#ExploitObserverAlert
WLB-2024020066
DESCRIPTION: Exploit Observer has 1 entries in 1 file formats related to WLB-2024020066. InstantCMS 2.16.1 Cross Site Scripting.
WLB-2024020066
DESCRIPTION: Exploit Observer has 1 entries in 1 file formats related to WLB-2024020066. InstantCMS 2.16.1 Cross Site Scripting.
#ExploitObserverAlert
CVE-2024-22824
DESCRIPTION: Exploit Observer has 1 entries in 1 file formats related to CVE-2024-22824. An issue in Timo v.2.0.3 allows a remote attacker to execute arbitrary code via the filetype restrictions in the UploadController.java component.
CVE-2024-22824
DESCRIPTION: Exploit Observer has 1 entries in 1 file formats related to CVE-2024-22824. An issue in Timo v.2.0.3 allows a remote attacker to execute arbitrary code via the filetype restrictions in the UploadController.java component.
#ExploitObserverAlert
CVE-2023-52437
DESCRIPTION: Exploit Observer has 1 entries in 1 file formats related to CVE-2023-52437. In the Linux kernel, the following vulnerability has been resolved: Revert "md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d" This reverts commit 5e2cf333b7bd5d3e62595a44d598a254c697cd74. That commit introduced the following race and can cause system hung. md_write_start: raid5d: // mddev->in_sync == 1 set "MD_SB_CHANGE_PENDING" // running before md_write_start wakeup it waiting "MD_SB_CHANGE_PENDING" cleared >>>>>>>>> hung wakeup mddev->thread ... waiting "MD_SB_CHANGE_PENDING" cleared >>>> hung, raid5d should clear this flag but get hung by same flag. The issue reverted commit fixing is fixed by last patch in a new way.
CVE-2023-52437
DESCRIPTION: Exploit Observer has 1 entries in 1 file formats related to CVE-2023-52437. In the Linux kernel, the following vulnerability has been resolved: Revert "md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d" This reverts commit 5e2cf333b7bd5d3e62595a44d598a254c697cd74. That commit introduced the following race and can cause system hung. md_write_start: raid5d: // mddev->in_sync == 1 set "MD_SB_CHANGE_PENDING" // running before md_write_start wakeup it waiting "MD_SB_CHANGE_PENDING" cleared >>>>>>>>> hung wakeup mddev->thread ... waiting "MD_SB_CHANGE_PENDING" cleared >>>> hung, raid5d should clear this flag but get hung by same flag. The issue reverted commit fixing is fixed by last patch in a new way.
#ExploitObserverAlert
GHSA-vp66-gf7w-9m4x
DESCRIPTION: Exploit Observer has 6 entries in 3 file formats related to GHSA-vp66-gf7w-9m4x. Insufficient Session Expiration in github.com/greenpau/caddy-security
GHSA-vp66-gf7w-9m4x
DESCRIPTION: Exploit Observer has 6 entries in 3 file formats related to GHSA-vp66-gf7w-9m4x. Insufficient Session Expiration in github.com/greenpau/caddy-security
#ExploitObserverAlert
CVE-2023-42791
DESCRIPTION: Exploit Observer has 1 entries in 1 file formats related to CVE-2023-42791. A relative path traversal in Fortinet FortiManager version 7.4.0 and 7.2.0 through 7.2.3 and 7.0.0 through 7.0.8 and 6.4.0 through 6.4.12 and 6.2.0 through 6.2.11 allows attacker to execute unauthorized code or commands via crafted HTTP requests.
CVE-2023-42791
DESCRIPTION: Exploit Observer has 1 entries in 1 file formats related to CVE-2023-42791. A relative path traversal in Fortinet FortiManager version 7.4.0 and 7.2.0 through 7.2.3 and 7.0.0 through 7.0.8 and 6.4.0 through 6.4.12 and 6.2.0 through 6.2.11 allows attacker to execute unauthorized code or commands via crafted HTTP requests.
