CVE Catalog
Logseq Sandbox Escape Vulnerability Allowing Arbitrary JavaScript Execution
A sandbox escape vulnerability has been identified in Logseq, specifically in version 0.10.15 and prior. This flaw allows plugins running in sandboxed iframes to inject arbitrary HTML attributes, including event handlers, into their container elements within the host DOM. The absence of a Content Security Policy (CSP) enables malicious plugins to execute arbitrary JavaScript in the privileged host context, potentially accessing filesystem APIs without authorization.
Logseq Stored Cross-Site Scripting Vulnerability
A stored cross-site scripting vulnerability has been identified in Logseq, affecting all versions through 0.10.15. This issue allows a malicious plugin to inject a JavaScript payload into the 'name' field of its 'package.json' file. The injected script is then rendered using 'innerHTML' without adequate sanitization, enabling the execution of arbitrary code in the privileged context of the host application.
Linux Kernel Greybus gb-Beagleplay Bootloader Buffer Overflow Vulnerability
A buffer overflow vulnerability has been addressed in the Linux kernel's Greybus gb-Beagleplay component. The issue arises in the cc1352_bootloader_rx() function, which improperly handles incoming data chunks from the serdev interface. The function appends each chunk to a fixed receive buffer without adequately checking if the incoming data fits within the available space. This oversight can lead to buffer overflow by allowing leftover bytes from previous callbacks to be combined with new data, exceeding the buffer's capacity. The vulnerability affects the Linux kernel stable tree.
Linux Kernel TCP ULP Support Vulnerability in SMC Reverted
A vulnerability in the Linux kernel's TCP User Layer Protocol (ULP) support for Socket Memory Control (SMC) has been addressed. The issue arose because the implementation improperly modified active TCP socket structures in place, violating core Virtual File System (VFS) invariants. This created a risk of use-after-free errors and general system instability. The vulnerability affects the Linux kernel stable tree.
Linux Kernel EROFS Filesystem End-of-Filesystem Handling Vulnerability
A vulnerability in the Linux kernel's EROFS (Enhanced Read-Only File System) implementation has been addressed. The issue involved improper handling of file-backed mounts at the end of the filesystem. I/O requests extending beyond the filesystem's limits were not being zeroed out as expected, similar to the behavior of loopback devices. This vulnerability could potentially lead to unintended data exposure or corruption.
Linux Kernel AppArmor Rlimit Mismanagement for POSIX CPU Timers Vulnerability
A vulnerability exists in the Linux kernel's AppArmor module regarding the management of resource limits (rlimits) for POSIX CPU timers. The issue arises because POSIX CPU timers require an additional step beyond merely setting the rlimit. The code needs to be refactored to clarify when the limits are being set and to conditionally update the POSIX CPU timers as necessary. This vulnerability affects several versions of the Linux kernel.
Linux Kernel Unlocked Test Vulnerability in Device Mapper Zone Reporting
A vulnerability exists in the Linux kernel's device mapper (DM) component, specifically within the zone reporting function. The issue arises because the function 'dm_blk_report_zones' checks if a device is suspended using the 'dm_suspended_md' call, but does so without holding any locks. This oversight allows the device to be suspended immediately after the check is performed. The vulnerability affects the Linux kernel stable tree.
Linux Kernel SPI Transfer Initialization Vulnerability in IIO Pressure Driver
A vulnerability exists in the Linux kernel's IIO pressure driver for the MPRLS0025PA sensor. The issue arises because the SPI transfer structure is not properly initialized before use, which could lead to undefined behavior. This vulnerability affects the stable version of the Linux kernel.
Linux Kernel RDMA/rxe Memory Region Page Size Handling Vulnerability
A vulnerability in the Linux kernel's RDMA/rxe implementation affects memory regions (MRs) with page sizes different from the system default. The issue arises because the function rxe_set_page() increments by the MR's page size, while the page_list maintains individual page pointers, each representing a standard page size. This discrepancy leads to incorrect input/output virtual address conversions, particularly when the MR page size is smaller or larger than the system page size. The vulnerability can cause mismanagement of memory access, potentially leading to application crashes or undefined behavior.
