CVE Catalog

Browse the latest Common Vulnerabilities and Exposures (CVEs) with CVSS scores, affected products, and next-gen risk scores.

Jun 9, 2026

TYPO3 CMS Open Redirect Vulnerability in GeneralUtility Component

An open redirect vulnerability has been identified in TYPO3 CMS. This issue arises in applications that utilize the GeneralUtility::sanitizeLocalUrl function to restrict URLs to local ones. If a URL is processed by this function and then used, it can lead to an open redirect, allowing attackers to send users to external sites and potentially conduct phishing attacks. The vulnerability affects TYPO3 CMS versions from 10.0.0 up to but not including 10.4.57, 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30, and 14.0.0-14.3.2.

6.3
Jun 9, 2026

TYPO3 CMS Form Framework Mixed-Case Extension Upload Vulnerability Allowing Privilege Escalation

A vulnerability exists in the TYPO3 CMS Form Framework (ext:form) that allows backend users with file write permissions to upload form definition files with mixed-case extensions, such as .FORM.YAML. This upload bypasses the Form Framework's standard restrictions. Once uploaded, these maliciously crafted form definition files can execute arbitrary SQL statements. This capability could be exploited to escalate privileges by creating administrative backend user accounts. The vulnerability affects TYPO3 CMS versions prior to 10.4.57, 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30, and 14.0.0-14.3.2.

6.2
Jun 9, 2026

TYPO3 CMS File Abstraction Layer Broken Access Control Vulnerability

A broken access control vulnerability has been identified in the File Abstraction Layer of TYPO3 CMS. Non-privileged backend users with file mount access could perform destructive write operations, such as moving, deleting, or renaming folders that represent the root of an active file mount. This issue arises from inadequate authorization restrictions and affects TYPO3 CMS versions prior to 10.4.57, 11.0.0 through 11.5.50, 12.0.0 through 12.4.45, 13.0.0 through 13.4.30, and 14.0.0 through 14.3.2.

5.7
Jun 9, 2026

TYPO3 CMS Form Framework Broken Access Control Vulnerability Allowing Privilege Escalation

A broken access control vulnerability has been identified in the TYPO3 CMS Form Framework (ext:form). Backend users with access to this framework could exploit the vulnerability by using files that do not end with the required .form.yaml extension as form definitions. The system processed these files without rejecting the incorrect extension. Maliciously crafted form definition files could execute arbitrary SQL statements, enabling attackers to escalate privileges by creating administrative backend user accounts. This vulnerability affects TYPO3 CMS versions prior to 10.4.57, 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30, and 14.0.0-14.3.2.

6.2
Jun 9, 2026

AWX awxkit Path Traversal Vulnerability via YAML !include Directive

A path traversal vulnerability exists in awxkit, the command-line interface (CLI) tool for AWX. The issue arises because the YAML !include directive does not properly sanitize file paths. This flaw allows an attacker to create a malicious YAML file that can read arbitrary YAML-formatted files from the local filesystem. The vulnerability is triggered when a user imports the crafted YAML file using the 'awx --conf.format yaml import' command. This is a client-side vulnerability that requires user interaction.

2.5
Jun 9, 2026

User Frontend WordPress Plugin Missing Authorization Vulnerability in Subscription Cancellation

A vulnerability exists in the User Frontend WordPress plugin (AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration), version 4.3.2 and earlier. The issue arises from a lack of proper capability checks in the user_subscription_cancel() function, allowing authenticated users with Subscriber-level access and above to cancel any user's subscription pack, including those of administrators.

3.2
Jun 9, 2026

Siemens SINEC INS Password Hashing Vulnerability Allowing Password Recovery

A vulnerability exists in Siemens SINEC INS versions prior to V1.0 SP2 Update 6, due to a password hashing method that employs a static, hardcoded salt shared among all users and installations, combined with an inadequate number of iterations. This flaw could enable an attacker to efficiently recover user passwords through brute-force or precomputed attacks, potentially leading to unauthorized access.

