๐จ CVE-2026-0588
A weakness has been identified in Xinhu Rainrock RockOA up to 2.7.1. Affected by this vulnerability is an unknown functionality of the file rockfun.php of the component API. This manipulation of the argument callback causes cross site scripting. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
๐@cveNotify
A weakness has been identified in Xinhu Rainrock RockOA up to 2.7.1. Affected by this vulnerability is an unknown functionality of the file rockfun.php of the component API. This manipulation of the argument callback causes cross site scripting. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
๐@cveNotify
๐ฅ1๐1
๐จ CVE-2024-20533
A vulnerability in the web UI of Cisco Desk Phone 9800 Series, Cisco IP Phone 6800, 7800, and 8800 Series, and Cisco Video Phone 8875 with Cisco Multiplatform Firmware could allow an authenticated, remote attacker to conduct stored cross-site scripting (XSS) attacks against users.
This vulnerability exists because the web UI of an affected device does not properly validate user-supplied input. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.
Note: To exploit this vulnerability, Web Access must be enabled on the phone and the attacker must have Admin credentials on the device. Web Access is disabled by default.
๐@cveNotify
A vulnerability in the web UI of Cisco Desk Phone 9800 Series, Cisco IP Phone 6800, 7800, and 8800 Series, and Cisco Video Phone 8875 with Cisco Multiplatform Firmware could allow an authenticated, remote attacker to conduct stored cross-site scripting (XSS) attacks against users.
This vulnerability exists because the web UI of an affected device does not properly validate user-supplied input. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.
Note: To exploit this vulnerability, Web Access must be enabled on the phone and the attacker must have Admin credentials on the device. Web Access is disabled by default.
๐@cveNotify
Cisco
Cisco Security Advisory: Cisco 6800, 7800, 8800, and 9800 Series Phones with Multiplatform Firmware Stored Cross-Site Scriptingโฆ
Multiple vulnerabilities in the web UI of Cisco Desk Phone 9800 Series, Cisco IP Phone 6800, 7800, and 8800 Series, and Cisco Video Phone 8875 with Cisco Multiplatform Firmware could allow an authenticated, remote attacker to conduct stored cross-site scriptingโฆ
๐จ CVE-2024-20534
A vulnerability in the web UI of Cisco Desk Phone 9800 Series, Cisco IP Phone 6800, 7800, and 8800 Series, and Cisco Video Phone 8875 with Cisco Multiplatform Firmware could allow an authenticated, remote attacker to conduct stored cross-site scripting (XSS) attacks against users.
This vulnerability exists because the web UI of an affected device does not properly validate user-supplied input. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.
Note: To exploit this vulnerability, Web Access must be enabled on the phone and the attacker must have Admin credentials on the device. Web Access is disabled by default.
๐@cveNotify
A vulnerability in the web UI of Cisco Desk Phone 9800 Series, Cisco IP Phone 6800, 7800, and 8800 Series, and Cisco Video Phone 8875 with Cisco Multiplatform Firmware could allow an authenticated, remote attacker to conduct stored cross-site scripting (XSS) attacks against users.
This vulnerability exists because the web UI of an affected device does not properly validate user-supplied input. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.
Note: To exploit this vulnerability, Web Access must be enabled on the phone and the attacker must have Admin credentials on the device. Web Access is disabled by default.
๐@cveNotify
Cisco
Cisco Security Advisory: Cisco 6800, 7800, 8800, and 9800 Series Phones with Multiplatform Firmware Stored Cross-Site Scriptingโฆ
Multiple vulnerabilities in the web UI of Cisco Desk Phone 9800 Series, Cisco IP Phone 6800, 7800, and 8800 Series, and Cisco Video Phone 8875 with Cisco Multiplatform Firmware could allow an authenticated, remote attacker to conduct stored cross-site scriptingโฆ
๐จ CVE-2024-5660
Use of Hardware Page Aggregation (HPA) and Stage-1 and/or Stage-2 translation on Cortex-A77, Cortex-A78, Cortex-A78C, Cortex-A78AE, Cortex-A710, Cortex-X1, Cortex-X1C, Cortex-X2, Cortex-X3, Cortex-X4, Cortex-X925, Neoverse V1, Neoverse V2, Neoverse V3, Neoverse V3AE, Neoverse N2 may permit bypass of Stage-2 translation and/or GPT protection.
