CVE Catalog

Browse the latest Common Vulnerabilities and Exposures (CVEs) with CVSS scores, affected products, and next-gen risk scores.

Jun 8, 2026

Flowise Mass Assignment Vulnerability in Evaluator Management Allows Cross-Workspace Takeover

A mass assignment vulnerability has been identified in Flowise, a user interface for building customized large language model flows. This issue, present in versions through 3.1.1, allows for cross-workspace evaluator takeover by improperly handling workspace-related data during evaluator creation and updates. The vulnerability arises because the Evaluator controller does not validate which fields can be overwritten with client-controlled data, enabling authenticated users to manipulate evaluator ownership and access across workspaces.

Score: 3.8

Jun 8, 2026

Flowise Mass Assignment Vulnerability in Evaluations Endpoint Allows Cross-Workspace Data Takeover

A mass assignment vulnerability has been identified in Flowise versions prior to 3.1.2, specifically within the evaluations management feature. This issue allows an authenticated user to manipulate evaluation data across different workspaces, potentially leading to unauthorized access and modification of evaluation records. The vulnerability arises because the evaluation controller does not properly validate which fields can be updated, allowing client-controlled data to overwrite critical workspace-specific information. As a result, evaluations can be transferred between workspaces, disrupting data integrity and privacy.

Score: 3.9

Jun 8, 2026

Flowise DatasetRow Mass Assignment Vulnerability Allows Cross-Workspace Row Takeover

A mass assignment vulnerability has been identified in Flowise versions prior to 3.1.2, allowing cross-workspace row takeover in the DatasetRow entity. The issue arises because the DatasetRow controller mass-assigns client-controlled data, including workspace IDs, without proper validation. This flaw enables authenticated users to manipulate dataset rows across different workspaces, violating data isolation and potentially exposing sensitive information.

Score: 3.8

Jun 8, 2026

Flowise Mass Assignment Vulnerability in Dataset Management Allows Cross-Workspace Data Takeover

A mass assignment vulnerability has been identified in Flowise, a user interface for building customized large language model flows. This issue, present in versions prior to 3.1.2, allows for cross-workspace dataset takeover by exploiting the dataset creation and update processes. The vulnerability arises because the Dataset controller does not properly validate which fields can be overwritten, enabling authenticated users to manipulate dataset ownership and access through the workspaceId field.

Score: 3.9

Jun 8, 2026

Flowise Cross-Workspace Template Takeover Vulnerability via Mass Assignment

A vulnerability in Flowise prior to version 3.1.2 allows for cross-workspace template takeover through mass assignment in the CustomTemplate creation and update processes. The issue arises because the application does not properly validate which fields can be overwritten, allowing authenticated users to manipulate workspace-specific data and disrupt workspace isolation. This flaw can be exploited by any user with permission to edit custom templates, potentially leading to unauthorized access and modification rights in another workspace.

Score: 3.8

Jun 8, 2026

Flowise Mass Assignment Vulnerability Allows Cross-Workspace Assistant Takeover

A mass assignment vulnerability has been identified in Flowise, a user interface for building customized large language model flows. This issue, present in versions through 3.1.1, allows for cross-workspace assistant takeover by improperly handling workspace IDs during the creation and updating of assistant entities. The vulnerability arises because the application does not validate which fields can be overwritten, enabling authenticated users to manipulate assistant ownership and access across workspaces.

Score: 3.7

Jun 8, 2026

Flowise OpenAI Assistants Vector Store Missing Authentication Vulnerability

A vulnerability exists in Flowise versions prior to 3.1.2, where all CRUD endpoints for the OpenAI Assistants Vector Store lack authentication middleware. The route '/api/v1/openai-assistants-vector-store' is not included in WHITELIST_URLS and, although it requires API key authentication, it does not enforce any permission checks. This oversight allows any authenticated user to create, modify, or delete vector stores and to upload or exfiltrate files, regardless of their assigned permissions.

Score: 2.5

Jun 8, 2026

Flowise Credential Data Leak Vulnerability

A vulnerability in Flowise prior to version 3.1.2 allows authenticated users to access unredacted encrypted credential data, such as API keys and tokens, when using the 'credentialName' filter parameter. This data leak occurs because the 'encryptedData' field is not properly omitted from the response when the filter is applied, despite the code correctly excluding it when no filter is used. The issue has been patched in version 3.1.2.

