Ubuntu Security Notice USN-6630-1

Ubuntu Security Notice 6630-1 - It was discovered that Glance_store incorrectly handled logging when the DEBUG log level is enabled. A local attacker could use this issue to obtain access_key values.

Red Hat Security Advisory 2024-0772-03

Red Hat Security Advisory 2024-0772-03 - An update for the squid:4 module is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions. Issues addressed include buffer over-read, denial of service, and null pointer vulnerabilities.

Red Hat Security Advisory 2024-0773-03

Red Hat Security Advisory 2024-0773-03 - An update for the squid:4 module is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions. Issues addressed include buffer over-read, denial of service, and null pointer vulnerabilities.

Red Hat Security Advisory 2024-0768-03

Red Hat Security Advisory 2024-0768-03 - An update for libmaxminddb is now available for Red Hat Enterprise Linux 8.

Red Hat Security Advisory 2024-0769-03

Red Hat Security Advisory 2024-0769-03 - An update for tcpdump is now available for Red Hat Enterprise Linux 8. Issues addressed include a use-after-free vulnerability.

Red Hat Security Advisory 2024-0771-03

Red Hat Security Advisory 2024-0771-03 - An update for the squid:4 module is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Issues addressed include buffer over-read, denial of service, and null pointer vulnerabilities.

Gentoo Linux Security Advisory 202402-11

Gentoo Linux Security Advisory 202402-11 - Multiple denial of service vulnerabilities have been found in libxml2. Versions greater than or equal to 2.12.5 are affected.

[webapps] Wordpress Seotheme - Remote Code Execution Unauthenticated

Wordpress Seotheme - Remote Code Execution Unauthenticated

[webapps] Wordpress Augmented-Reality - Remote Code Execution Unauthenticated

Wordpress Augmented-Reality - Remote Code Execution Unauthenticated

[dos] Elasticsearch - StackOverflow DoS

Elasticsearch - StackOverflow DoS

[webapps] Online Nurse Hiring System 1.0 - Time-Based SQL Injection

Online Nurse Hiring System 1.0 - Time-Based SQL Injection

[remote] Zyxel zysh - Format string

Zyxel zysh - Format string

[webapps] Rail Pass Management System 1.0 - Time-Based SQL Injection

Rail Pass Management System 1.0 - Time-Based SQL Injection

[webapps] Advanced Page Visit Counter 1.0 - Admin+ Stored Cross-Site Scripting (XSS) (Authenticated)

Advanced Page Visit Counter 1.0 - Admin+ Stored Cross-Site Scripting (XSS) (Authenticated)

[webapps] Wordpress 'simple urls' Plugin < 115 - XSS

Wordpress 'simple urls' Plugin

[webapps] Curfew e-Pass Management System 1.0 - FromDate SQL Injection

Curfew e-Pass Management System 1.0 - FromDate SQL Injection

[webapps] GYM MS - GYM Management System - Cross Site Scripting (Stored)

GYM MS - GYM Management System - Cross Site Scripting (Stored)

[remote] Milesight Routers UR5X, UR32L, UR32, UR35, UR41 - Credential Leakage Through Unprotected System Logs and Weak Password Encryption

Milesight Routers UR5X, UR32L, UR32, UR35, UR41 - Credential Leakage Through Unprotected System Logs and Weak Password Encryption

[webapps] TASKHUB-2.8.8 - XSS-Reflected

TASKHUB-2.8.8 - XSS-Reflected

[webapps] WhatsUp Gold 2022 (22.1.0 Build 39) - XSS

WhatsUp Gold 2022 (22.1.0 Build 39) - XSS

[webapps] MISP 2.4.171 - Stored XSS

MISP 2.4.171 - Stored XSS

[webapps] Clinic's Patient Management System 1.0 - Unauthenticated RCE

Clinic's Patient Management System 1.0 - Unauthenticated RCE

APPLE-SA-02-02-2024-1 visionOS 1.0.2

Posted by Apple Product Security via Fulldisclosure on Feb 04

APPLE-SA-02-02-2024-1 visionOS 1.0.2

visionOS 1.0.2 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT214070.

Apple maintains a Security Releases page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.

WebKit
Available for: Apple Vision Pro
Impact: Processing maliciously crafted web content may lead to
arbitrary code...

