CVE Catalog
OpenBullet2 Remote Code Execution Vulnerability via FileProxySource Script Upload
A remote code execution vulnerability has been identified in OpenBullet2 versions through 0.3.2. This vulnerability allows authenticated users to execute arbitrary commands by uploading script files with extensions .bat, .ps1, or .sh through the FileProxySource proxy loading feature. Once uploaded as proxy sources, the server executes these scripts and returns the output as proxy lines, enabling command execution on the host as the process user.
OpenBullet2 Path Traversal Vulnerability in Wordlist Endpoint Allows Arbitrary File Operations and Remote Code Execution
A path traversal vulnerability has been identified in OpenBullet2 versions through 0.3.2, specifically within the wordlist endpoint. This vulnerability allows authenticated attackers to read, write, and delete arbitrary files by providing unsanitized absolute paths to the upload handler and wordlist functions. Exploitation of this vulnerability can lead to remote code execution by manipulating critical system files, such as /etc/passwd, since the application runs as root by default.
OpenBullet2 Authentication Bypass Vulnerability via Empty X-Api-Key Header
An authentication bypass vulnerability has been identified in OpenBullet2 versions through 0.3.2. This vulnerability resides in the API key authentication middleware, where unauthenticated attackers can gain admin access by sending an empty X-Api-Key header. The exploitation takes advantage of the middleware's comparison of the header value against a default empty AdminApiKey string, allowing access to the admin console and all API endpoints without valid credentials.
389 Directory Server Unbounded Memory Growth Vulnerability in Content Synchronization Plugin Allowing Denial-of-Service
A denial-of-service vulnerability has been identified in 389 Directory Server versions 11, 12, 13, and in the 389-ds-base package of Red Hat Enterprise Linux 7, 8, and 9. The issue arises in the Content Synchronization persistent search plugin, where unbounded memory growth occurs when an authenticated client halts reading synchronization responses. This can lead to memory exhaustion and server crashes. Additionally, race conditions in the plugin's thread lifecycle may cause crashes during connection teardown or shutdown.
imvks786 Student Management System Cross-Site Scripting Vulnerability
A stored cross-site scripting vulnerability has been identified in the imvks786 student management system, affecting versions up to commit 9599b560ad3c3b83e75d328b76bedcd489ef1f46. The issue arises in the file add.php, where user input from fields such as name and address is directly inserted into an SQL query without proper sanitization. This allows for the injection of malicious scripts, which are executed when the data is viewed on various pages, including see.php and std_home/std_profile.php. The vulnerability can be exploited remotely, and the injected scripts run in the context of the user's browser, potentially leading to session hijacking and unauthorized access to user accounts.
imvks786 Student Management System Improper Authorization Vulnerability in Student Deletion Endpoint
A broken access control vulnerability has been identified in the imvks786 student_management_system, affecting versions prior to commit 9599b560ad3c3b83e75d328b76bedcd489ef1f46. The issue resides in the student deletion endpoint within the file see.php. The vulnerability allows users with only VIEW permissions to delete student records by manipulating the del parameter. This deletion occurs before the system verifies the user's authorization level, enabling unauthorized record removal. The vulnerability can be exploited remotely, and has been publicly disclosed.
imvks786 Student Management System Improper Access Control Vulnerability in Student Record Handler
An improper access control vulnerability has been identified in the imvks786 student management system, in versions up to commit 9599b560ad3c3b83e75d328b76bedcd489ef1f46. The issue resides in the Student Record Handler component, specifically within an unknown function of the file add.php. The vulnerability can be exploited remotely, and has been publicly disclosed. The application fails to enforce role-based access controls on server-side endpoints, allowing users with VIEW permissions to add and delete student records.
imvks786 Student Management System SQL Injection Vulnerability in Administrator Login Endpoint
A SQL injection vulnerability has been identified in the imvks786 student management system, affecting versions prior to commit 9599b560ad3c3b83e75d328b76bedcd489ef1f46. The issue arises in the administrator login endpoint, specifically within the file admin/admin_login.php. The vulnerability allows remote attackers to inject malicious SQL payloads into the username and password fields, bypassing authentication and gaining administrative access.