Score: 3.8

Jun 8, 2026

Flowise Authenticated Remote Code Execution Vulnerability via Node Custom Function API

A remote code execution vulnerability has been identified in Flowise, a user interface for building large language model flows. This issue affects versions through 3.1.1. The vulnerability arises because the POST /api/v1/node-custom-function endpoint lacks proper authorization, allowing any authenticated user or API key to send arbitrary JavaScript to the Custom JS Function node. In typical deployments where E2B_APIKEY is not set, Flowise runs this code in a NodeVM sandbox, which can be escaped. This escape route enables access to the host process object, facilitating the execution of system commands through the child_process module. Consequently, this flaw results in authenticated remote code execution on the server hosting Flowise.

Score: 3.8

Jun 8, 2026

Flowise Mass Assignment Vulnerability in Assistant Update Endpoint Allows Cross-Workspace Resource Reassignment

A mass assignment vulnerability has been identified in Flowise versions prior to 3.1.2, specifically within the assistant update endpoint. This vulnerability allows authenticated users to modify server-controlled properties, such as workspaceId, createdDate, and updatedDate, when updating an assistant resource. The issue arises from a lack of proper server-side validation and authorization checks, enabling attackers to manipulate the workspaceId field and reassign assistants to arbitrary workspaces. This flaw disrupts tenant isolation in multi-workspace environments.

Score: 3.7

Jun 8, 2026

Flowise Basic Authentication Vulnerability Allowing Credential Exposure and Brute-Force Attacks

A vulnerability in Flowise's checkBasicAuth endpoint prior to version 3.1.2 validates plaintext credentials by direct comparison and without any rate limiting. The absence of rate limiting enables brute-force attacks on the authentication system. The endpoint also returns distinct messages for successful and failed authentication attempts, facilitating credential enumeration. The vulnerability has been patched in version 3.1.2.

Score: 3.0

Jun 8, 2026

Linux Kernel Bluetooth hci_uart Use-After-Free Vulnerability and Race Condition

A vulnerability in the Bluetooth hci_uart component of the Linux kernel has been addressed, which involved a Use-After-Free (UAF) issue and race conditions during the initialization and closing processes. The vulnerability arose because workqueues were not properly managed, leading to the potential for freed structures to be accessed incorrectly. This issue was particularly problematic if a hangup occurred before the setup was complete, allowing scheduled work to disrupt the lifecycle management of the component.

Score: 6.4

Jun 8, 2026

Linux Kernel io-wq Hash Management Vulnerability Leading to Use-After-Free

A vulnerability in the Linux kernel's I/O workqueue management can lead to a use-after-free condition. The issue arises in the 'io-wq' component, where the 'io_wq_remove_pending()' function fails to properly verify if a work item predecessor is hashed before updating the workqueue's hash tail. This oversight allows a pointer to a non-hashed I/O control block to be incorrectly stored, creating a dangling pointer once the work item is completed and freed. The flaw persists for the duration of the task, potentially leading to memory corruption when the freed memory is overwritten.

Score: 6.4

Jun 8, 2026

Apache HTTP Server Buffer Underwrite Vulnerability via Crafted Regular Expressions

A buffer underwrite vulnerability has been identified in Apache HTTP Server versions 2.4.0 prior to 2.4.67. This vulnerability arises in the core server when handling regular expressions in the configuration, allowing for potential memory manipulation.

Score: 5.7

Jun 8, 2026

Apache HTTP Server mod_proxy_ftp Infinite Loop Vulnerability

An infinite loop vulnerability has been identified in the mod_proxy_ftp module of Apache HTTP Server. This issue occurs when the server is connected to an attacker-controlled backend FTP server, causing the server to enter a loop with no reachable exit condition. This vulnerability affects Apache HTTP Server versions 2.4.0 through 2.4.67.

Score: 7.4

Jun 8, 2026

Apache HTTP Server Buffer Over-Read Vulnerability via Outbound OCSP Requests

A buffer over-read vulnerability has been identified in Apache HTTP Server in versions 2.4.0 prior to 2.4.67. This vulnerability occurs in the mod_ssl component when the server makes outbound OCSP requests to an attacker-controlled OCSP server. The flaw can be exploited to read memory beyond the intended bounds, potentially leading to information disclosure or a crash of the server process.

