path traversal vulnerability has been identified in the Open ISES Project version 3.30A, specifically within the ajax/download.php endpoint. This vulnerability allows unauthenticated attackers to download arbitrary files by manipulating the filename parameter. By inserting directory traversal sequences, attackers can access files outside the intended directory, including sensitive configuration and system files.

Multiple SQL injection vulnerabilities have been identified in eNdonesia Portal version 8.7. These vulnerabilities allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through various parameters in mod.php. The affected parameters include artid, cid, did, contid, and aboutid, across several modules such as publisher, diskusi, galeri, content, and about. Exploitation of these vulnerabilities could lead to unauthorized access to database information, including usernames, database names, and version details.

A SQL injection vulnerability has been identified in eNdonesia Portal version 8.7. This vulnerability allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through various parameters in mod.php. The affected parameters include artid, cid, did, contid, and aboutid, across multiple modules such as publisher, diskusi, galeri, content, and about. Exploitation of this vulnerability could lead to the extraction of sensitive database information, including credentials, usernames, and version details.

Multiple SQL injection vulnerabilities have been identified in eNdonesia Portal version 8.7. These vulnerabilities allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through several parameters in mod.php. The vulnerable parameters include artid, cid, did, contid, and aboutid. Exploitation of these vulnerabilities could lead to the extraction of sensitive database information such as usernames, database names, and version details.

A stack-based buffer overflow vulnerability has been identified in the TRENDnet TEW-432BRP router, specifically in version 3.10B20. The issue arises in the 'formSetFirewallRule' function within the '/goform/formSetFirewallRule' file. The vulnerability can be exploited remotely by manipulating the 'firewall_name' argument, leading to arbitrary code execution. This product has been end-of-life since 2009, and the vendor has stated that they are unable to replicate or fix any vulnerabilities for unsupported products.

A stack-based buffer overflow vulnerability has been identified in the TRENDnet TEW-432BRP router, specifically in version 3.10B20. The issue arises in the 'formSetMACFilter' function within the '/goform/formSetMACFilter' file. The vulnerability allows for remote exploitation, where an attacker can manipulate the 'filter_name' argument to cause a buffer overflow on the stack. This overflow can be exploited to execute arbitrary code. The vulnerability has been publicly disclosed, but the product is no longer supported by the vendor, who has stated that they are unable to replicate or fix any vulnerabilities for a product that has been end-of-life since 2009.

A use-after-free vulnerability has been identified in the Linux kernel's eventpoll implementation, specifically within the epoll removal process. This issue arises when the ep_remove function clears the eventpoll file reference under a file lock but continues to use the file reference within the critical section. This creates a window where a concurrent __fput() operation can observe a null reference, bypass the proper cleanup, and free the associated eventpoll structure. The vulnerability is exacerbated by the fact that the file structure can be recycled while the ep_remove function is still executing, leading to an attacker-controlled memory corruption scenario.

A denial-of-service vulnerability has been identified in Open5GS versions through 2.7.7. The issue arises in the shared HTTP/2 server used by various Service-Based Interface (SBI) network functions. When a client sends a large number of incomplete HTTP/2 requests, the server exhausts its allocation pools for stream and request management. This leads to a failure in handling incoming request headers, causing the associated network function to crash. The vulnerability can be exploited remotely, and the published exploit demonstrates this impact across all tested Open5GS SBI network functions.

A denial-of-service vulnerability has been identified in Open5GS versions prior to 2.7.7. The issue arises in the UE authentication endpoint, specifically within the function 'ogs_sbi_xact_add' in the file '/lib/core/ogs-timer.c'. The vulnerability can be exploited remotely, leading to a crash of the Authentication Server Function (AUSF) by exhausting the timer pool. This exploitation causes the AUSF to fail its authentication handling, resulting in a server crash.

A denial-of-service vulnerability has been identified in Open5GS versions through 2.7.7. The issue arises in the shared NF-profile parser within the library 'lib/sbi/nnrf-handler.c'. When the 'dnnSmfInfoList' contains more entries than the parser can handle, it triggers an assertion failure, causing a crash. This vulnerability can be exploited remotely, leading to a process termination.

An out-of-bounds write vulnerability has been identified in Open5GS versions prior to 2.7.7. The issue arises in the shared NF-profile parser within the function handle_scp_info, located in lib/sbi/nnrf-handler.c. This vulnerability allows for remote memory corruption, leading to a segmentation fault and potential stack-smashing termination of the process.