imvks786 Student Management System SQL Injection Vulnerability Allowing Authentication Bypass and Data Manipulation
A SQL injection vulnerability has been identified in the imvks786 student management system, affecting versions prior to commit 9599b560ad3c3b83e75d328b76bedcd489ef1f46. The vulnerability resides in the login component, specifically within the 'index.php' file. User input for the 'usr' and 'pwd' fields is directly concatenated into SQL queries without proper validation or escaping, allowing remote attackers to manipulate the queries. This exploitation can bypass authentication and lead to unauthorized data deletion, permission changes, and sensitive data exposure.
Apache HTTP Server Memory Allocation Vulnerability in mod_http2 Leading to Denial-of-Service
A vulnerability in Apache HTTP Server's mod_http2 module allows for denial-of-service attacks by exhausting memory resources. This issue arises from improper handling of HTTP/2 requests, where maliciously crafted headers can cause the server to allocate excessive memory, leading to crashes or degraded performance. The vulnerability affects Apache HTTP Server versions 2.4.17 prior to 2.4.67.
Wojtekmach Req Multipart Header Injection Vulnerability via Unescaped Metadata
A CRLF injection vulnerability has been identified in the Wojtek Mach Req library, specifically in versions 0.5.3 prior to 0.6.0. This vulnerability allows for multipart parameter smuggling through attacker-controlled part metadata. The issue arises because the multipart form encoder directly interpolates the 'name', 'filename', and 'content_type' values into the headers without proper escaping or stripping of CRLF sequences. As a result, an attacker can inject additional headers, smuggle extra form fields, or prepend a new part into the outgoing request. This vulnerability is particularly exploitable when the 'value' parameter is a File.Stream, as POSIX filenames can contain CRLF characters. Applications that use Req to send multipart form data and allow user influence over these header values are at risk.
wojtekmach Req Decompression Bomb Denial-of-Service Vulnerability
A denial-of-service vulnerability has been identified in the wojtekmach Req HTTP client for Elixir, versions 0.1.0 prior to 0.6.1. This vulnerability arises from improper handling of highly compressed data, allowing attacker-controlled HTTP servers to exhaust memory in a Req client. The issue is triggered by decompression-bomb response bodies, which expand significantly in size and can crash the BEAM process.
Apache HTTP Server mod_http2 Use-After-Free Vulnerability Exhausting File Handles
A use-after-free vulnerability has been identified in the Apache HTTP Server module mod_http2. This vulnerability occurs when file handles are exhausted, leading to memory corruption. It affects Apache HTTP Server versions 2.4.55 prior to 2.4.67.
phpMyFAQ Weak Cryptography Vulnerability in Password Hashing
A vulnerability exists in phpMyFAQ versions through 4.1.3, where attachment passwords are hashed using SHA-1, a cryptographically broken algorithm susceptible to collision attacks. This weak hashing provides no real protection, as the hashed passwords are not verified upon retrieval. The vulnerability has been addressed in version 4.1.4.
Bludit CMS User Management Vulnerability Allowing Unauthorized Access via Persistent Authentication Tokens
A vulnerability exists in Bludit CMS versions prior to 3.22.0, allowing deactivated user accounts to retain access through persistent authentication tokens. When an administrator disables a user, the application does not invalidate the associated tokenAuth and tokenRemember fields in the JSON database. As a result, users with a pre-existing 'Remember Me' cookie can bypass the deactivation and maintain an authenticated state. This issue has been patched in version 3.22.0.
Bludit Content Management System Ghost Session Vulnerability Allowing Unauthorized Access
A broken access control vulnerability has been identified in Bludit CMS versions prior to 3.22.0. This flaw allows active sessions to remain valid even after the associated user account has been deleted from the database. As a result, revoked users can retain unauthorized access to the system. The vulnerability arises because the application does not re-validate the status of a user account for each request, allowing deleted users to continue performing actions as if they were still active.