2.6
Jun 9, 2026

Siemens SINEC INS Privilege Escalation Vulnerability Allowing Root Access

A vulnerability exists in Siemens SINEC INS versions prior to V1.0 SP2 Update 6, where a binary is equipped with the cap_dac_override capability. This capability enables the process to circumvent file system permission checks, leading to unrestricted access to the file system. Consequently, a local attacker could exploit this to escalate privileges, allowing arbitrary file modifications and potentially gaining root access on the system.

2.6
Jun 9, 2026

Siemens SINEC INS Path Traversal Vulnerability in SFTP File Upload Endpoint

A path traversal vulnerability has been identified in Siemens SINEC INS, all versions prior to V1.0 SP2 Update 6. The issue arises in the 'GET /api/sftp/uploadFiles' endpoint, which is used for directory listing. The application fails to properly sanitize path input, allowing crafted input to traverse directories and access unintended file system locations.

3.0
Jun 9, 2026

Siemens SINEC INS Command Injection Vulnerability in SFTP File Upload API

A command injection vulnerability has been identified in Siemens SINEC INS versions prior to V1.0 SP2 Update 6. The issue arises in the SFTP file upload API endpoint, where user input is not properly sanitized. This lack of input validation allows authenticated remote attackers to inject shell command payloads through manipulated directory names. These injected commands are stored and executed when directory listings are accessed, potentially leading to arbitrary command execution on the underlying operating system with the privileges of the affected service user.

3.1
Jun 9, 2026

Vinna Process Monitor Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in Vinna Process Monitor versions 4.0.0 through 4.0.6 and 3.1.0 through 3.1.4. This vulnerability allows authenticated remote attackers with low privileges to inject malicious JavaScript into the application. When an administrative user accesses a document containing the injected script, the JavaScript executes and steals administrative access tokens and session credentials.

2.8
Jun 9, 2026

Siemens WinCC Unified PC Runtime Key Material Protection Vulnerability

A vulnerability exists in all versions of SIMATIC WinCC Unified PC Runtime from V16 to V21 (excluding V21 Update 2), due to inadequate protection of key material in the WinCC Certificate Manager. This flaw could enable an attacker to extract sensitive information.

2.0
Jun 9, 2026

Nemon Products SQL Injection Vulnerability Allowing Unauthenticated Access to Two-Factor Authentication

A SQL injection vulnerability has been identified in Nemon Trade Energy and Nemon Trade Energy CRM, both in version 2.95.55. The issue arises in the 'two_steps_auth_code' parameter, which is processed by the 'twoStepsAuthVerification' function within the '/user-login' endpoint. This vulnerability allows unauthenticated attackers to access the two-factor authentication (2FA) functionality and execute arbitrary SQL queries on the backend database. Exploitation of this vulnerability could lead to database enumeration, unauthorized creation of privileged users, modification or deletion of critical information, and denial-of-service conditions.

3.4
Jun 9, 2026

Siemens SIPROTEC 5 Arbitrary File Upload Vulnerability via DIGSI 5 Protocol

A vulnerability exists in various Siemens SIPROTEC 5 device models, all versions, allowing authenticated users to upload arbitrary files through the DIGSI 5 protocol. This could enable the upload of malicious configuration files, potentially causing a denial-of-service condition and leading to unauthorized code execution.

4.1
Jun 9, 2026

Arm CPUs Privilege Escalation Vulnerability Allowing Unauthorized Writes to Higher Exception Level Resources

A vulnerability exists in certain Arm-based CPUs, including the Arm C1-Ultra, C1-Premium, various Neoverse models, and multiple Cortex-A and Cortex-X series processors. This vulnerability may permit unauthorized writes to resources managed by a higher exception level, potentially leading to privilege escalation.