Score: 7.0

Jun 8, 2026

Apache HTTP Server Improper Privilege Management Vulnerability Allowing Unauthorized File Access

A vulnerability in Apache HTTP Server in versions through 2.4.67 allows local authors of .htaccess files to read files with the privileges of the httpd user. This issue arises from improper privilege management, enabling unauthorized access to certain files.

Score: 5.8

Jun 8, 2026

Apache HTTP Server Out-of-Bounds Read Vulnerability in mod_headers and mod_mime

An out-of-bounds read vulnerability has been identified in Apache HTTP Server versions 2.4.0 prior to 2.4.67. This vulnerability occurs in the 'merge_response_headers' function, where improper handling of multiple response languages can lead to memory access violations. The issue is present when both mod_headers and mod_mime are enabled, and can cause the server to crash.

Score: 6.9

Jun 8, 2026

Flowise Mass Assignment Vulnerability in Chatflow Update Endpoint Allows Cross-Workspace Reassignment

A mass assignment vulnerability has been identified in Flowise versions prior to 3.1.2, specifically within the chatflow update endpoint. This vulnerability allows authenticated users to manipulate server-controlled properties, such as deployment status, visibility, and workspace assignment, without proper validation or authorization. As a result, users can modify chatflow attributes without authorization and reassign chatflows to different workspaces, disrupting workflow management and tenant isolation.

Score: 3.9

Jun 8, 2026

Flowise Mass Assignment Vulnerability in Tool Update Endpoint Allows Cross-Workspace Resource Reassignment

A mass assignment vulnerability has been identified in Flowise versions prior to 3.1.2. The issue resides in the tool update endpoint, where authenticated users can modify server-controlled properties such as workspaceId, createdDate, and updatedDate. The vulnerability arises from inadequate server-side validation and authorization checks, enabling attackers to manipulate the workspaceId and reassign tools to arbitrary workspaces, thereby disrupting tenant isolation in multi-workspace environments.

Score: 3.7

Jun 8, 2026

Flowise Mass Assignment Vulnerability in Variable Update Endpoint Allows Cross-Workspace Resource Reassignment

A mass assignment vulnerability has been identified in Flowise versions prior to 3.1.2. The issue resides in the variable update endpoint, which allows authenticated users to modify server-controlled properties such as workspaceId, createdDate, and updatedDate. The vulnerability arises from inadequate server-side validation and authorization checks, enabling attackers to manipulate the workspaceId and reassign variables to arbitrary workspaces. This could disrupt tenant isolation in multi-workspace environments.

Score: 3.7

Jun 8, 2026

Apache HTTP Server Heap-Based Buffer Overflow Vulnerability in mod_xml2enc

A heap-based buffer overflow vulnerability has been identified in Apache HTTP Server versions 2.4.0 prior to 2.4.67, specifically in the mod_xml2enc module. The vulnerability arises in the xml2StartParse function when handling untrusted content, potentially leading to memory corruption.

Score: 7.0

Jun 8, 2026

Apache HTTP Server mod_dav_fs Protected Directory Access Vulnerability

A path handling vulnerability has been identified in the mod_dav_fs module of Apache HTTP Server versions through 2.4.67. This vulnerability allows WebDAV content authors to directly manipulate trusted DAV property databases, which could lead to crashes in child processes. The issue arises from improper handling of paths, enabling potential disruption of server processes.

Score: 6.3

Jun 8, 2026

Tenda FH451 Stack-Based Buffer Overflow Vulnerability in fromDhcpListClient Function Allowing Denial-of-Service

A stack-based buffer overflow vulnerability has been identified in the Tenda FH451 router, specifically in version 1.0.0.9. The issue arises in the 'fromDhcpListClient' function, which is part of the device's CGI handler. This vulnerability allows attackers to cause a denial-of-service condition by sending a crafted HTTP request that exploits the 'list1' parameter. The overflow occurs because the parameter is not properly validated before being copied into a buffer, leading to a process crash or instability on the device.

Score: 5.1

Jun 8, 2026

Apache HTTP Server Heap-Based Buffer Overflow Vulnerability in ProxyPassReverseCookie

A heap-based buffer overflow vulnerability has been identified in Apache HTTP Server versions 2.4.0 prior to 2.4.67. This vulnerability arises when the server is configured with malicious backend servers and uses the ProxyPassReverseCookie directive. The flaw allows an attacker to exploit the buffer overflow, potentially leading to arbitrary code execution or causing the server to crash.