๐@cveNotify
Use of Hardware Page Aggregation (HPA) and Stage-1 and/or Stage-2 translation on Cortex-A77, Cortex-A78, Cortex-A78C, Cortex-A78AE, Cortex-A710, Cortex-X1, Cortex-X1C, Cortex-X2, Cortex-X3, Cortex-X4, Cortex-X925, Neoverse V1, Neoverse V2, Neoverse V3, Neoverse V3AE, Neoverse N2 may permit bypass of Stage-2 translation and/or GPT protection.
๐@cveNotify
๐จ CVE-2025-20335
A vulnerability in the directory permissions of Cisco Desk Phone 9800 Series, Cisco IP Phone 7800 and 8800 Series, and Cisco Video Phone 8875 could allow an unauthenticated, remote attacker to write arbitrary files on an affected device.
This vulnerability is due to a lack of proper authentication controls. An attacker could exploit this vulnerability by sending a crafted request to an affected device. A successful exploit could allow the attacker to perform arbitrary file writes to specific directories in the underlying operating system.
Note: To exploit this vulnerability, Web Access must be enabled on the phone. Web Access is disabled by default.
๐@cveNotify
A vulnerability in the directory permissions of Cisco Desk Phone 9800 Series, Cisco IP Phone 7800 and 8800 Series, and Cisco Video Phone 8875 could allow an unauthenticated, remote attacker to write arbitrary files on an affected device.
This vulnerability is due to a lack of proper authentication controls. An attacker could exploit this vulnerability by sending a crafted request to an affected device. A successful exploit could allow the attacker to perform arbitrary file writes to specific directories in the underlying operating system.
Note: To exploit this vulnerability, Web Access must be enabled on the phone. Web Access is disabled by default.
๐@cveNotify
Cisco
Cisco Security Advisory: Cisco Desk Phone 9800 Series, IP Phone 7800 and 8800 Series, and Video Phone 8875 with SIP Software Vulnerabilities
Multiple vulnerabilities in the directory permissions of Cisco Desk Phone 9800 Series, Cisco IP Phone 7800 and 8800 Series, and Cisco Video Phone 8875 with Cisco Session Initiation Protocol (SIP) Software could allow an unauthenticated, remote attacker toโฆ
๐จ CVE-2025-20336
A vulnerability in the directory permissions of Cisco Desk Phone 9800 Series, Cisco IP Phone 7800 and 8800 Series, and Cisco Video Phone 8875 could allow an unauthenticated, remote attacker to access sensitive information on an affected device.
This vulnerability exists because the product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. An attacker could exploit this vulnerability by sending a crafted packet to the IP address of a device that has Web Access enabled. A successful exploit could allow the attacker to access sensitive information from the device.
Note: To exploit this vulnerability, Web Access must be enabled on the phone. Web Access is disabled by default.
๐@cveNotify
A vulnerability in the directory permissions of Cisco Desk Phone 9800 Series, Cisco IP Phone 7800 and 8800 Series, and Cisco Video Phone 8875 could allow an unauthenticated, remote attacker to access sensitive information on an affected device.
This vulnerability exists because the product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. An attacker could exploit this vulnerability by sending a crafted packet to the IP address of a device that has Web Access enabled. A successful exploit could allow the attacker to access sensitive information from the device.
Note: To exploit this vulnerability, Web Access must be enabled on the phone. Web Access is disabled by default.
๐@cveNotify
Cisco
Cisco Security Advisory: Cisco Desk Phone 9800 Series, IP Phone 7800 and 8800 Series, and Video Phone 8875 with SIP Software Vulnerabilities
Multiple vulnerabilities in the directory permissions of Cisco Desk Phone 9800 Series, Cisco IP Phone 7800 and 8800 Series, and Cisco Video Phone 8875 with Cisco Session Initiation Protocol (SIP) Software could allow an unauthenticated, remote attacker toโฆ
๐จ CVE-2025-65203
KeePassXC-Browser thru 1.9.9.2 autofills or prompts to fill stored credentials into documents rendered under a browser-enforced CSP directive and iframe attribute sandbox, allowing attacker-controlled script in the sandboxed document to access populated form fields and exfiltrate credentials.