Flowise Mass Assignment Vulnerability in Evaluator Management Allows Cross-Workspace Takeover
A mass assignment vulnerability has been identified in Flowise, a user interface for building customized large language model flows. This issue, present in versions through 3.1.1, allows for cross-workspace evaluator takeover by improperly handling workspace-related data during evaluator creation and updates. The vulnerability arises because the Evaluator controller does not validate which fields can be overwritten with client-controlled data, enabling authenticated users to manipulate evaluator ownership and access across workspaces.
Flowise Mass Assignment Vulnerability in Evaluations Endpoint Allows Cross-Workspace Data Takeover
A mass assignment vulnerability has been identified in Flowise versions prior to 3.1.2, specifically within the evaluations management feature. This issue allows an authenticated user to manipulate evaluation data across different workspaces, potentially leading to unauthorized access and modification of evaluation records. The vulnerability arises because the evaluation controller does not properly validate which fields can be updated, allowing client-controlled data to overwrite critical workspace-specific information. As a result, evaluations can be transferred between workspaces, disrupting data integrity and privacy.
Flowise DatasetRow Mass Assignment Vulnerability Allows Cross-Workspace Row Takeover
A mass assignment vulnerability has been identified in Flowise versions prior to 3.1.2, allowing cross-workspace row takeover in the DatasetRow entity. The issue arises because the DatasetRow controller mass-assigns client-controlled data, including workspace IDs, without proper validation. This flaw enables authenticated users to manipulate dataset rows across different workspaces, violating data isolation and potentially exposing sensitive information.
Flowise Mass Assignment Vulnerability in Dataset Management Allows Cross-Workspace Data Takeover
A mass assignment vulnerability has been identified in Flowise, a user interface for building customized large language model flows. This issue, present in versions prior to 3.1.2, allows for cross-workspace dataset takeover by exploiting the dataset creation and update processes. The vulnerability arises because the Dataset controller does not properly validate which fields can be overwritten, enabling authenticated users to manipulate dataset ownership and access through the workspaceId field.
Flowise Cross-Workspace Template Takeover Vulnerability via Mass Assignment
A vulnerability in Flowise prior to version 3.1.2 allows for cross-workspace template takeover through mass assignment in the CustomTemplate creation and update processes. The issue arises because the application does not properly validate which fields can be overwritten, allowing authenticated users to manipulate workspace-specific data and disrupt workspace isolation. This flaw can be exploited by any user with permission to edit custom templates, potentially leading to unauthorized access and modification rights in another workspace.
Flowise Mass Assignment Vulnerability Allows Cross-Workspace Assistant Takeover
A mass assignment vulnerability has been identified in Flowise, a user interface for building customized large language model flows. This issue, present in versions through 3.1.1, allows for cross-workspace assistant takeover by improperly handling workspace IDs during the creation and updating of assistant entities. The vulnerability arises because the application does not validate which fields can be overwritten, enabling authenticated users to manipulate assistant ownership and access across workspaces.
Flowise OpenAI Assistants Vector Store Missing Authentication Vulnerability
A vulnerability exists in Flowise versions prior to 3.1.2, where all CRUD endpoints for the OpenAI Assistants Vector Store lack authentication middleware. The route '/api/v1/openai-assistants-vector-store' is not included in WHITELIST_URLS and, although it requires API key authentication, it does not enforce any permission checks. This oversight allows any authenticated user to create, modify, and delete vector stores and to upload or exfiltrate files, regardless of their assigned permissions.
Flowise Credential Data Leak Vulnerability
A vulnerability in Flowise prior to version 3.1.2 allows authenticated users to access unredacted encrypted credential data, such as API keys and tokens, when using the 'credentialName' filter parameter. This data leak occurs because the 'encryptedData' field is not properly omitted from the response when the filter is applied, despite the code correctly excluding it when no filter is used. The issue has been patched in version 3.1.2.