Score: 7.0

Jun 8, 2026

Apache HTTP Server mod_proxy_html Buffer Overflow Vulnerability

A buffer overflow vulnerability has been identified in the mod_proxy_html module of Apache HTTP Server. This issue affects versions 2.4.67 and earlier, allowing an untrusted backend to execute an attack. The vulnerability can be exploited by sending crafted responses that manipulate memory, potentially leading to arbitrary code execution or causing the server to crash.

Score: 7.0

Jun 8, 2026

Imagination Technologies GPU Driver Use-After-Free Vulnerability via Improper Memory Management in Sparse Allocations

A use-after-free vulnerability has been identified in the Imagination Technologies GPU Driver Development Kit (DDK) releases starting from 24.2 RTM2 up to and including 26.1 RTM1. This vulnerability allows software running as a non-privileged user to make improper GPU system calls, leading to mismanagement of memory mappings for sparse allocations. The issue arises because mathematical operations are incorrectly scaled across buffers of varying sizes, causing the product to reference incorrect memory.

Score: 2.3

Jun 8, 2026

Apache HTTP Server mod_proxy_ftp Cross-Site Scripting Vulnerability

A cross-site scripting vulnerability has been identified in the mod_proxy_ftp module of Apache HTTP Server. This issue is present in versions through 2.4.67 and occurs during the generation of HTML directory listings when FTP directory contents are accessed via forward or reverse proxy configurations. The vulnerability allows for the injection of malicious scripts that could be executed in the context of the user's browser.

Score: 6.5

Jun 8, 2026

Apache HTTP Server mod_ldap Use-After-Free Vulnerability

A use-after-free vulnerability has been identified in Apache HTTP Server versions 2.4.0 prior to 2.4.67, specifically within the mod_ldap module when used in per-directory configurations. This vulnerability can lead to memory corruption and potentially allow for arbitrary code execution.

Score: 7.0

Jun 8, 2026

Imagination Technologies GPU Driver Kernel Heap Corruption Vulnerability

A vulnerability exists in the Imagination Technologies GPU driver development kit (DDK) that allows software running as a non-privileged user to make improper GPU system calls. These calls can corrupt kernel heap memory by mismanaging resource reference counting, creating a write use-after-free scenario. Under certain conditions, this exploitation can lead to unauthorized writes in the kernel memory, potentially altering the behavior of the operating system or other drivers.

Score: 1.9

Jun 8, 2026

Designcomputer Mysql-Mcp-Server SQL Injection Vulnerability in read_resource Function

A SQL injection vulnerability has been identified in the Designcomputer Mysql-Mcp-Server application, specifically in versions prior to 0.2.2. The issue arises in the Mysql URI Handler component, within the read_resource function of the server.py file. The vulnerability allows remote exploitation by manipulating the uri_str argument, leading to unauthorized SQL code execution. This injection occurs because the table name parameter is not properly sanitized before being interpolated into SQL queries, enabling attackers to inject malicious payloads that are executed with the full privileges of the MySQL user, which is typically the root user.

Score: 4.3

Jun 8, 2026

Tenda AC18 Web Management Interface Stack-Based Buffer Overflow Vulnerability

A stack-based buffer overflow vulnerability has been identified in the Tenda AC18 router, specifically in the web management interface of version 15.03.05.05. The vulnerability arises in the function sub_45304 within the '/goform/getRebootStatus' endpoint, where the 'callback' parameter is processed. The lack of input length validation allows an attacker to send an overly long string, leading to a buffer overflow that can overwrite the return address, potentially causing a crash of the web service or allowing remote code execution.

Score: 7.1

Jun 8, 2026

Tenda W20E Stack-Based Buffer Overflow Vulnerability in Web Management Interface

A stack-based buffer overflow vulnerability has been identified in the Tenda W20E router, specifically in version 15.11.0.6. The issue resides in the web management interface, within the 'modifyWifiFilterRules' function of the '/goform/modifyWifiFilterRules' endpoint. The vulnerability is triggered by sending an overly long string in the 'wifiFilterListRemark' parameter. This exploitation can be initiated remotely, and while it may cause a denial-of-service by crashing the web service, it could also lead to remote code execution.