5.0
Jun 9, 2026

Prime Elementor Addons WordPress Plugin Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the Prime Elementor Addons WordPress plugin, specifically in versions up to and including 1.3.3. The issue arises from inadequate input sanitization and output escaping in the Widget HTML Tag Settings. This vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. The injected scripts are executed when a user accesses the affected page. Notably, the exploitation does not require the unfiltered_html capability, as the payload can be crafted to bypass Elementor's wp_kses_post() filter by omitting HTML angle brackets.

3.4
Jun 9, 2026

Blocksy WordPress Theme PHP Object Injection Vulnerability Allowing Remote Code Execution

A vulnerability exists in the Blocksy theme for WordPress, specifically in versions through 2.1.35, allowing PHP object injection that could lead to remote code execution. This issue arises from inadequate input sanitization in the 'blocksy_post_meta_options' REST API field. The 'blocksy_sanitize_post_meta_options' function only filters out values containing '<' or '>', failing to prevent serialized PHP object strings from being saved in post metadata. During the V200 database migration, the 'SearchReplacer::run_recursively' function automatically deserializes all string values without class restrictions, enabling authenticated attackers with contributor-level access or higher to inject a serialized 'Blocksy\RaiiPattern' object into the post meta. When the V200 migration is executed on an updated site, this object is deserialized, and its destructor is triggered, executing arbitrary PHP functions via 'call_user_func'.

5.5
Jun 9, 2026

Slider Revolution Sensitive Information Disclosure Vulnerability

A vulnerability allowing sensitive information disclosure exists in the Slider Revolution plugin for WordPress, affecting versions through 7.0.10. This issue arises from three main design flaws: first, the plugin unintentionally exposes a valid backend AJAX nonce (revslider_actions) to all authenticated users, including Subscribers, through the admin_footer hook. Second, the wordpress.create.image_from_url action is improperly allowlisted for general use, bypassing necessary administrator-only restrictions. Third, the create_wordpress_image_from_url() function can be exploited by sending an attacker-controlled URL, which is then processed by import_media(). The vulnerability allows paths or URLs to be read from the local filesystem and copied into a publicly accessible directory, with the potential for reading sensitive file types. This exploitation enables authenticated users with Subscriber-level access and above to access and read server files with non-blacklisted extensions by having those files copied to a public URL.

5.6
Jun 9, 2026

S2OPC CycloneCrypto Library Certificate Revocation Vulnerability

A vulnerability exists in the S2OPC library's CycloneCrypto cryptographic wrapper, where the certificate revocation check only considers the first matching Certificate Revocation List (CRL) and ignores other valid CRLs from the same Certificate Authority (CA). This flaw could allow an OPC UA client to maintain a connection with a server while using a revoked certificate.

4.6
Jun 9, 2026

Apache Airflow Samba Provider Path Traversal Vulnerability in GCSToSambaOperator

A path traversal vulnerability has been identified in the Apache Airflow Samba provider, specifically within the GCSToSambaOperator. This issue arises because the operator concatenates Google Cloud Storage (GCS) object names with the Samba destination path without properly validating the containment of the path. As a result, an object name containing '../' segments could escape the intended destination path, allowing an attacker to write files to arbitrary locations on the Samba target. This vulnerability affects versions of the Apache Airflow Samba provider prior to 4.12.6.

3.0
Jun 9, 2026

Linux Kernel io_uring Waitid Information Exposure Vulnerability

A vulnerability in the Linux kernel's io_uring implementation of the WAITID operation can lead to the unintentional exposure of stale data to userspace. This issue arises because the operation's result fields are not properly initialized before being copied to userspace, allowing old bytes from reused command storage to leak through. The vulnerability affects Linux kernel versions 6.7 and later.

6.4
Jun 9, 2026

Apache Answer Sensitive Information Exposure Vulnerability in Unlisted Questions

A vulnerability allowing exposure of sensitive information to unauthorized users has been identified in Apache Answer versions prior to 2.0.0. The issue arises because the unlisted question feature failed to apply access restrictions on direct API endpoints. This oversight enabled authenticated users to discover and access unlisted questions, along with their answers, comments, and revision history.