A remote code execution vulnerability exists in the Spectra Gutenberg Blocks plugin for WordPress, affecting all versions up to and including 2.19.25. This vulnerability allows authenticated attackers with Contributor-level access and above to execute arbitrary code on the server. Exploitation involves embedding a two-block payload in post content. The first block registers a fake block type with an attacker-specified render callback, while the second block triggers the callback during block rendering on the same page request.

A vulnerability allowing authenticated (Subscriber+) account takeover has been identified in the Simple History WordPress plugin, in versions through 5.26.0. The issue arises in the event reaction endpoints, which lack proper authorization checks. This flaw enables a Subscriber-level user to exploit the endpoints, access sensitive information, and ultimately take over an administrator's account.

A denial-of-service vulnerability has been identified in Open5GS versions through 2.7.7. The issue arises in the shared NF-profile parser within the file lib/sbi/nnrf-handler.c. When the 'tacRangeList' contains more entries than the parser can handle, it causes an assertion failure, leading to a crash. This vulnerability can be exploited remotely, and the crash occurs in the Network Function (NF) Repository Function (NRF), but the affected parser is used by multiple network functions.

A vulnerability in the SocketCAN implementation of Zephyr RTOS versions through 4.3 allows for out-of-bounds read operations, potentially leading to denial-of-service crashes or memory leaks. The issue arises because user-provided buffer lengths are only validated with an assertion that can be disabled in production builds. This allows applications to send incomplete or truncated frames, which are then processed without proper validation, causing the SocketCAN implementation to read beyond the buffer's end.

A stored cross-site scripting vulnerability has been identified in version 1.0 of Sambitraj Student Management System. The issue arises in the Dashboard Page component, where an unknown function fails to properly sanitize the 'Name' argument. This oversight allows for the injection of malicious scripts, which are executed when the dashboard is viewed. The vulnerability can be exploited remotely, and although the project has been notified, no response has been received.

A SQL injection vulnerability has been identified in Sambitraj Student Management System version 1.0. The issue arises in the Login Page component, where the application improperly handles the 'email' parameter. This flaw allows remote attackers to manipulate the SQL query executed by the application, potentially leading to unauthorized data access or modification. The vulnerability has been publicly disclosed and exploited.

A SQL injection vulnerability has been identified in Code-Projects Student Details Management System version 1.0. The issue resides in the 'index.php' file, where the 'roll' parameter in POST requests is vulnerable to injection. This flaw allows remote attackers to manipulate SQL queries, potentially leading to unauthorized data access or modification. The vulnerability is exploitable without authentication, making it accessible to any user.

A vulnerability in Exim versions 4.88 prior to 4.99.4, in certain proxy configurations, allows for the improper handling of short payloads. This mismanagement can lead to the disclosure of uninitialized stack memory values to a client. The issue arises in the proxy_protocol() function, where a PROXYv2 frame with specific characteristics can be exploited to read and leak memory that includes live userspace virtual addresses, potentially bypassing Address Space Layout Randomization (ASLR) protections.

A race condition has been identified in the Extreme Platform One IAM Gateway API-key authentication process. Under specific high-concurrency traffic conditions, this vulnerability could intermittently allow requests authenticated with an Extreme Platform One/IAM-issued API key to access response data intended for another tenant. The issue was observed through ExtremeCloud IQ/XIQ API endpoints and validated against both XIQ/XAPI and Extreme Platform One/Common Services API paths. Notably, XIQ-native tokens and standard OAuth/Bearer JWT authentication were not impacted.

A vulnerability exists in the StrongDM Desktop Application for Windows, all versions prior to 23.74.0, and the StrongDM Desktop Client, all versions prior to 53.77.0. These applications store authentication state, including a JSON Web Token and asymmetric key material, in cleartext within a per-user state file located at C:\Users\<username>\.sdm\state.kv. This file is only protected by default user-level NTFS permissions. Exploitation of this vulnerability requires local read access to the affected user's profile directory, along with additional deployment and execution conditions on the target host.

A vulnerability in FreeScout prior to version 1.8.221 allows non-admin users to permanently delete internal notes from conversations, even after their access to the relevant mailbox has been revoked. The issue arises because the deletion authorization policy does not check mailbox membership, enabling former team members to delete notes they created. This flaw can lead to unauthorized tampering with conversation records and permanent data loss.

A vulnerability in FreeScout prior to version 1.8.221 allows users with the PERM_EDIT_CONVERSATIONS permission to bypass mailbox membership checks when editing conversation threads. This issue arises because the authorization process only considers authorship and a global permission flag, neglecting current mailbox access. As a result, an agent who has been removed from a mailbox can still modify thread content in conversations they can no longer access.

