| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Quick Agent V3 and Quick Agent V2 contain an issue with improper limitation of a pathname to a restricted directory ('Path Traversal'). If exploited, an arbitrary file in the affected product may be obtained by a remote attacker who can log in to the product. |
| In the Linux kernel, the following vulnerability has been resolved:
idpf: cleanup remaining SKBs in PTP flows
When the driver requests Tx timestamp value, one of the first steps is
to clone SKB using skb_get. It increases the reference counter for that
SKB to prevent unexpected freeing by another component.
However, there may be a case where the index is requested, SKB is
assigned and never consumed by PTP flows - for example due to reset during
running PTP apps.
Add a check in release timestamping function to verify if the SKB
assigned to Tx timestamp latch was freed, and release remaining SKBs. |
| Cross-Site Request Forgery (CSRF) vulnerability in Code Amp Search & Filter search-filter allows Cross Site Request Forgery.This issue affects Search & Filter: from n/a through <= 1.2.17. |
| A vulnerability was found in Multilaser Sirius RE016 MLT1.0. It has been rated as problematic. This issue affects some unknown processing of the file /cgi-bin/cstecgi.cgi. The manipulation leads to information disclosure. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| Prey 1.9.6 contains an unquoted service path vulnerability that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in the CronService to insert malicious code that would execute during application startup or system reboot. |
| In the Linux kernel, the following vulnerability has been resolved:
x86/mm: Fix SMP ordering in switch_mm_irqs_off()
Stephen noted that it is possible to not have an smp_mb() between
the loaded_mm store and the tlb_gen load in switch_mm(), meaning the
ordering against flush_tlb_mm_range() goes out the window, and it
becomes possible for switch_mm() to not observe a recent tlb_gen
update and fail to flush the TLBs.
[ dhansen: merge conflict fixed by Ingo ] |
| IP Watcher 3.0.0.30 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to execute arbitrary code. Attackers can exploit the unquoted binary path to inject malicious executables that will be launched with elevated LocalSystem privileges during service startup. |
| In the Linux kernel, the following vulnerability has been resolved:
accel/qaic: Treat remaining == 0 as error in find_and_map_user_pages()
Currently, if find_and_map_user_pages() takes a DMA xfer request from the
user with a length field set to 0, or in a rare case, the host receives
QAIC_TRANS_DMA_XFER_CONT from the device where resources->xferred_dma_size
is equal to the requested transaction size, the function will return 0
before allocating an sgt or setting the fields of the dma_xfer struct.
In that case, encode_addr_size_pairs() will try to access the sgt which
will lead to a general protection fault.
Return an EINVAL in case the user provides a zero-sized ALP, or the device
requests continuation after all of the bytes have been transferred. |
| WordPress 3.5 through 6.8.2 allows remote attackers to guess titles of private and draft posts via pingback.ping XML-RPC requests. NOTE: the Supplier is not changing this behavior. |
| An XSS issue was discovered in the Link iframe formatter module before 1.x-1.1.1 for Backdrop CMS. It doesn't sufficiently sanitize input before displaying results to the screen. This vulnerability is mitigated by the fact that an attacker must have the ability to create content containing an iFrame field. |
| In the Linux kernel, the following vulnerability has been resolved:
ext4: detect invalid INLINE_DATA + EXTENTS flag combination
syzbot reported a BUG_ON in ext4_es_cache_extent() when opening a verity
file on a corrupted ext4 filesystem mounted without a journal.
The issue is that the filesystem has an inode with both the INLINE_DATA
and EXTENTS flags set:
EXT4-fs error (device loop0): ext4_cache_extents:545: inode #15:
comm syz.0.17: corrupted extent tree: lblk 0 < prev 66
Investigation revealed that the inode has both flags set:
DEBUG: inode 15 - flag=1, i_inline_off=164, has_inline=1, extents_flag=1
This is an invalid combination since an inode should have either:
- INLINE_DATA: data stored directly in the inode
- EXTENTS: data stored in extent-mapped blocks
Having both flags causes ext4_has_inline_data() to return true, skipping
extent tree validation in __ext4_iget(). The unvalidated out-of-order
extents then trigger a BUG_ON in ext4_es_cache_extent() due to integer
underflow when calculating hole sizes.