Score: 5.9

Jun 8, 2026

Tenda W20E Stack-Based Buffer Overflow Vulnerability in Web Management Interface

A stack-based buffer overflow vulnerability has been identified in the Tenda W20E enterprise router, specifically in version 15.11.0.6. The issue arises in the web management interface within the 'formPortalAuth' function of the '/goform/PortalAuth' endpoint. The vulnerability can be exploited remotely by sending an overly long string in the 'gotoUrl' parameter, leading to a buffer overflow that overwrites the return address and potentially allows for remote code execution with root privileges.

Score: 6.6

Jun 8, 2026

Tenda W20E Stack-Based Buffer Overflow Vulnerability in Port Mirroring Function

A stack-based buffer overflow vulnerability has been identified in the Tenda W20E router, specifically in version 15.11.0.6. The issue arises in the 'formSetPortMirror' function within the file '/goform/setPortMirror'. The vulnerability allows remote attackers to manipulate the 'portMirrorMirroredPorts' argument, leading to a buffer overflow of a 256-byte stack buffer. This overflow can overwrite the saved Link Register, potentially causing a crash or allowing remote code execution.

Score: 5.4

Jun 8, 2026

Linux Kernel VKMS Driver Vblank Timer Implementation Vulnerability

A vulnerability in the Linux kernel's VKMS (virtual kernel mode setting) driver has been addressed. The issue involved the vblank timer implementation, which was replaced with a standard DRM (Direct Rendering Manager) version. The previous VKMS timer used a custom timeout mechanism that could lead to inaccuracies in vblank handling. The vulnerability affected the VKMS driver in the Linux kernel stable tree.

Score: 6.1

Jun 8, 2026

OfflineIMAP STARTTLS Enforcement Vulnerability Allowing STRIPTLS Man-in-the-Middle Attacks

A vulnerability exists in OfflineIMAP versions prior to 8.0.3, where the application fails to properly enforce STARTTLS when the server does not explicitly advertise its availability. This oversight can lead to STRIPTLS attacks, allowing a man-in-the-middle to intercept the connection and capture account credentials in cleartext. The issue arises because OfflineIMAP relies on the server's capability list instead of enforcing user-configured security settings.

Score: 4.4

Jun 8, 2026

Routinator RRDP Processing Denial-of-Service Vulnerability

A denial-of-service vulnerability has been identified in Routinator versions prior to and including 0.15.1. When the application processes a file received via the Repository Remediation and Distribution Protocol (RRDP) that contains a specially crafted Document Type Definition (DTD), Routinator crashes.

Score: 4.2

Jun 8, 2026

Routinator ASN String Handling Vulnerability Leading to Crash

A denial-of-service vulnerability has been identified in Routinator versions prior to and including 0.15.1. When a specifically crafted non-UTF-8 string is sent as the select-asn query parameter to the /api/v1/origins endpoint, Routinator crashes. This issue only affects users who permit API access from untrusted networks.

Score: 4.2

Jun 8, 2026

Routinator Path Traversal Vulnerability via Malicious Rsync URIs

A path traversal vulnerability has been identified in Routinator versions prior to and including 0.15.1. The issue arises because Routinator fails to properly validate the module component of rsync URIs. These URIs are used to generate file system paths for the Routinator cache. As a result, an attacker could craft a module name containing '..' to traverse directories, potentially gaining access to the entire Routinator rsync cache.

Score: 3.8

Jun 8, 2026

NLnet Labs Routinator Denial-of-Service Vulnerability via Connection Flooding

A denial-of-service vulnerability has been identified in NLnet Labs Routinator versions prior to and including 0.15.1. The issue arises because Routinator exits upon encountering any error while handling incoming HTTP or RTR connections. This includes recoverable errors, such as depleting available file descriptors. An attacker can exploit this vulnerability by opening a large number of connections to the HTTP or RTR server, causing Routinator to crash. This issue only affects users who expose their HTTP or RTR server to untrusted networks.

Score: 4.2

Jun 8, 2026

ninenines gun Unsolicited 101 Response Vulnerability Leading to Protocol Hijack and Denial-of-Service

A vulnerability in the ninenines gun HTTP client, specifically in the gun_http module, allows a malicious HTTP server to disrupt the client's protocol handling. This is achieved by sending an unsolicited 101 Switching Protocols response, which the client accepts without proper validation. As a result, the connection is switched to raw protocol mode, abandoning HTTP framing. In this raw mode, the client can be overwhelmed with arbitrary data, leading to excessive memory consumption and crashing the Erlang VM. This issue affects gun versions 2.0.0 prior to 2.4.0.