2.5
Jun 9, 2026

Apache Answer Basic Cross-Site Scripting Vulnerability

A basic cross-site scripting vulnerability has been identified in Apache Answer versions through 2.0.0. This issue arises from improper neutralization of user-supplied content, which was included in notification emails without adequate escaping. As a result, authenticated users could inject arbitrary HTML into emails sent to other users.

2.5
Jun 9, 2026

Apache Answer Unrestricted File Upload Vulnerability Allowing Dangerous Types

A vulnerability allowing unrestricted upload of files with dangerous types has been identified in Apache Answer versions through 2.0.0. The issue arises because the server failed to properly validate user-supplied image URLs. This lack of validation allows arbitrary external content to be embedded as profile images, potentially exposing users to unintended external requests and tracking by third-party servers.

2.4
Jun 9, 2026

Apache Answer Unrestricted File Upload Vulnerability Leading to Denial-of-Service

A vulnerability allowing unrestricted upload of files with dangerous types has been identified in Apache Answer versions prior to 2.0.0. This issue arises when a crafted TIFF image is uploaded, triggering excessive memory allocation during the decoding process. As a result, an authenticated user could cause the server process to crash.

2.5
Jun 9, 2026

Dell iDRAC Tools Improper Link Resolution Vulnerability Allowing Information Tampering

A vulnerability exists in Dell iDRAC Tools versions prior to 11.4.1.0, related to improper link resolution before file access, also known as 'link following'. This vulnerability allows a low-privileged attacker with local access to potentially exploit the issue, leading to unauthorized information tampering.

1.9
Jun 9, 2026

Apache Answer Authorization Bypass Vulnerability in Timeline API Allowing Access to Private Information

An authorization bypass vulnerability has been identified in Apache Answer versions prior to 2.0.0. This issue allows authenticated users to access deleted, private, or unapproved content and its revision history through timeline-related APIs, which lacked proper authorization checks. As a result, private personal information could be exposed to unauthorized individuals.

2.5
Jun 9, 2026

Apache Answer Improper Neutralization of Alternate XSS Syntax Vulnerability Allowing Cross-Site Scripting

A cross-site scripting (XSS) vulnerability has been identified in Apache Answer versions through 2.0.0. This issue arises from improper sanitization of AI-generated response content, which was rendered in the browser without adequate protection. As a result, malicious scripts could be executed when the content was viewed.

2.9
Jun 9, 2026

Events Calendar for GeoDirectory Privilege Escalation Vulnerability

A privilege escalation vulnerability has been identified in the Events Calendar for GeoDirectory plugin for WordPress, affecting versions through 2.3.28. The issue arises in the ajax_ayi_action() handler, which inadequately sanitizes the attacker-controlled $_POST['type'] and $_POST['postid'] values before passing them to update_ayi_data(). This function then updates the user meta for the current user. By exploiting this flaw, an authenticated attacker with Subscriber-level access can manipulate their wp_capabilities user meta to gain Administrator privileges.

3.5
Jun 9, 2026

Catalyst Authentication Session Fixation Vulnerability

A session fixation vulnerability exists in Catalyst::Plugin::Authentication for Perl, specifically in versions prior to 0.10_027. The issue arises because the plugin does not automatically change the session ID after a user is authenticated. This lack of session ID rotation allows an attacker who has obtained a session ID cookie to impersonate the victim.

3.7
Jun 9, 2026

DBI Buffer Overflow Vulnerability in Perl

A buffer overflow vulnerability has been identified in the DBI module for Perl, specifically in versions prior to 1.648. The issue arises because error messages generated when the RaiseError, PrintError, or HandleError attributes are enabled are written to a buffer limited to 200 bytes, without proper length validation. This flaw can be exploited by attackers who can manipulate the error text within an application, potentially leading to memory corruption.