Fix this by detecting this invalid flag combination early in ext4_iget()
and rejecting the corrupted inode. |
| An issue was discovered in the Masquerade module before 1.x-1.0.1 for Backdrop CMS. It allows people to temporarily switch to another user account. The module provides a "Masquerade as admin" permission to restrict people (who can masquerade) from switching to an account with administrative privileges. This permission is not always honored and may allow non-administrative users to masquerade as an administrator. This vulnerability is mitigated by the fact that an attacker must have a role with the "Masquerade as user" permission. |
| A vulnerability was found in Marwal Infotech CMS 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /page.php. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| In the Linux kernel, the following vulnerability has been resolved:
drm/xe/guc: Check GuC running state before deregistering exec queue
In normal operation, a registered exec queue is disabled and
deregistered through the GuC, and freed only after the GuC confirms
completion. However, if the driver is forced to unbind while the exec
queue is still running, the user may call exec_destroy() after the GuC
has already been stopped and CT communication disabled.
In this case, the driver cannot receive a response from the GuC,
preventing proper cleanup of exec queue resources. Fix this by directly
releasing the resources when GuC is not running.
Here is the failure dmesg log:
"
[ 468.089581] ---[ end trace 0000000000000000 ]---
[ 468.089608] pci 0000:03:00.0: [drm] *ERROR* GT0: GUC ID manager unclean (1/65535)
[ 468.090558] pci 0000:03:00.0: [drm] GT0: total 65535
[ 468.090562] pci 0000:03:00.0: [drm] GT0: used 1
[ 468.090564] pci 0000:03:00.0: [drm] GT0: range 1..1 (1)
[ 468.092716] ------------[ cut here ]------------
[ 468.092719] WARNING: CPU: 14 PID: 4775 at drivers/gpu/drm/xe/xe_ttm_vram_mgr.c:298 ttm_vram_mgr_fini+0xf8/0x130 [xe]
"
v2: use xe_uc_fw_is_running() instead of xe_guc_ct_enabled().
As CT may go down and come back during VF migration.
(cherry picked from commit 9b42321a02c50a12b2beb6ae9469606257fbecea) |
| A vulnerability was found in Fengoffice Feng Office 3.5.1.5 and classified as critical. Affected by this issue is some unknown functionality of the file /index.php?c=account&a=set_timezone. The manipulation of the argument tz_offset leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| In the Linux kernel, the following vulnerability has been resolved:
media: nxp: imx8-isi: m2m: Fix streaming cleanup on release
If streamon/streamoff calls are imbalanced, such as when exiting an
application with Ctrl+C when streaming, the m2m usage_count will never
reach zero and the ISI channel won't be freed. Besides from that, if the
input line width is more than 2K, it will trigger a WARN_ON():
[ 59.222120] ------------[ cut here ]------------
[ 59.226758] WARNING: drivers/media/platform/nxp/imx8-isi/imx8-isi-hw.c:631 at mxc_isi_channel_chain+0xa4/0x120, CPU#4: v4l2-ctl/654
[ 59.238569] Modules linked in: ap1302
[ 59.242231] CPU: 4 UID: 0 PID: 654 Comm: v4l2-ctl Not tainted 6.16.0-rc4-next-20250704-06511-gff0e002d480a-dirty #258 PREEMPT
[ 59.253597] Hardware name: NXP i.MX95 15X15 board (DT)
[ 59.258720] pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 59.265669] pc : mxc_isi_channel_chain+0xa4/0x120
[ 59.270358] lr : mxc_isi_channel_chain+0x44/0x120
[ 59.275047] sp : ffff8000848c3b40
[ 59.278348] x29: ffff8000848c3b40 x28: ffff0000859b4c98 x27: ffff800081939f00