Score: 4.4

Jun 8, 2026

ninenines gun Unbounded HTTP Response Buffering Vulnerability Leading to Memory Exhaustion

A vulnerability in the gun_http module of ninenines gun, specifically in versions 1.0.0 prior to 2.4.0, allows a malicious server to exhaust client memory through unbounded HTTP/1.1 response buffering. The vulnerability arises because the module's response handling does not impose a limit on the size of the data buffered from incoming TCP streams. This flaw can be exploited by sending a partial response that never completes, causing the gun connection process to continuously append data to its buffer. As a result, a single malicious connection can lead to unbounded heap growth and a node-wide out-of-memory crash.

Score: 4.3

Jun 8, 2026

ninenines gun Origin Validation Error Vulnerability in HTTP/2 Module Allows Cross-Origin Cookie Injection

An origin validation error vulnerability has been identified in the ninenines gun HTTP/2 module, specifically in versions 2.0.0 prior to 2.4.0. This vulnerability allows cross-origin cookie injection through unvalidated HTTP/2 PUSH_PROMISE authority. The issue arises because the :authority pseudo-header from incoming PUSH_PROMISE frames is stored without validation, enabling malicious HTTP/2 servers to inject cookies into the client's shared cookie store. This could lead to session fixation attacks and potentially allow attackers to take over user accounts.

Score: 3.9

Jun 8, 2026

Tenda AC1206 Stack Overflow Vulnerability in fromGstDhcpSetSer CGI Handler Allowing Denial-of-Service

A stack-based buffer overflow vulnerability has been identified in the Tenda AC1206 router, specifically in version 15.03.06.23. The issue arises in the 'fromGstDhcpSetSer' CGI handler, where user-controlled 'username' and 'password' parameters are processed without proper length validation or sanitization. This vulnerability can be exploited by sending a crafted HTTP request to the 'fromGstDhcpSetSer' endpoint, causing a denial-of-service condition by crashing or rebooting the device. Additionally, this vulnerability could potentially be exploited for remote code execution.

Score: 6.0

Jun 8, 2026

QloApps Stored Cross-Site Scripting Vulnerability via SVG Upload in Admin File Manager

A stored cross-site scripting vulnerability has been identified in QloApps versions through 1.7.0. This issue resides in the admin file manager, where authenticated administrators can upload malicious SVG files. These crafted files can include JavaScript event handlers, such as 'onload', which, when viewed by other users, execute arbitrary scripts in their browsers. This vulnerability exploits the fact that SVG files are accepted and later served in a way that allows script execution.

Score: 4.6

Jun 8, 2026

Bank Management System Spring Boot Improper Authorization Vulnerability in Transaction Endpoint

A vulnerability allowing improper authorization has been identified in the Bank Management System application developed with Spring Boot, specifically in versions up to commit 7b9bcc65ad7df3db29af71aed9bb500e5f24d948. The issue resides in the Transaction Controller, where critical transaction endpoints `/transaction/deposit` and `/transaction/withdraw` are exposed to unauthenticated users. This lack of authentication and authorization checks enables unauthorized financial operations, such as deposits and withdrawals, based solely on knowledge of a valid card number and, for withdrawals, the corresponding CVV.

Score: 4.7

Jun 8, 2026

SourceCodester Inventory System Cross-Site Scripting Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in SourceCodester Inventory System version 1.0. The issue arises from an unknown functionality in the file header.php, allowing remote attackers to inject malicious scripts. The vulnerability is believed to be exploitable through multiple parameters.

Score: 4.1

Jun 8, 2026

SourceCodester Inventory System Improper Authorization Vulnerability in Account Creation Handler

A vulnerability allowing improper authorization has been identified in SourceCodester Inventory System version 1.0. The issue arises in the Account Creation Handler component, specifically within the file '/Product_Inventory/api/users_handler.php'. The vulnerability is triggered by manipulating the 'ROLE' argument, which could potentially be exploited remotely. This flaw could be used to bypass authorization controls, leading to unauthorized actions or access within the application.

Score: 4.7

Jun 8, 2026

SourceCodester Inventory System Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in SourceCodester Inventory System version 1.0. The issue resides in the User Management page (`users.php`), where the application fails to properly sanitize user input from the `fullname` and `username` fields before storing it in the database. This unsanitized data is later rendered in the admin panel, allowing for the execution of malicious scripts. The vulnerability can be exploited remotely and without authentication.

Score: 4.3