4.0
Jun 9, 2026

Zephyr Bluetooth Out-of-Bounds Write Vulnerability in L2CAP LE CoC Segmentation Handling

A remote, unauthenticated Bluetooth Low Energy (BLE) peer can exploit a vulnerability in the Zephyr Bluetooth host, specifically in versions through 4.4.0. The issue arises during the reassembly of L2CAP LE Connection-oriented Channel (CoC) Service Data Units (SDUs). When the application enables segmentation and the selected receive pool has a user data size smaller than 2 bytes, a 2-byte out-of-bounds write occurs. This vulnerability is triggered in the 'l2cap_chan_le_recv_seg' function within the L2CAP module of the Bluetooth host.

6.3
Jun 9, 2026

QNAP QuMagie Authorization Bypass Vulnerability Allowing Privilege Escalation

A vulnerability has been identified in QNAP QuMagie that allows remote attackers to bypass authorization through user-controlled keys, potentially leading to unauthorized privileges. This issue affects versions prior to QuMagie 2.9.1.

6.0
Jun 9, 2026

Huawei HarmonyOS Logic Bypass Vulnerability in the File System

A logic bypass vulnerability has been identified in the file system of Huawei devices running HarmonyOS. This vulnerability, which affects several different versions, can be exploited to disrupt the normal availability of the system.

5.0
Jun 9, 2026

Huawei HarmonyOS Package Management Module Use-After-Free Vulnerability

A use-after-free vulnerability has been identified in the package management module of Huawei's HarmonyOS. This vulnerability affects version 6.1.0 and could lead to integrity issues within the service.

5.0
Jun 9, 2026

Huawei HarmonyOS Package Management Module Use-After-Free Vulnerability

A use-after-free vulnerability has been identified in the package management module of Huawei devices running HarmonyOS 6.1.0. This vulnerability could be exploited to affect the integrity of services.

5.0
Jun 9, 2026

Huawei HarmonyOS Browser Kernel Denial-of-Service Vulnerability

A denial-of-service vulnerability has been identified in the browser kernel of Huawei's HarmonyOS. This vulnerability can be exploited to disrupt the normal functioning of the device, potentially leading to a loss of availability.

5.2
Jun 9, 2026

Huawei HarmonyOS Race Condition Vulnerability in IPC Module

A race condition vulnerability has been identified in the IPC module of Huawei's HarmonyOS. This vulnerability affects versions 6.1.0, 6.0.0, and 5.1.0. Successful exploitation of this vulnerability may impact the operating system's availability.

4.9
Jun 9, 2026

Huawei HarmonyOS IPC Module Out-of-Bounds Write Vulnerability

A medium-severity out-of-bounds write vulnerability has been identified in the IPC module of Huawei's HarmonyOS. This vulnerability is present in HarmonyOS versions 6.1.0, 6.0.0, and 5.1.0. Successful exploitation of this vulnerability may impact the availability of the device.

5.0
Jun 9, 2026

Huawei HarmonyOS and EMUI Log Service Denial-of-Service Vulnerability

A denial-of-service vulnerability has been identified in the log service of Huawei devices. This vulnerability affects several versions of HarmonyOS and EMUI, and its successful exploitation may disrupt the availability of the service.

5.2
Jun 9, 2026

Huawei HarmonyOS Permission Control Vulnerability in Audio Framework

A permission control vulnerability has been identified in the audio framework of Huawei devices running HarmonyOS 4.3.0. This vulnerability could affect service confidentiality.

5.2
Jun 9, 2026

Huawei HarmonyOS and EMUI Permission Control Vulnerability in Service Notifications

A permission control vulnerability has been identified in the service notifications of Huawei devices running HarmonyOS 4.3.0, HarmonyOS 4.3.1, HarmonyOS 4.2.0, HarmonyOS 4.0.0, EMUI 15.0.0, EMUI 14.2.0, and EMUI 14.0.0. This vulnerability could be exploited to disrupt the availability of the service.