389 Directory Server Stack Buffer Overflow Vulnerability in Algorithm ID Parsing
A stack buffer overflow vulnerability has been identified in 389 Directory Server. The issue arises in the checkPrefix() function within pw.c, where an attacker-controlled algorithm ID is copied into a 256-byte stack buffer without proper bounds checking. This vulnerability occurs when the server parses reversible-encrypted attribute values. An attacker with Directory Manager privileges can exploit this flaw by storing a crafted credential that includes an oversized algorithm ID, leading to a crash of the LDAP server. While the FORTIFY_SOURCE feature mitigates the vulnerability to a denial-of-service condition, it does not eliminate the risk entirely.
389 Directory Server Heap Buffer Overflow Vulnerability in Audit Log Password Masking
A heap buffer overflow vulnerability has been identified in 389 Directory Server. This issue arises in the audit logging feature, specifically within the create_masked_entry_string() function in auditlog.c. The vulnerability occurs because the function copies a fixed-length password mask into a heap buffer that is precisely sized, without verifying the available space. If a short cleartext password is logged—an occurrence that requires non-default CLEAR password storage or a compromised replication peer—the buffer overflow can corrupt heap memory and disrupt the audit log output.
389 Directory Server PBKDF2-SHA256 Password Storage Plugin Unbounded Iteration Count Denial-of-Service Vulnerability
A denial-of-service vulnerability has been identified in 389 Directory Server versions 1.3.6 and later. The issue arises in the PBKDF2-SHA256 password storage plugin, which fails to impose a limit on the iteration count derived from stored password hashes. This flaw allows a privileged attacker with Directory Manager rights to inject a crafted PBKDF2 hash with an extremely high iteration count. When the modified hash is used during authentication, it can lead to excessive CPU usage, causing worker threads to hang for hours and disrupting service for legitimate users.
389 Directory Server SMD5 Password Storage Plugin Buffer Over-Read Vulnerability Leading to LDAP Server Crash
A vulnerability exists in the 389 Directory Server's SMD5 password storage plugin. It involves an unsigned integer underflow when calculating the salt length from a crafted password hash shorter than 16 bytes. This flaw causes a buffer over-read, which crashes the LDAP server during authentication. The issue has been present since the creation of the SMD5 plugin around 2005.
389 Directory Server NULL Pointer Dereference Vulnerability in Dereference Control Plugin
A NULL pointer dereference vulnerability has been identified in the dereference control plugin of 389 Directory Server. This issue arises because the plugin does not properly check for memory allocation failures before using a Basic Encoding Rules (BER) structure. As a result, an unauthenticated remote attacker can exploit this flaw to crash the LDAP server, particularly under conditions of memory pressure.
389 Directory Server Heap Buffer Over-Read Vulnerability in String Filter Parsing
A heap buffer over-read vulnerability has been identified in 389 Directory Server. The issue arises in the ldap_utf8prev() function, which reads bytes before the start of a buffer without proper bounds checking. This flaw can lead to a heap over-read during string filter parsing, potentially affecting internal filter processing. The vulnerability exists in all versions of the 389 Directory Server component on Red Hat Enterprise Linux 7, 8, 9, and 10, as well as in Red Hat Directory Server versions 11, 12, and 13.
389 Directory Server Out-of-Bounds Read Vulnerability in LDIF Parser
A heap out-of-bounds read vulnerability has been identified in 389 Directory Server. This issue arises in the LDIF parser function 'str2entry_state_information_from_type()' when the parser processes attribute types with trailing semicolons during database import. The flaw allows the parser to read past the end of a heap buffer, creating an out-of-bounds read that can be detected with memory instrumentation. The vulnerability requires local administrator access to exploit, and while it has been confirmed on instrumented builds, it does not cause a crash in production binaries due to allocator padding.
389 Directory Server SSO Token Extended Operation Handler Type Confusion Vulnerability Allowing Partial Stack Address Disclosure
A type confusion vulnerability has been identified in the 389 Directory Server's SSO token extended operation handler. This flaw allows partial stack address information to be leaked in LDAP responses to authenticated users. The issue arises because the handler improperly passes a stack pointer to a formatting function that expects an integer, creating a mismatch that can be exploited to extract sensitive information.