#ExploitObserverAlert
CVE-2024-21682
DESCRIPTION: Exploit Observer has 1 entries in 1 file formats related to CVE-2024-21682. This High severity Injection vulnerability was introduced in Assets Discovery 1.0 - 6.2.0 (all versions). Assets Discovery, which can be downloaded via Atlassian Marketplace, is a network scanning tool that can be used with or without an agent with Jira Service Management Cloud, Data Center or Server. It detects hardware and software that is connected to your local network and extracts detailed information about each asset. This data can then be imported into Assets in Jira Service Management to help you manage all of the devices and configuration items within your local network. This Injection vulnerability, with a CVSS Score of 7.2, allows an authenticated attacker to modify the actions taken by a system call which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction. Atlassian recommends that Assets Discovery customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions See the release notes (https://confluence.atlassian.com/assetapps/assets-discovery-3-2-1-cloud-6-2-1-data_center-1333987182.html). You can download the latest version of Assets Discovery from the Atlassian Marketplace (https://marketplace.atlassian.com/apps/1214668/assets-discovery?hosting=datacenter&tab=installation). This vulnerability was reported via our Penetration Testing program.
CVE-2024-21682
DESCRIPTION: Exploit Observer has 1 entries in 1 file formats related to CVE-2024-21682. This High severity Injection vulnerability was introduced in Assets Discovery 1.0 - 6.2.0 (all versions). Assets Discovery, which can be downloaded via Atlassian Marketplace, is a network scanning tool that can be used with or without an agent with Jira Service Management Cloud, Data Center or Server. It detects hardware and software that is connected to your local network and extracts detailed information about each asset. This data can then be imported into Assets in Jira Service Management to help you manage all of the devices and configuration items within your local network. This Injection vulnerability, with a CVSS Score of 7.2, allows an authenticated attacker to modify the actions taken by a system call which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction. Atlassian recommends that Assets Discovery customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions See the release notes (https://confluence.atlassian.com/assetapps/assets-discovery-3-2-1-cloud-6-2-1-data_center-1333987182.html). You can download the latest version of Assets Discovery from the Atlassian Marketplace (https://marketplace.atlassian.com/apps/1214668/assets-discovery?hosting=datacenter&tab=installation). This vulnerability was reported via our Penetration Testing program.
#ExploitObserverAlert
CVE-2024-22245
DESCRIPTION: Exploit Observer has 1 entries in 1 file formats related to CVE-2024-22245. Arbitrary Authentication Relay and Session Hijack vulnerabilities in the deprecated VMware Enhanced Authentication Plug-in (EAP) could allow a malicious actor that could trick a target domain user with EAP installed in their web browser into requesting and relaying service tickets for arbitrary Active Directory Service Principal Names (SPNs).
CVE-2024-22245
DESCRIPTION: Exploit Observer has 1 entries in 1 file formats related to CVE-2024-22245. Arbitrary Authentication Relay and Session Hijack vulnerabilities in the deprecated VMware Enhanced Authentication Plug-in (EAP) could allow a malicious actor that could trick a target domain user with EAP installed in their web browser into requesting and relaying service tickets for arbitrary Active Directory Service Principal Names (SPNs).
#ExploitObserverAlert
GHSA-x989-52fc-4vr4
DESCRIPTION: Exploit Observer has 4 entries in 3 file formats related to GHSA-x989-52fc-4vr4. Unencrypted traffic between pods when using Wireguard and an external kvstore
GHSA-x989-52fc-4vr4
DESCRIPTION: Exploit Observer has 4 entries in 3 file formats related to GHSA-x989-52fc-4vr4. Unencrypted traffic between pods when using Wireguard and an external kvstore
#ExploitObserverAlert
CVE-2024-1155
DESCRIPTION: Exploit Observer has 1 entries in 1 file formats related to CVE-2024-1155. Incorrect permissions in the installation directories for shared SystemLink Elixir based services may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2024-1155
DESCRIPTION: Exploit Observer has 1 entries in 1 file formats related to CVE-2024-1155. Incorrect permissions in the installation directories for shared SystemLink Elixir based services may allow an authenticated user to potentially enable escalation of privilege via local access.
#ExploitObserverAlert
CVE-2023-52436
DESCRIPTION: Exploit Observer has 1 entries in 1 file formats related to CVE-2023-52436. In the Linux kernel, the following vulnerability has been resolved: f2fs: explicitly null-terminate the xattr list When setting an xattr, explicitly null-terminate the xattr list. This eliminates the fragile assumption that the unused xattr space is always zeroed.
CVE-2023-52436
DESCRIPTION: Exploit Observer has 1 entries in 1 file formats related to CVE-2023-52436. In the Linux kernel, the following vulnerability has been resolved: f2fs: explicitly null-terminate the xattr list When setting an xattr, explicitly null-terminate the xattr list. This eliminates the fragile assumption that the unused xattr space is always zeroed.