CVE-2023-6246: Heap-based buffer overflow in the glibc's syslog()

Posted by Qualys Security Advisory via Fulldisclosure on Feb 04

Qualys Security Advisory

CVE-2023-6246: Heap-based buffer overflow in the glibc's syslog()

========================================================================
Contents
========================================================================

Summary
Analysis
Proof of concept
Exploitation
Acknowledgments
Timeline

========================================================================
Summary...

Out-of-bounds read & write in the glibc's qsort()

Posted by Qualys Security Advisory via Fulldisclosure on Feb 04

Qualys Security Advisory

For the algorithm lovers: Nontransitive comparison functions lead to
out-of-bounds read & write in glibc's qsort()

========================================================================
Contents
========================================================================

Summary
Background
Experiments
Analysis
Patch
Discussion
Acknowledgments
Timeline

CUT MY LIST IN TWO PIECES
THAT'S HOW YOU START...

TROJAN.WIN32 BANKSHOT / Remote Stack Buffer Overflow (SEH)

Posted by malvuln on Feb 04

Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024
Original source:
https://malvuln.com/advisory/f2fd6a7b400782bb43499e722fb62cf4.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln

Threat: Trojan.Win32 BankShot
Vulnerability: Remote Stack Buffer Overflow (SEH)
Description: The malware listens on TCP port 1978 and creates a local
Windows service running with SYSTEM integrity. Third-party adversaries who
can reach the...

Research about usage & possible issues of the NVD

Posted by Andreas Hammer on Feb 04

Hello there!

The University of Erlangen-Nuremberg (Germany) is conducting a research
study to investigate the usage and possible issues of the NVD (National
Vulnerability Database). If you are using the NVD regularly, we would
greatly appreciate your participation which contributes to the
improvement of vulnerability management. You can read more about the
survey here:

https://www.cs1.tf.fau.de/2024/01/29/survey-on-usage-of-nvd/

The...

[KIS-2024-01] XenForo <= 2.2.13 (ArchiveImport.php) Zip Slip Vulnerability

Posted by Egidio Romano on Feb 04

------------------------------------------------------------
XenForo <= 2.2.13 (ArchiveImport.php) Zip Slip Vulnerability
------------------------------------------------------------

[-] Software Link:

https://xenforo.com

[-] Affected Versions:

Version 2.2.13 and prior versions.

[-] Vulnerability Description:

The vulnerability is located in the
/src/XF/Service/Style/ArchiveImport.php script. Specifically, into the...

NULL pointer dereference in the function handle_viminfo_register() of vim

Posted by Christian Brabandt on Feb 04

Meng Ruijie wrote:

Meng,

This particular problem was fixed in Vim v9.0.1740
https://github.com/vim/vim/commit/0a0764684591c7c6a5d722b628f11dc96208e853

I have no idea, why this issue is worth a CVE, because if an attacker
can modify your .viminfo file to make Vim crash, he already has the
possibilities to do much more harm directly. So I don't think this is
particular useful CVE. I'd also like to dispute this.

Thanks,
Christian

[webapps] Electrolink FM/DAB/TV Transmitter - Pre-Auth MPFS Image Remote Code Execution

Electrolink FM/DAB/TV Transmitter - Pre-Auth MPFS Image Remote Code Execution

[webapps] Electrolink FM/DAB/TV Transmitter (Login Cookie) - Authentication Bypass

Electrolink FM/DAB/TV Transmitter (Login Cookie) - Authentication Bypass

[webapps] TP-Link TL-WR740N - UnAuthenticated Directory Transversal

TP-Link TL-WR740N - UnAuthenticated Directory Transversal

[webapps] TP-LINK TL-WR740N - Multiple HTML Injection

TP-LINK TL-WR740N - Multiple HTML Injection

[webapps] mooSocial 3.1.8 - Cross-Site Scripting (XSS) on User Login Page

mooSocial 3.1.8 - Cross-Site Scripting (XSS) on User Login Page

[remote] PCMan FTP Server 2.0 - 'pwd' Remote Buffer Overflow

PCMan FTP Server 2.0 - 'pwd' Remote Buffer Overflow

[webapps] Electrolink FM/DAB/TV Transmitter (controlloLogin.js) - Credentials Disclosure