Linux Kernel Netfilter nf_tables Netlink Hook Unregistration Vulnerability
A vulnerability in the Linux kernel's netfilter component, specifically within the nf_tables subsystem, has been addressed. The issue arose because the functions nft_netdev_unregister_hooks and __nft_unregister_flowtable_net_hooks did not properly remove netlink hooks from their lists using the appropriate RCU-safe function. This oversight could lead to inconsistencies when the list was accessed by concurrent processes. The vulnerability has been resolved by introducing a new helper function that correctly removes the hooks and can be safely used in a concurrent context.
Linux Kernel Zero-Copy Fragment Merging Vulnerability in GRO Processing
A vulnerability in the Linux kernel's Generic Receive Offload (GRO) handling can lead to a use-after-free condition. The issue arises because the GRO function can merge packet fragments from zero-copy sockets without properly managing the reference counts of the underlying memory pages. This flaw is present in the stable Linux kernel and affects several versions. When the last packet in the GRO chain or the source packet is zero-copy, the packets should not be merged. The vulnerability has been addressed by modifying the GRO function to check the zero-copy status before merging packets.
Linux Kernel Tun Driver Memory Leak Vulnerability in XDP Processing
A memory leak vulnerability has been identified in the Linux kernel's tun driver, specifically within the 'tun_xdp_one' function. This issue arises when the 'build_skb' function fails, as the error handling does not properly free a page allocated for the frame, leading to a leak of one page-frag chunk for each failure in a batch. The vulnerability affects the Linux kernel stable tree.
Linux Kernel Page Leak Vulnerability in TUN/TAP Driver via Short Frame Rejection
A memory leak vulnerability has been identified in the Linux kernel's TUN/TAP networking driver, specifically within the 'tun_xdp_one()' function. This issue arises when the function processes frames shorter than the Ethernet header length. In such cases, 'tun_xdp_one()' returns an error code without releasing the memory page allocated by 'vhost_net_build_xdp()'. The 'tun_sendmsg()' function ignores this error and continues to report the total length, leading the 'vhost_tx_batch()' function to assume success and neglect memory cleanup. As a result, each short frame in a transmission batch causes a memory leak, with a tight submission loop potentially exhausting system memory and causing an out-of-memory panic. This vulnerability can be exploited by a local process with access to '/dev/net/tun' and '/dev/vhost-net', by attaching a TUN/TAP device as the vhost-net backend and sending transmission descriptors with lengths below the Ethernet header requirement.
Linux Kernel Tap Driver Memory Leak Vulnerability in XDP Frame Handling
A memory leak vulnerability has been identified in the Linux kernel tap driver, specifically in the handling of XDP (eXpress Data Path) frames. The issue arises in the 'tap_get_user_xdp()' function, which fails to free a page allocated for a frame by 'vhost_net_build_xdp()' when an error occurs. This oversight leads to a leak of one page-frag chunk for each rejected frame in a batch. The vulnerability has been addressed by modifying the error handling to free the allocated page before exiting the function.
Linux Kernel Privilege Escalation Vulnerability via Use-After-Free in Flow Table Management
A use-after-free vulnerability has been identified in the Linux kernel's flow table management within the 'act_ct' module of the traffic control subsystem. This issue arises because the function 'tcf_ct_flow_table_get()' improperly manages reference counts while accessing flow table objects. Specifically, it releases a Read-Copy Update (RCU) lock before ensuring that a reference to the flow table object is safely incremented. As a result, the flow table object can be freed while still in use, leading to a use-after-free condition. Exploitation of this vulnerability can result in unauthorized privilege escalation.
Linux Kernel HugeTLB VMA Lock Allocation Vulnerability
A vulnerability in the Linux kernel's handling of HugeTLB (large page) memory management has been addressed. The issue arose from a patch that modified how HugeTLB file mappings were prepared for memory mapping operations. This change inadvertently disrupted the allocation of locks needed for managing HugeTLB virtual memory areas (VMAs). When the allocation process failed after the VMA was prepared, it could lead to a lock being improperly released, creating a potential synchronization issue. Although this vulnerability could cause a lock to leak, it is not expected to result in a similar problem during a merge, as HugeTLB mappings are configured to prevent expansion conflicts. The vulnerability has been resolved by reverting the problematic patch and restoring the previous VMA lock allocation process, ensuring that locks are correctly managed without introducing conflicts.