#ExploitObserverAlert
WLB-2024020064
DESCRIPTION: Exploit Observer has 1 entries in 1 file formats related to WLB-2024020064. Savsoft Quiz v6.0 Enterprise - Persistent Cross-Site Scripting.
WLB-2024020064
DESCRIPTION: Exploit Observer has 1 entries in 1 file formats related to WLB-2024020064. Savsoft Quiz v6.0 Enterprise - Persistent Cross-Site Scripting.
#ExploitObserverAlert
GHSA-7f2v-5877-rx3x
DESCRIPTION: Exploit Observer has 2 entries in 2 file formats related to GHSA-7f2v-5877-rx3x. Code injection in REDAXO
GHSA-7f2v-5877-rx3x
DESCRIPTION: Exploit Observer has 2 entries in 2 file formats related to GHSA-7f2v-5877-rx3x. Code injection in REDAXO
#ExploitObserverAlert
GHSA-r969-783f-6jqr
DESCRIPTION: Exploit Observer has 6 entries in 3 file formats related to GHSA-r969-783f-6jqr. Improper Neutralization of HTTP Headers in github.com/greenpau/caddy-security
GHSA-r969-783f-6jqr
DESCRIPTION: Exploit Observer has 6 entries in 3 file formats related to GHSA-r969-783f-6jqr. Improper Neutralization of HTTP Headers in github.com/greenpau/caddy-security
#ExploitObserverAlert
GHSA-9w99-78rj-hmxq
DESCRIPTION: Exploit Observer has 2 entries in 2 file formats related to GHSA-9w99-78rj-hmxq. Cross-site scripting (XSS) in the dynamic file uploads
GHSA-9w99-78rj-hmxq
DESCRIPTION: Exploit Observer has 2 entries in 2 file formats related to GHSA-9w99-78rj-hmxq. Cross-site scripting (XSS) in the dynamic file uploads
#ExploitObserverAlert
CVE-2023-52439
DESCRIPTION: Exploit Observer has 1 entries in 1 file formats related to CVE-2023-52439. In the Linux kernel, the following vulnerability has been resolved: uio: Fix use-after-free in uio_open core-1 core-2 ------------------------------------------------------- uio_unregister_device uio_open idev = idr_find() device_unregister(&idev->dev) put_device(&idev->dev) uio_device_release get_device(&idev->dev) kfree(idev) uio_free_minor(minor) uio_release put_device(&idev->dev) kfree(idev) ------------------------------------------------------- In the core-1 uio_unregister_device(), the device_unregister will kfree idev when the idev->dev kobject ref is 1. But after core-1 device_unregister, put_device and before doing kfree, the core-2 may get_device. Then: 1. After core-1 kfree idev, the core-2 will do use-after-free for idev. 2. When core-2 do uio_release and put_device, the idev will be double freed. To address this issue, we can get idev atomic & inc idev reference with minor_lock.
CVE-2023-52439
DESCRIPTION: Exploit Observer has 1 entries in 1 file formats related to CVE-2023-52439. In the Linux kernel, the following vulnerability has been resolved: uio: Fix use-after-free in uio_open core-1 core-2 ------------------------------------------------------- uio_unregister_device uio_open idev = idr_find() device_unregister(&idev->dev) put_device(&idev->dev) uio_device_release get_device(&idev->dev) kfree(idev) uio_free_minor(minor) uio_release put_device(&idev->dev) kfree(idev) ------------------------------------------------------- In the core-1 uio_unregister_device(), the device_unregister will kfree idev when the idev->dev kobject ref is 1. But after core-1 device_unregister, put_device and before doing kfree, the core-2 may get_device. Then: 1. After core-1 kfree idev, the core-2 will do use-after-free for idev. 2. When core-2 do uio_release and put_device, the idev will be double freed. To address this issue, we can get idev atomic & inc idev reference with minor_lock.