๐@cveNotify
KeePassXC-Browser thru 1.9.9.2 autofills or prompts to fill stored credentials into documents rendered under a browser-enforced CSP directive and iframe attribute sandbox, allowing attacker-controlled script in the sandboxed document to access populated form fields and exfiltrate credentials.
๐@cveNotify
GitHub
Security Issue on iframe attribute and CSP document directive 'sandbox' ยท Issue #2647 ยท keepassxreboot/keepassxc-browser
Summary KeePassXC-Browser thru 1.9.9.2 autofills or prompts to fill stored credentials into documents rendered under a browser-enforced CSP directive and iframe attribute sandbox, allowing attacker...
๐ฅ1
๐จ CVE-2024-20357
A vulnerability in the XML service of Cisco IP Phone firmware could allow an unauthenticated, remote attacker to initiate phone calls on an affected device.
This vulnerability exists because bounds-checking does not occur while parsing XML requests. An attacker could exploit this vulnerability by sending a crafted XML request to an affected device. A successful exploit could allow the attacker to initiate calls or play sounds on the device.
๐@cveNotify
A vulnerability in the XML service of Cisco IP Phone firmware could allow an unauthenticated, remote attacker to initiate phone calls on an affected device.
This vulnerability exists because bounds-checking does not occur while parsing XML requests. An attacker could exploit this vulnerability by sending a crafted XML request to an affected device. A successful exploit could allow the attacker to initiate calls or play sounds on the device.
๐@cveNotify
Cisco
Cisco Security Advisory: Cisco IP Phone 6800, 7800, and 8800 Series with Multiplatform Firmware Vulnerabilities
Multiple vulnerabilities in Cisco IP Phone firmware could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition, gain unauthorized access, or view sensitive information on an affected system.
For more information about theseโฆ
For more information about theseโฆ
๐จ CVE-2024-20376
A vulnerability in the web-based management interface of Cisco IP Phone firmware could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a DoS condition.
This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface of an affected device. A successful exploit could allow the attacker to cause the affected device to reload.
๐@cveNotify
A vulnerability in the web-based management interface of Cisco IP Phone firmware could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a DoS condition.
This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface of an affected device. A successful exploit could allow the attacker to cause the affected device to reload.
๐@cveNotify
Cisco
Cisco Security Advisory: Cisco IP Phone 6800, 7800, and 8800 Series with Multiplatform Firmware Vulnerabilities
Multiple vulnerabilities in Cisco IP Phone firmware could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition, gain unauthorized access, or view sensitive information on an affected system.
For more information about theseโฆ
For more information about theseโฆ
๐จ CVE-2024-20378
A vulnerability in the web-based management interface of Cisco IP Phone firmware could allow an unauthenticated, remote attacker to retrieve sensitive information from an affected device.
This vulnerability is due to a lack of authentication for specific endpoints of the web-based management interface on an affected device. An attacker could exploit this vulnerability by connecting to the affected device. A successful exploit could allow the attacker to gain unauthorized access to the device, enabling the recording of user credentials and traffic to and from the affected device, including VoIP calls that could be replayed.
๐@cveNotify
A vulnerability in the web-based management interface of Cisco IP Phone firmware could allow an unauthenticated, remote attacker to retrieve sensitive information from an affected device.
This vulnerability is due to a lack of authentication for specific endpoints of the web-based management interface on an affected device. An attacker could exploit this vulnerability by connecting to the affected device. A successful exploit could allow the attacker to gain unauthorized access to the device, enabling the recording of user credentials and traffic to and from the affected device, including VoIP calls that could be replayed.
๐@cveNotify
Cisco
Cisco Security Advisory: Cisco IP Phone 6800, 7800, and 8800 Series with Multiplatform Firmware Vulnerabilities
Multiple vulnerabilities in Cisco IP Phone firmware could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition, gain unauthorized access, or view sensitive information on an affected system.