Linux Kernel KVM Nested MMU Array Reassignment Vulnerability
A vulnerability exists in the Linux kernel's KVM (Kernel-based Virtual Machine) module for arm64 architecture, specifically in the management of nested memory management unit (MMU) structures. The issue arises because the nested MMU array is accessed under the MMU lock, including during MMU notifier operations, which can occur unpredictably. When the KVM virtual CPU initialization function reallocates the nested MMU array, it frees the old buffer while only holding a different lock, potentially allowing other processes to reference the now-freed memory. This vulnerability could lead to use-after-free errors. The problem has been addressed by changing the allocation process to occur outside of the MMU lock, allowing the reallocation to be safely managed without risking memory corruption.
Linux Kernel KVM: arm64 Vgic-its Translation Cache Reference Vulnerability
A vulnerability in the Linux kernel's KVM for arm64 architecture has been addressed. The issue arose in the Virtual Generic Interrupt Controller (VGIC) Interrupt Translation Service (ITS) handling. The function responsible for invalidating the translation cache improperly managed reference counts, leading to a potential use-after-free scenario. This flaw allowed the same cache entry to be erased and its reference dropped multiple times concurrently, creating a risk of accessing freed memory while still mapped by an Interrupt Translation Entry (ITE).
X-VPN macOS Local Privilege Escalation Vulnerability Allowing Privileged File Corruption
A local privilege escalation vulnerability has been identified in X-VPN for macOS website versions 77.0 through 77.5. This vulnerability allows a local attacker to exploit a race condition and symbolic link manipulation, leading to unauthorized changes to privileged files. The issue arises in the application's Download Protection feature, which, under certain conditions, can be manipulated to redirect administrative operations to unintended files.
Pretix Gift Card Secret Exposure Vulnerability
A vulnerability in Pretix allows for unauthorized access to gift card secrets during media export. This issue arises when the export feature includes full gift card secrets, contrary to the UI and API, which only display the initial letters of the secrets. The vulnerability affects users who can access reusable media but lack permission to view gift cards, creating a permission bypass. All supported Pretix versions from 2024.1.0 to 2026.5.0, except the fixed versions, are vulnerable.
WordPress Woody Code Snippets Plugin PHP Code Injection Vulnerability
A PHP code injection vulnerability has been identified in the WordPress Woody Code Snippets plugin, specifically in versions prior to 3.3.1. This vulnerability allows unauthenticated attackers to execute arbitrary PHP code by injecting malicious shortcodes through the WordPress REST API. Exploitation involves sending POST requests to the wp-json/wp/v2/posts endpoint with content that includes insert_php shortcodes, which can be used to include and execute remote PHP files on the server.
WordPress Plugin Mac Photo Gallery Path Traversal Vulnerability Allowing Arbitrary File Download
A path traversal vulnerability has been identified in WordPress Plugin Mac Photo Gallery version 3.0. This vulnerability allows unauthenticated attackers to download arbitrary files by manipulating the 'albid' parameter. By sending requests to 'macdownload.php' with directory traversal sequences, attackers can access sensitive files, such as 'wp-load.php', outside the designated plugin directory.
Apptha Slider Gallery SQL Injection Vulnerability
A SQL injection vulnerability has been identified in the Apptha Slider Gallery WordPress plugin, version 1.0. This vulnerability allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious payloads through the 'albid' parameter. Exploitation of this vulnerability could lead to the extraction of sensitive database information, including user credentials and authentication hashes.
Apptha Slider Gallery Path Traversal Vulnerability Allowing Arbitrary File Download
A path traversal vulnerability has been identified in the Apptha Slider Gallery WordPress plugin, version 1.0. This vulnerability allows unauthenticated attackers to download arbitrary files by manipulating the 'imgname' parameter. Exploitation involves sending requests to 'asgallDownload.php' with directory traversal sequences to access sensitive files outside the intended directory.
WordPress Plugin PICA Photo Gallery SQL Injection Vulnerability
A SQL injection vulnerability has been identified in the WordPress Plugin PICA Photo Gallery version 1.0. This vulnerability allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code into the aid parameter. Exploitation of this vulnerability could lead to the extraction of sensitive database information, including user credentials and table contents.