Flowise Authenticated Remote Code Execution Vulnerability via Node Custom Function API
A remote code execution vulnerability has been identified in Flowise, a user interface for building large language model flows. This issue affects versions through 3.1.1. The vulnerability arises because the POST /api/v1/node-custom-function endpoint lacks proper authorization, allowing any authenticated user or API key to send arbitrary JavaScript to the Custom JS Function node. In typical deployments where E2B_APIKEY is not set, Flowise runs this code in a NodeVM sandbox, which can be escaped. This escape route enables access to the host process object, facilitating the execution of system commands through the child_process module. Consequently, this flaw results in authenticated remote code execution on the server hosting Flowise.
Flowise Mass Assignment Vulnerability in Assistant Update Endpoint Allows Cross-Workspace Resource Reassignment
A mass assignment vulnerability has been identified in Flowise versions prior to 3.1.2, specifically within the assistant update endpoint. This vulnerability allows authenticated users to modify server-controlled properties, such as workspaceId, createdDate, and updatedDate, when updating an assistant resource. The issue arises from a lack of proper server-side validation and authorization checks, enabling attackers to manipulate the workspaceId field and reassign assistants to arbitrary workspaces. This flaw disrupts tenant isolation in multi-workspace environments.
Flowise Basic Authentication Vulnerability Allowing Credential Exposure and Brute-Force Attacks
A vulnerability in Flowise's checkBasicAuth endpoint prior to version 3.1.2 allows for plaintext credential validation without rate limiting, using direct comparison. This lack of rate limiting enables brute-force attacks on the authentication system. The endpoint returns distinct messages for successful and failed authentication attempts, facilitating credential enumeration. The vulnerability has been patched in version 3.1.2.
Linux Kernel Bluetooth hci_uart Use-After-Free Vulnerability and Race Condition
A vulnerability in the Bluetooth hci_uart component of the Linux kernel has been addressed. It involved a use-after-free (UAF) and race conditions during the initialization and close paths. The vulnerability arose because workqueues were not properly managed, allowing freed structures to be accessed. This was particularly problematic if a hangup occurred before setup was complete, since still-scheduled work could then disrupt the component's lifecycle management.
Linux Kernel io-wq Hash Management Vulnerability Leading to Use-After-Free
A vulnerability in the Linux kernel's I/O workqueue management can lead to a use-after-free condition. The issue arises in the 'io-wq' component, where the 'io_wq_remove_pending()' function fails to properly verify if a work item predecessor is hashed before updating the workqueue's hash tail. This oversight allows a pointer to a non-hashed I/O control block to be incorrectly stored, creating a dangling pointer once the work item is completed and freed. The flaw persists for the duration of the task, potentially leading to memory corruption when the freed memory is overwritten.
Apache HTTP Server Buffer Underwrite Vulnerability via Crafted Regular Expressions
A buffer underwrite vulnerability has been identified in Apache HTTP Server versions 2.4.0 prior to 2.4.67. This vulnerability arises in the core server when handling regular expressions in the configuration, allowing for potential memory manipulation.
Apache HTTP Server mod_proxy_ftp Infinite Loop Vulnerability
An infinite loop vulnerability has been identified in the mod_proxy_ftp module of Apache HTTP Server. This issue occurs when the server is connected to an attacker-controlled backend FTP server, causing the server to enter a loop with no reachable exit condition. This vulnerability affects Apache HTTP Server versions 2.4.0 through 2.4.67.
Apache HTTP Server Buffer Over-Read Vulnerability via Outbound OCSP Requests
A buffer over-read vulnerability has been identified in Apache HTTP Server in versions 2.4.0 prior to 2.4.67. This vulnerability occurs in the mod_ssl component when the server makes outbound OCSP requests to an attacker-controlled OCSP server. The flaw can be exploited to read memory beyond the intended bounds, potentially leading to information disclosure or a crash of the server process.
Apache HTTP Server Improper Privilege Management Vulnerability Allowing Unauthorized File Access
A vulnerability in Apache HTTP Server in versions through 2.4.67 allows local authors of .htaccess files to read files with the privileges of the httpd user. This issue arises from improper privilege management, enabling unauthorized access to certain files.