Electrolink FM/DAB/TV Transmitter (controlloLogin.js) - Credentials Disclosure

[dos] Electrolink FM/DAB/TV Transmitter - Unauthenticated Remote DoS

Electrolink FM/DAB/TV Transmitter - Unauthenticated Remote DoS

[webapps] Juniper-SRX-Firewalls&EX-switches - (PreAuth-RCE) (PoC)

Juniper-SRX-Firewalls&EX-switches - (PreAuth-RCE) (PoC)

[webapps] Electrolink FM/DAB/TV Transmitter (login.htm/mail.htm) - Credentials Disclosure

Electrolink FM/DAB/TV Transmitter (login.htm/mail.htm) - Credentials Disclosure

[remote] WebCatalog 48.4 - Arbitrary Protocol Execution

WebCatalog 48.4 - Arbitrary Protocol Execution

[webapps] Electrolink FM/DAB/TV Transmitter - Remote Authentication Removal

Electrolink FM/DAB/TV Transmitter - Remote Authentication Removal

[webapps] GoAhead Web Server 2.5 - 'goform/formTest' Multiple HTML Injection Vulnerabilities

GoAhead Web Server 2.5 - 'goform/formTest' Multiple HTML Injection Vulnerabilities

[remote] RoyalTSX 6.0.1 - RTSZ File Handling Heap Memory Corruption PoC

RoyalTSX 6.0.1 - RTSZ File Handling Heap Memory Corruption PoC

[remote] Proxmox VE - TOTP Brute Force

Proxmox VE - TOTP Brute Force

[webapps] 101 News 1.0 - Multiple-SQLi

101 News 1.0 - Multiple-SQLi

[webapps] Academy LMS 6.2 - SQL Injection

Academy LMS 6.2 - SQL Injection

[webapps] Academy LMS 6.2 - Reflected XSS

Academy LMS 6.2 - Reflected XSS

[webapps] Grocy <=4.0.2 - CSRF

Grocy

[remote] Equipment Rental Script-1.0 - SQLi

Equipment Rental Script-1.0 - SQLi

[remote] Ricoh Printer - Directory and File Exposure

Ricoh Printer - Directory and File Exposure

[remote] Blood Bank & Donor Management System using v2.2 - Stored XSS

Blood Bank & Donor Management System using v2.2 - Stored XSS

[webapps] Fundraising Script 1.0 - SQLi

Fundraising Script 1.0 - SQLi

[webapps] PHP Shopping Cart 4.2 - Multiple-SQLi

PHP Shopping Cart 4.2 - Multiple-SQLi

[local] Typora v1.7.4 - OS Command Injection

Typora v1.7.4 - OS Command Injection

[local] 7 Sticky Notes v1.9 - OS Command Injection

7 Sticky Notes v1.9 - OS Command Injection

[webapps] Bank Locker Management System - SQL Injection

Bank Locker Management System - SQL Injection

Re: Buffer Overflow in graphviz via via a crafted config6a file

Posted by Matthew Fernandez on Jan 27

More specifically, this issue is an out-of-bounds read.

AFAICT the issue was actually introduced in Graphviz 2.36. It was fixed
in commit a95f977f5d809915ec4b14836d2b5b7f5e74881e (essentially
reverting cf95714837f06f684929b54659523c2c9b1fc19f that introduced the
issue), but there has been no release yet since then. The next release
will be 10.0.0. So affected versions would be [2.36, 10.0.0).

To exploit this issue, you need to modify a...

Re: null pointer deference in nano via read_the_list()

Posted by Mark Esler on Jan 27

Hi Meng,

In your recent mass posts to FD, are you reporting vulnerabilities or
bug reports which have words like "segfault" in the title? What benefit
do you see this having? Have you spoken to each upstream project before
requesting a CVE be assigned?

Thank you,
Mark Esler

CVEs based on commit messages

Posted by Mark Esler on Jan 27

Dear Meng Rujie,

In regards to your recent FD posts, are you requesting CVEs based on the
presence of strings in commit messages such as "null pointer dereference"?

Are you reaching out to each upstream project before assigning a CVE? Do
you believe that every null pointer bug is a vulnerability? What impact
are you hoping to achieve?

Please reconsider how you are requesting CVEs.

CVE assignment based on commit message allows...

Re: NULL pointer dereference in freedesktop Mesa via check_xshm()

Posted by Dan Cross on Jan 27

I find it very difficult to believe that every NULL pointer error in
existence is a security vulnerability.

- Dan C.