WordPress KittyCatfish Plugin SQL Injection Vulnerability
A SQL injection vulnerability has been identified in the KittyCatfish WordPress plugin, version 2.2. This vulnerability allows unauthenticated attackers to read database contents by exploiting an unescaped GET parameter. Attackers can inject SQL code through the 'kc_ad' parameter in either 'base.css.php' or 'kittycatfish.php'. The exploitation can be carried out using boolean-based blind or time-based blind techniques to extract sensitive database information.
Wow Viral Signups WordPress Plugin SQL Injection Vulnerability
A SQL injection vulnerability has been identified in the Wow Viral Signups WordPress plugin, specifically in version 2.1. This vulnerability allows unauthenticated attackers to exploit the unescaped 'idsignup' POST parameter, sending crafted requests to the admin-ajax.php endpoint. By doing so, attackers can inject malicious SQL payloads to extract arbitrary data from the database.
Wow Forms WordPress Plugin SQL Injection Vulnerability
A SQL injection vulnerability has been identified in the Wow Forms WordPress plugin, version 2.1. This vulnerability allows unauthenticated attackers to read arbitrary database information by exploiting an unescaped POST parameter. Attackers can inject SQL code through the 'mwpformid' parameter in requests to the admin-ajax.php endpoint, using the 'send_mwp_form' action, to extract sensitive database contents.
WordPress Car Park Booking Plugin SQL Injection Vulnerability
A time-based SQL injection vulnerability has been identified in the WordPress Car Park Booking Plugin, specifically in version 13 October 17. This vulnerability allows unauthenticated attackers to manipulate database queries by injecting SQL code through the space_id parameter. Exploitation involves sending GET requests to the booking-page endpoint with malicious space_id values that include AND SLEEP() payloads, enabling attackers to extract sensitive information from the database.
WordPress Product Catalog 8 SQL Injection Vulnerability
A SQL injection vulnerability has been identified in the Product Catalog 8 plugin for WordPress, specifically in version 1.2.0. This vulnerability allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code into the selectedCategory parameter. Exploitation involves sending POST requests to the admin-ajax.php endpoint with the UpdateCategoryList action, which can be used to extract sensitive information from WordPress database tables.
WP Vault Local File Inclusion Vulnerability
A local file inclusion vulnerability has been identified in the WP Vault WordPress plugin, specifically in version 0.8.6.6. This vulnerability allows unauthenticated attackers to read arbitrary files by exploiting an unescaped parameter in the include functionality. Attackers can use directory traversal sequences in the wpv-image GET parameter to access sensitive files, such as system configuration and credentials.
WordPress Plugin Single Personal Message SQL Injection Vulnerability
A SQL injection vulnerability has been identified in the WordPress plugin 'Single Personal Message' version 1.0.3. This vulnerability allows authenticated users to execute arbitrary SQL queries by injecting malicious code through the message parameter. Exploitation of this vulnerability could lead to unauthorized access to sensitive database information, including user credentials and site configuration data.
Simply Poll WordPress Plugin SQL Injection Vulnerability
A SQL injection vulnerability has been identified in the Simply Poll WordPress plugin, specifically in version 1.4.1. This vulnerability allows unauthenticated attackers to inject SQL code through the 'pollid' POST parameter, enabling them to execute arbitrary SQL queries and extract sensitive data from the WordPress database. The exploitation involves sending requests to the admin-ajax.php endpoint with the 'spAjaxResults' action and malicious 'pollid' values.
TYPO3 CMS Media Module Fallback Storage Access Vulnerability
A broken access control vulnerability has been identified in the TYPO3 CMS Media Module, affecting versions 11.0.0 through 11.5.50, 12.0.0 through 12.4.45, 13.0.0 through 13.4.30, and 14.0.0 through 14.3.2. This vulnerability allows backend users with file download permissions to access and download sensitive files, such as log files, from the fallback storage of the file abstraction layer (FAL). The issue arises because the fallback storage paths are resolved relative to the server's document root, potentially exposing confidential information.