Apache HTTP Server Out-of-Bounds Read Vulnerability in mod_headers and mod_mime
An out-of-bounds read vulnerability has been identified in Apache HTTP Server versions 2.4.0 prior to 2.4.67. This vulnerability occurs in the 'merge_response_headers' function, where improper handling of multiple response languages can lead to memory access violations. The issue is present when both mod_headers and mod_mime are enabled, and can cause the server to crash.
Flowise Mass Assignment Vulnerability in Chatflow Update Endpoint Allows Cross-Workspace Reassignment
A mass assignment vulnerability has been identified in Flowise versions prior to 3.1.2, specifically within the chatflow update endpoint. This vulnerability allows authenticated users to manipulate server-controlled properties, such as deployment status, visibility, and workspace assignment, without proper validation or authorization. As a result, users can modify chatflow attributes without authorization and reassign chatflows to different workspaces, disrupting workflow management and tenant isolation.
Flowise Mass Assignment Vulnerability in Tool Update Endpoint Allows Cross-Workspace Resource Reassignment
A mass assignment vulnerability has been identified in Flowise versions prior to 3.1.2. The issue resides in the tool update endpoint, where authenticated users can modify server-controlled properties such as workspaceId, createdDate, and updatedDate. The vulnerability arises from inadequate server-side validation and authorization checks, enabling attackers to manipulate the workspaceId and reassign tools to arbitrary workspaces, thereby disrupting tenant isolation in multi-workspace environments.
Flowise Mass Assignment Vulnerability in Variable Update Endpoint Allows Cross-Workspace Resource Reassignment
A mass assignment vulnerability has been identified in Flowise versions prior to 3.1.2. The issue resides in the variable update endpoint, which allows authenticated users to modify server-controlled properties such as workspaceId, createdDate, and updatedDate. The vulnerability arises from inadequate server-side validation and authorization checks, enabling attackers to manipulate the workspaceId and reassign variables to arbitrary workspaces. This could disrupt tenant isolation in multi-workspace environments.
Apache HTTP Server Heap-Based Buffer Overflow Vulnerability in mod_xml2enc
A heap-based buffer overflow vulnerability has been identified in Apache HTTP Server versions 2.4.0 prior to 2.4.67, specifically in the mod_xml2enc module. The vulnerability arises in the xml2StartParse function when handling untrusted content, potentially leading to memory corruption.
Apache HTTP Server mod_dav_fs Protected Directory Access Vulnerability
A path handling vulnerability has been identified in the mod_dav_fs module of Apache HTTP Server versions through 2.4.67. This vulnerability allows WebDAV content authors to directly manipulate trusted DAV property databases, which could lead to crashes in child processes. The issue arises from improper handling of paths, enabling potential disruption of server processes.
Tenda FH451 Stack-Based Buffer Overflow Vulnerability in fromDhcpListClient Function Allowing Denial-of-Service
A stack-based buffer overflow vulnerability has been identified in the Tenda FH451 router, specifically in version 1.0.0.9. The issue arises in the 'fromDhcpListClient' function, which is part of the device's CGI handler. This vulnerability allows attackers to cause a denial-of-service condition by sending a crafted HTTP request that exploits the 'list1' parameter. The overflow occurs because the parameter is not properly validated before being copied into a buffer, leading to a process crash or instability on the device.
Apache HTTP Server Heap-Based Buffer Overflow Vulnerability in ProxyPassReverseCookie
A heap-based buffer overflow vulnerability has been identified in Apache HTTP Server versions 2.4.0 prior to 2.4.67. This vulnerability arises when the server is configured with malicious backend servers and uses the ProxyPassReverseCookie directive. The flaw allows an attacker to exploit the buffer overflow, potentially leading to arbitrary code execution or causing the server to crash.
Apache HTTP Server mod_proxy_html Buffer Overflow Vulnerability
A buffer overflow vulnerability has been identified in the mod_proxy_html module of Apache HTTP Server. This issue affects versions 2.4.67 and earlier, allowing an untrusted backend to execute an attack. The vulnerability can be exploited by sending crafted responses that manipulate memory, potentially leading to arbitrary code execution or causing the server to crash.