A file upload restriction bypass vulnerability has been identified in Spatie Laravel Media Library versions prior to 11.23.0. The issue resides in the default file name sanitizer, which only checks the final file extension. This oversight allows double-extension files, such as 'shell.php.jpg', to circumvent the blocklist, as 'pathinfo()' retains the inner '.php' portion in the saved file name. Additionally, the blocklist fails to include certain executable extensions like '.php6', '.shtml', and '.htaccess'. While the double-extension bypass can be exploited to execute PHP files under a legacy Apache AddHandler configuration, the general blocklist oversight does not require such conditions.

A server-side request forgery (SSRF) vulnerability has been identified in Spatie Laravel Media Library versions prior to 11.23.0. This vulnerability allows remote attackers to manipulate the server into making arbitrary outbound HTTP requests. The issue arises from the addMediaFromUrl() method in InteractsWithMedia.php, which accepts user-controlled URLs without proper validation, exposing the application to potential attacks on internal resources or cloud metadata endpoints.

A vulnerability in the Formie Craft CMS plugin, affecting versions prior to 2.2.21 and 3.1.26, allows unauthenticated users to modify existing form submissions. This is achieved by sending a known or guessed submission ID to the 'formie/submissions/save-submission' endpoint. The issue arises from insufficient access controls, enabling unauthorized manipulation of submission data.

A vulnerability in FreeScout prior to version 1.8.220 allows for agent impersonation by exploiting a lack of HMAC verification in the email processing pipeline. The FetchEmails command has two paths for handling replies, but only the customer reply path includes proper HMAC validation. An external attacker who can spoof the From address of a helpdesk agent can inject messages that are processed as legitimate replies from that agent. These forged replies are then automatically forwarded to customers via the helpdesk's SMTP server, making the phishing attempt difficult to detect.

A vulnerability in the TIFF decoder of the Go programming language's image processing package allows for excessive resource consumption during the decompression of PackBits-compressed data. The issue arises because the decoder does not impose a limit on the size of the compressed data, enabling a small, maliciously-crafted image to cause the decoder to process large amounts of data. This vulnerability affects versions of the 'golang.org/x/image' package prior to v0.41.0.

A denial-of-service vulnerability has been identified in cpp-httplib versions prior to 0.44.0. When the server's trusted-proxy list is non-empty, an attacker can send an HTTP request with an X-Forwarded-For header that contains no valid IP segments. This leads to the execution of the get_client_ip() function, which calls front() on an empty std::vector, causing undefined behavior in C++. Typically, this results in an abnormal termination of the process. However, if Sanitizers are enabled, a runtime diagnostic is provided.

A denial-of-service vulnerability has been identified in the iskorotkov/avro Go library, specifically in versions prior to 2.33.0. The issue arises in the Avro array and map decoders, which improperly handle an attacker-controlled block-count value. This flaw allows a malicious producer to declare an excessively large block of elements, up to approximately 9.2 quintillion, followed by an end-of-file or truncated payload. The decoder then executes a corresponding number of no-operation iterations, effectively creating an infinite loop that consumes CPU resources until the process is terminated or killed externally. This vulnerability is remote and does not require authentication.

A denial-of-service vulnerability has been identified in the Iskorotkov Avro Go codec, specifically in versions prior to 2.33.0. The issue arises in several decoder paths that read 64-bit values from the Avro wire format. These values are either narrowed to platform-sized integers without proper bounds-checking or are manipulated using signed-integer arithmetic that is prone to overflow. On 32-bit platforms, such as GOARCH=386, arm, mips, and wasm, this truncation can silently bypass byte-slice limits, incorrectly select union branches, or trigger a panic in the OCF negative-make block reads. Additionally, there are three sub-issues that, while not exclusive to 32-bit platforms, contribute to the denial-of-service risk by causing panics or bypassing allocation caps on any platform.

A heap-based buffer overflow vulnerability has been identified in FreeRDP's planar bitmap decoder, prior to version 3.26.0. The issue arises when decoding RLE planar data, specifically in the 'libfreerdp/codec/planar.c' file. The function 'freerdp_bitmap_decompress_planar()'' improperly validates the X destination coordinate against the provided destination stride while writing to an internal temporary buffer. This flaw allows an attacker to manipulate the coordinates and stride, causing a write operation to exceed the buffer's allocated memory, leading to potential memory corruption.