5.2
Jun 9, 2026

Huawei HarmonyOS and EMUI Permission Control Vulnerability in Call Management

A permission control vulnerability has been identified in the call management feature of Huawei devices running HarmonyOS and EMUI. This vulnerability allows for improper handling of permissions, which could be exploited to disrupt the normal functioning of the call management system, potentially leading to a denial-of-service condition.

5.2
Jun 9, 2026

Huawei HarmonyOS Path Traversal Vulnerability in SMS App

A path traversal vulnerability has been identified in the SMS application on Huawei devices running HarmonyOS versions 6.1.0, 6.0.0, and 5.1.0. This vulnerability could be exploited to manipulate file paths, potentially leading to unauthorized access to files or directories. Successful exploitation may disrupt the application's availability.

1.9
Jun 9, 2026

QNAP Operating Systems Buffer Overflow Vulnerability Allowing Memory Modification or Process Crashes

A buffer overflow vulnerability has been identified in multiple QNAP operating system versions. This vulnerability allows remote attackers with administrator access to exploit the issue, potentially leading to unauthorized memory modification or process crashes.

5.1
Jun 9, 2026

Custom Block Builder WordPress Plugin Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the Custom Block Builder WordPress plugin, affecting versions prior to 4.3.0. The issue arises because the plugin does not consistently validate the unfiltered_html capability for all pathways that write to its block template code fields. This oversight allows administrators on multisite installations, or single-site installs with DISALLOW_UNFILTERED_HTML defined, to inject arbitrary JavaScript. The injected script executes for any visitor on pages that include the affected block.

3.5
Jun 9, 2026

Zephyr WebSocket Upgrade Memory Corruption Vulnerability Allowing Denial-of-Service and Potential Code Execution

A remote, unauthenticated vulnerability in Zephyr's HTTP server WebSocket upgrade process can be exploited by sending a crafted 'Sec-WebSocket-Key' header. The HTTP/1 header parser copies this header into a fixed-size buffer using a bounded copy that lacks guaranteed NUL termination when the input length reaches the buffer size. This flaw allows the 'strlen()' function to read beyond the stack buffer, potentially leading to out-of-bounds memory access. The vulnerability causes a stack memory corruption, resulting in a crash (denial-of-service) and could allow for code execution. This issue arises when 'CONFIG_HTTP_SERVER_WEBSOCKET' is enabled, affecting Zephyr versions 3.7.0 through 4.3.0.

6.2
Jun 9, 2026

WPForms WordPress Plugin PayPal Webhook Forgery Vulnerability

A vulnerability exists in the WPForms WordPress plugin in versions prior to 1.10.0.5, where the plugin fails to authenticate incoming PayPal webhook events before processing them. This flaw allows unauthenticated attackers to create fake webhook payloads and alter the payment status of any transaction.

7.7
Jun 9, 2026

QNAP Operating Systems Cross-Site Scripting Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in several QNAP operating system versions. This vulnerability allows remote attackers to bypass security mechanisms or access application data. Affected QNAP operating systems include QTS versions prior to 5.2.9.3492 build 20260507, QuTS hero versions prior to h5.2.9.3499 build 20260514, QuTS hero h5.3.4.3500 build 20260520 and earlier, and QuTS hero h6.0.0.3500 build 20260520 and earlier.

5.5
Jun 9, 2026

degit Command Injection Vulnerability Allowing Remote Code Execution

A command injection vulnerability has been identified in the degit package, specifically in versions prior to 2.8.6, and in versions from 3.0.0 up to but not including 3.3.1. The vulnerability arises from inadequate sanitization of user input for git repository names, which is directly passed to the exec() method. This flaw allows attackers to execute arbitrary operating system commands as the user running the process. The issue is exploited by supplying a specially crafted repository name that includes shell metacharacters, which are then evaluated by the shell before being passed to git.

4.8