#ExploitObserverAlert
GHSA-8hp3-rmr7-xh88
DESCRIPTION: Exploit Observer has 6 entries in 3 file formats related to GHSA-8hp3-rmr7-xh88. Open Redirect in github.com/greenpau/caddy-security
GHSA-8hp3-rmr7-xh88
DESCRIPTION: Exploit Observer has 6 entries in 3 file formats related to GHSA-8hp3-rmr7-xh88. Open Redirect in github.com/greenpau/caddy-security
#ExploitObserverAlert
CVE-2024-22369
DESCRIPTION: Exploit Observer has 2 entries in 2 file formats related to CVE-2024-22369. Deserialization of Untrusted Data vulnerability in Apache Camel SQL ComponentThis issue affects Apache Camel: from 3.0.0 before 3.21.4, from 3.22.0 before 3.22.1, from 4.0.0 before 4.0.4, from 4.1.0 before 4.4.0. Users are recommended to upgrade to version 4.4.0, which fixes the issue. If users are on the 4.0.x LTS releases stream, then they are suggested to upgrade to 4.0.4. If users are on 3.x, they are suggested to move to 3.21.4 or 3.22.1
CVE-2024-22369
DESCRIPTION: Exploit Observer has 2 entries in 2 file formats related to CVE-2024-22369. Deserialization of Untrusted Data vulnerability in Apache Camel SQL ComponentThis issue affects Apache Camel: from 3.0.0 before 3.21.4, from 3.22.0 before 3.22.1, from 4.0.0 before 4.0.4, from 4.1.0 before 4.4.0. Users are recommended to upgrade to version 4.4.0, which fixes the issue. If users are on the 4.0.x LTS releases stream, then they are suggested to upgrade to 4.0.4. If users are on 3.x, they are suggested to move to 3.21.4 or 3.22.1
#ExploitObserverAlert
CVE-2024-25631
DESCRIPTION: Exploit Observer has 1 entries in 1 file formats related to CVE-2024-25631. Cilium is a networking, observability, and security solution with an eBPF-based dataplane. For Cilium users who have enabled an external kvstore and Wireguard transparent encryption, traffic between pods in the affected cluster is not encrypted. This issue affects Cilium v1.14 before v1.14.7 and has been patched in Cilium v1.14.7. There is no workaround to this issue.
CVE-2024-25631
DESCRIPTION: Exploit Observer has 1 entries in 1 file formats related to CVE-2024-25631. Cilium is a networking, observability, and security solution with an eBPF-based dataplane. For Cilium users who have enabled an external kvstore and Wireguard transparent encryption, traffic between pods in the affected cluster is not encrypted. This issue affects Cilium v1.14 before v1.14.7 and has been patched in Cilium v1.14.7. There is no workaround to this issue.
#ExploitObserverAlert
CVE-2023-52438
DESCRIPTION: Exploit Observer has 1 entries in 1 file formats related to CVE-2023-52438. In the Linux kernel, the following vulnerability has been resolved: binder: fix use-after-free in shinker's callback The mmap read lock is used during the shrinker's callback, which means that using alloc->vma pointer isn't safe as it can race with munmap(). As of commit dd2283f2605e ("mm: mmap: zap pages with read mmap_sem in munmap") the mmap lock is downgraded after the vma has been isolated. I was able to reproduce this issue by manually adding some delays and triggering page reclaiming through the shrinker's debug sysfs. The following KASAN report confirms the UAF: ================================================================== BUG: KASAN: slab-use-after-free in zap_page_range_single+0x470/0x4b8 Read of size 8 at addr ffff356ed50e50f0 by task bash/478 CPU: 1 PID: 478 Comm: bash Not tainted 6.6.0-rc5-00055-g1c8b86a3799f-dirty #70 Hardware name: linux,dummy-virt (DT) Call trace: zap_page_range_single+0x470/0x4b8 binder_alloc_free_page+0x608/0xadc __list_lru_walk_one+0x130/0x3b0 list_lru_walk_node+0xc4/0x22c binder_shrink_scan+0x108/0x1dc shrinker_debugfs_scan_write+0x2b4/0x500 full_proxy_write+0xd4/0x140 vfs_write+0x1ac/0x758 ksys_write+0xf0/0x1dc __arm64_sys_write+0x6c/0x9c Allocated by task 492: kmem_cache_alloc+0x130/0x368 vm_area_alloc+0x2c/0x190 mmap_region+0x258/0x18bc do_mmap+0x694/0xa60 vm_mmap_pgoff+0x170/0x29c ksys_mmap_pgoff+0x290/0x3a0 __arm64_sys_mmap+0xcc/0x144 Freed by task 491: kmem_cache_free+0x17c/0x3c8 vm_area_free_rcu_cb+0x74/0x98 rcu_core+0xa38/0x26d4 rcu_core_si+0x10/0x1c __do_softirq+0x2fc/0xd24 Last potentially related work creation: __call_rcu_common.constprop.0+0x6c/0xba0 call_rcu+0x10/0x1c vm_area_free+0x18/0x24 remove_vma+0xe4/0x118 do_vmi_align_munmap.isra.0+0x718/0xb5c do_vmi_munmap+0xdc/0x1fc __vm_munmap+0x10c/0x278 __arm64_sys_munmap+0x58/0x7c Fix this issue by performing instead a vma_lookup() which will fail to find the vma that was isolated before the mmap lock downgrade. Note that this option has better performance than upgrading to a mmap write lock which would increase contention. Plus, mmap_write_trylock() has been recently removed anyway.