[ 59.285472] x26: 000000000000000a x25: ffff0000859b4cb8 x24: 0000000000000001
[ 59.292597] x23: ffff0000816f4760 x22: ffff0000816f4258 x21: ffff000084ceb780
[ 59.299720] x20: ffff000084342ff8 x19: ffff000084340000 x18: 0000000000000000
[ 59.306845] x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffffdb369e1c
[ 59.313969] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
[ 59.321093] x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000
[ 59.328217] x8 : ffff8000848c3d48 x7 : ffff800081930b30 x6 : ffff800081930b30
[ 59.335340] x5 : ffff0000859b6000 x4 : ffff80008193ae80 x3 : ffff800081022420
[ 59.342464] x2 : ffff0000852f6900 x1 : 0000000000000001 x0 : ffff000084341000
[ 59.349590] Call trace:
[ 59.352025] mxc_isi_channel_chain+0xa4/0x120 (P)
[ 59.356722] mxc_isi_m2m_streamon+0x160/0x20c
[ 59.361072] v4l_streamon+0x24/0x30
[ 59.364556] __video_do_ioctl+0x40c/0x4a0
[ 59.368560] video_usercopy+0x2bc/0x690
[ 59.372382] video_ioctl2+0x18/0x24
[ 59.375857] v4l2_ioctl+0x40/0x60
[ 59.379168] __arm64_sys_ioctl+0xac/0x104
[ 59.383172] invoke_syscall+0x48/0x104
[ 59.386916] el0_svc_common.constprop.0+0xc0/0xe0
[ 59.391613] do_el0_svc+0x1c/0x28
[ 59.394915] el0_svc+0x34/0xf4
[ 59.397966] el0t_64_sync_handler+0xa0/0xe4
[ 59.402143] el0t_64_sync+0x198/0x19c
[ 59.405801] ---[ end trace 0000000000000000 ]---
Address this issue by moving the streaming preparation and cleanup to
the vb2 .prepare_streaming() and .unprepare_streaming() operations. This
also simplifies the driver by allowing direct usage of the
v4l2_m2m_ioctl_streamon() and v4l2_m2m_ioctl_streamoff() helpers. |
| A vulnerability was discovered in the Arctera InfoScale 7.0 through 8.0.2 where a .NET remoting endpoint can be exploited due to the insecure deserialization of potentially untrusted messages. The vulnerability is present in the Windows Plugin_Host service, which runs on all the servers where InfoScale is installed. The service is used only when applications are configured for Disaster Recovery (DR) using the DR wizard. Disabling the Plugin_Host service manually will eliminate the vulnerability. |
| Thor before 1.4.0 can construct an unsafe shell command from library input. NOTE: this is disputed by the Supplier because "the method that was fixed can only be used with arguments that are controlled by Thor, and there is no way an attacker can take control of those arguments." |
| In the Linux kernel, the following vulnerability has been resolved:
xen/events: Return -EEXIST for bound VIRQs
Change find_virq() to return -EEXIST when a VIRQ is bound to a
different CPU than the one passed in. With that, remove the BUG_ON()
from bind_virq_to_irq() to propogate the error upwards.
Some VIRQs are per-cpu, but others are per-domain or global. Those must
be bound to CPU0 and can then migrate elsewhere. The lookup for
per-domain and global will probably fail when migrated off CPU 0,
especially when the current CPU is tracked. This now returns -EEXIST
instead of BUG_ON().
A second call to bind a per-domain or global VIRQ is not expected, but
make it non-fatal to avoid trying to look up the irq, since we don't
know which per_cpu(virq_to_irq) it will be in. |
| Malicious content at office documents can be used to inject script code when editing a document. Unintended actions can be executed in the context of the users account, including exfiltration of sensitive information. Please deploy the provided updates and patch releases. No publicly available exploits are known |