Imagination Technologies GPU Driver Use-After-Free Vulnerability via Improper Memory Management in Sparse Allocations
A use-after-free vulnerability has been identified in the Imagination Technologies GPU Driver Development Kit (DDK) releases starting from 24.2 RTM2 up to and including 26.1 RTM1. This vulnerability allows software running as a non-privileged user to make improper GPU system calls, leading to mismanagement of memory mappings for sparse allocations. The issue arises because mathematical operations are incorrectly scaled across buffers of varying sizes, causing the product to reference incorrect memory.
Apache HTTP Server mod_proxy_ftp Cross-Site Scripting Vulnerability
A cross-site scripting vulnerability has been identified in the mod_proxy_ftp module of Apache HTTP Server. This issue is present in versions through 2.4.67 and occurs during the generation of HTML directory listings when FTP directory contents are accessed via forward or reverse proxy configurations. The vulnerability allows for the injection of malicious scripts that could be executed in the context of the user's browser.
Apache HTTP Server mod_ldap Use-After-Free Vulnerability
A use-after-free vulnerability has been identified in Apache HTTP Server versions 2.4.0 prior to 2.4.67, specifically within the mod_ldap module when used in per-directory configurations. This vulnerability can lead to memory corruption and potentially allow for arbitrary code execution.
Imagination Technologies GPU Driver Kernel Heap Corruption Vulnerability
A vulnerability exists in the Imagination Technologies GPU driver development kit (DDK) that allows software running as a non-privileged user to make improper GPU system calls. These calls can corrupt kernel heap memory by mismanaging resource reference counting, creating a write use-after-free scenario. Under certain conditions, this exploitation can lead to unauthorized writes in the kernel memory, potentially altering the behavior of the operating system or other drivers.
Designcomputer Mysql-Mcp-Server SQL Injection Vulnerability in read_resource Function
A SQL injection vulnerability has been identified in the Designcomputer Mysql-Mcp-Server application, specifically in versions prior to 0.2.2. The issue arises in the Mysql URI Handler component, within the read_resource function of the server.py file. The vulnerability allows remote exploitation by manipulating the uri_str argument, leading to unauthorized SQL code execution. This injection occurs because the table name parameter is not properly sanitized before being interpolated into SQL queries, enabling attackers to inject malicious payloads that are executed with the full privileges of the MySQL user, which is typically the root user.
Tenda AC18 Web Management Interface Stack-Based Buffer Overflow Vulnerability
A stack-based buffer overflow vulnerability has been identified in the Tenda AC18 router, specifically in the web management interface of version 15.03.05.05. The vulnerability arises in the function sub_45304 within the '/goform/getRebootStatus' endpoint, where the 'callback' parameter is processed. The lack of input length validation allows an attacker to send an overly long string, leading to a buffer overflow that can overwrite the return address, potentially causing a crash of the web service or allowing remote code execution.
Tenda W20E Stack-Based Buffer Overflow Vulnerability in Web Management Interface
A stack-based buffer overflow vulnerability has been identified in the Tenda W20E router, specifically in version 15.11.0.6. The issue resides in the web management interface, within the 'modifyWifiFilterRules' function of the '/goform/modifyWifiFilterRules' endpoint. The vulnerability is triggered by sending an overly long string in the 'wifiFilterListRemark' parameter. This exploitation can be initiated remotely, and while it may cause a denial-of-service by crashing the web service, it could also lead to remote code execution.
Tenda W20E Stack-Based Buffer Overflow Vulnerability in Web Management Interface
A stack-based buffer overflow vulnerability has been identified in the Tenda W20E enterprise router, specifically in version 15.11.0.6. The issue arises in the web management interface within the 'formPortalAuth' function of the '/goform/PortalAuth' endpoint. The vulnerability can be exploited remotely by sending an overly long string in the 'gotoUrl' parameter, leading to a buffer overflow that overwrites the return address and potentially allows for remote code execution with root privileges.