CVE-2023-52438
DESCRIPTION: Exploit Observer has 1 entries in 1 file formats related to CVE-2023-52438. In the Linux kernel, the following vulnerability has been resolved: binder: fix use-after-free in shinker's callback The mmap read lock is used during the shrinker's callback, which means that using alloc->vma pointer isn't safe as it can race with munmap(). As of commit dd2283f2605e ("mm: mmap: zap pages with read mmap_sem in munmap") the mmap lock is downgraded after the vma has been isolated. I was able to reproduce this issue by manually adding some delays and triggering page reclaiming through the shrinker's debug sysfs. The following KASAN report confirms the UAF: ================================================================== BUG: KASAN: slab-use-after-free in zap_page_range_single+0x470/0x4b8 Read of size 8 at addr ffff356ed50e50f0 by task bash/478 CPU: 1 PID: 478 Comm: bash Not tainted 6.6.0-rc5-00055-g1c8b86a3799f-dirty #70 Hardware name: linux,dummy-virt (DT) Call trace: zap_page_range_single+0x470/0x4b8 binder_alloc_free_page+0x608/0xadc __list_lru_walk_one+0x130/0x3b0 list_lru_walk_node+0xc4/0x22c binder_shrink_scan+0x108/0x1dc shrinker_debugfs_scan_write+0x2b4/0x500 full_proxy_write+0xd4/0x140 vfs_write+0x1ac/0x758 ksys_write+0xf0/0x1dc __arm64_sys_write+0x6c/0x9c Allocated by task 492: kmem_cache_alloc+0x130/0x368 vm_area_alloc+0x2c/0x190 mmap_region+0x258/0x18bc do_mmap+0x694/0xa60 vm_mmap_pgoff+0x170/0x29c ksys_mmap_pgoff+0x290/0x3a0 __arm64_sys_mmap+0xcc/0x144 Freed by task 491: kmem_cache_free+0x17c/0x3c8 vm_area_free_rcu_cb+0x74/0x98 rcu_core+0xa38/0x26d4 rcu_core_si+0x10/0x1c __do_softirq+0x2fc/0xd24 Last potentially related work creation: __call_rcu_common.constprop.0+0x6c/0xba0 call_rcu+0x10/0x1c vm_area_free+0x18/0x24 remove_vma+0xe4/0x118 do_vmi_align_munmap.isra.0+0x718/0xb5c do_vmi_munmap+0xdc/0x1fc __vm_munmap+0x10c/0x278 __arm64_sys_munmap+0x58/0x7c Fix this issue by performing instead a vma_lookup() which will fail to find the vma that was isolated before the mmap lock downgrade. Note that this option has better performance than upgrading to a mmap write lock which would increase contention. Plus, mmap_write_trylock() has been recently removed anyway.
#ExploitObserverAlert
CVE-2023-7245
DESCRIPTION: Exploit Observer has 1 entries in 1 file formats related to CVE-2023-7245. The nodejs framework in OpenVPN Connect 3.0 through 3.4.3 (Windows)/3.4.7 (macOS) was not properly configured, which allows a local user to execute arbitrary code within the nodejs process context via the ELECTRON_RUN_AS_NODE environment variable
CVE-2023-7245
DESCRIPTION: Exploit Observer has 1 entries in 1 file formats related to CVE-2023-7245. The nodejs framework in OpenVPN Connect 3.0 through 3.4.3 (Windows)/3.4.7 (macOS) was not properly configured, which allows a local user to execute arbitrary code within the nodejs process context via the ELECTRON_RUN_AS_NODE environment variable
#ExploitObserverAlert
GHSA-w3q8-m492-4pwp
DESCRIPTION: Exploit Observer has 2 entries in 2 file formats related to GHSA-w3q8-m492-4pwp. Possibility to circumvent the invitation token expiry period
GHSA-w3q8-m492-4pwp
DESCRIPTION: Exploit Observer has 2 entries in 2 file formats related to GHSA-w3q8-m492-4pwp. Possibility to circumvent the invitation token expiry period