TYPO3 CMS Form Framework Privilege Escalation and SQL Injection Vulnerability
A vulnerability in the TYPO3 CMS Form Framework (ext:form) allows backend users with write access to the form_definition database table to bypass persistence validation and permission checks. This is achieved by directly manipulating form definition records through the DataHandler. The exploitation of this vulnerability enables the injection of arbitrary form configurations, potentially reintroducing previously addressed attack vectors, such as SQL injection and privilege escalation. This issue affects TYPO3 CMS versions 14.0.0 prior to 14.3.3.
TYPO3 CMS Insecure Deserialization Vulnerability in Core API Allowing PHP Object Injection
A vulnerability exists in TYPO3 CMS's core API, specifically within the cache frontend 'VariableFrontend' and the 'Registry' key-value store. These components deserialized PHP payloads without proper integrity checks or class restrictions. An attacker with write access to the relevant storage backend—either the cache store or the 'sys_registry' database table—could inject a malicious serialized payload. This could lead to PHP Object Injection, potentially allowing the execution of arbitrary code or causing other significant impacts. The vulnerability requires direct local write access to the storage, such as the SQL database or file system. It affects TYPO3 CMS versions 10.0.0 prior to 10.4.57, 11.0.0 through 11.5.50, 12.0.0 through 12.4.45, 13.0.0 through 13.4.30, and 14.0.0 through 14.3.2.
TYPO3 CMS Path Validation Vulnerability in GeneralUtility Allowing Access to Arbitrary Directories
A broken access control vulnerability has been identified in TYPO3 CMS within the GeneralUtility component. The issue arises from the path validation method 'isAllowedAbsPath()', which performed a simple string prefix check without enforcing a directory separator boundary. This flaw allowed paths like '/var/www/html-other/secret.yaml' to be mistakenly recognized as valid when the project root was set to '/var/www/html'. As a result, administrators with access to the File Abstraction Layer could create file storage definitions pointing to directories outside the project root, effectively bypassing the intended path restrictions. This vulnerability affects TYPO3 CMS versions prior to 10.4.57, 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30 and 14.0.0-14.3.2.
TYPO3 CMS Backend API Broken Access Control Vulnerability
A broken access control vulnerability has been identified in TYPO3 CMS Backend API. Authenticated backend users could access file metadata through various API routes without proper permission checks. This flaw allowed users to retrieve files outside their authorized file mounts or storage areas. The vulnerability affects TYPO3 CMS versions prior to 10.4.57, 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30, and 14.0.0-14.3.2.
TYPO3 CMS Clipboard Broken Access Control Vulnerability
A broken access control vulnerability has been identified in the TYPO3 CMS clipboard functionality, allowing backend users to insert arbitrary records and files without proper read permission checks. This issue enables users to access information about records and files they are not authorized to view. The vulnerability affects TYPO3 CMS versions 10.4.0-13.4.30 and 14.0.0-14.3.2.
TYPO3 CMS DataHandler Component Broken Access Control Vulnerability
A broken access control vulnerability has been identified in the DataHandler component of TYPO3 CMS. This issue allows backend users to move records to a different page without having the necessary edit permissions on the source page. The vulnerability affects TYPO3 CMS versions 13.0.0 prior to 13.4.31 and 14.0.0 prior to 14.3.3.
TYPO3 CMS Recycler Module Broken Access Control Vulnerability Allowing Unauthorized Record Restoration
A broken access control vulnerability has been identified in the TYPO3 CMS Recycler module. It allows backend users to restore soft-deleted records from pages or tables they do not have permission to modify. This issue affects TYPO3 CMS versions 10.0.0 prior to 10.4.57, 11.0.0 through 11.5.50, 12.0.0 through 12.4.45, 13.0.0 through 13.4.30, and 14.0.0 through 14.3.2.
TYPO3 CMS Cross-Site Scripting Vulnerability in Indexed Search
A cross-site scripting vulnerability has been identified in TYPO3 CMS versions 13.0.0 prior to 13.4.31 and 14.0.0 prior to 14.3.2. Editors with the ability to create or modify page content could include unfiltered HTML in page titles. These titles were then stored in the search index and, when displayed in the frontend search results through the Indexed Search plugin, were rendered without proper output encoding. This lack of sanitization allowed for the injection of malicious scripts.