For more information about theseโฆ
For more information about theseโฆ
๐จ CVE-2024-20445
A vulnerability in the web UI of Cisco Desk Phone 9800 Series, Cisco IP Phone 7800 and 8800 Series, and Cisco Video Phone 8875 could allow an unauthenticated, remote attacker to access sensitive information on an affected device.
This vulnerability is due to improper storage of sensitive information within the web UI of Session Initiation Protocol (SIP)-based phone loads. An attacker could exploit this vulnerability by browsing to the IP address of a device that has Web Access enabled. A successful exploit could allow the attacker to access sensitive information, including incoming and outgoing call records.
Note: Web Access is disabled by default.
๐@cveNotify
A vulnerability in the web UI of Cisco Desk Phone 9800 Series, Cisco IP Phone 7800 and 8800 Series, and Cisco Video Phone 8875 could allow an unauthenticated, remote attacker to access sensitive information on an affected device.
This vulnerability is due to improper storage of sensitive information within the web UI of Session Initiation Protocol (SIP)-based phone loads. An attacker could exploit this vulnerability by browsing to the IP address of a device that has Web Access enabled. A successful exploit could allow the attacker to access sensitive information, including incoming and outgoing call records.
Note: Web Access is disabled by default.
๐@cveNotify
Cisco
Cisco Security Advisory: Cisco 7800, 8800, and 9800 Series Phones Information Disclosure Vulnerability
A vulnerability in the web UI of Cisco Desk Phone 9800 Series, Cisco IP Phone 7800 and 8800 Series, and Cisco Video Phone 8875 could allow an unauthenticated, remote attacker to access sensitive information on an affected device.
This vulnerability is dueโฆ
This vulnerability is dueโฆ
๐จ CVE-2025-8093
Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Authenticator Login allows Authentication Bypass.This issue affects Authenticator Login: from 0.0.0 before 2.1.8.
๐@cveNotify
Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Authenticator Login allows Authentication Bypass.This issue affects Authenticator Login: from 0.0.0 before 2.1.8.
๐@cveNotify
Drupal.org
Authenticator Login - Moderately critical - Access bypass - SA-CONTRIB-2025-098
This module allows users to setup two-factor authentication (2FA) using authenticator apps for enhanced login security. The module did not protect all possible login paths provided by core modules. CVSS risk score (experimental) 6.3 / Medium CVSS:4.0/AV:โฆ
๐จ CVE-2025-9549
Missing Authorization vulnerability in Drupal Facets allows Forceful Browsing.This issue affects Facets: from 0.0.0 before 2.0.10, from 3.0.0 before 3.0.1.
๐@cveNotify
Missing Authorization vulnerability in Drupal Facets allows Forceful Browsing.This issue affects Facets: from 0.0.0 before 2.0.10, from 3.0.0 before 3.0.1.
๐@cveNotify
Drupal.org
Facets - Moderately critical - Information Disclosure - SA-CONTRIB-2025-099
This module enables you to to easily create and manage faceted search interfaces. The module doesn't sufficiently check access to entities when they are displayed as facets. This vulnerability is mitigated by the fact that only sites that show facets withโฆ
๐จ CVE-2024-29905
DIRAC is an interware, meaning a software framework for distributed computing. Prior to version 8.0.41, during the proxy generation process (e.g., when using `dirac-proxy-init`), it is possible for unauthorized users on the same machine to gain read access to the proxy. This allows the user to then perform any action that is possible with the original proxy. This vulnerability only exists for a short period of time (sub-millsecond) during the generation process. Version 8.0.41 contains a patch for the issue. As a workaround, setting the `X509_USER_PROXY` environment variable to a path that is inside a directory that is only readable to the current user avoids the potential risk. After the file has been written, it can be safely copied to the standard location (`/tmp/x509up_uNNNN`).
๐@cveNotify
DIRAC is an interware, meaning a software framework for distributed computing. Prior to version 8.0.41, during the proxy generation process (e.g., when using `dirac-proxy-init`), it is possible for unauthorized users on the same machine to gain read access to the proxy. This allows the user to then perform any action that is possible with the original proxy. This vulnerability only exists for a short period of time (sub-millsecond) during the generation process. Version 8.0.41 contains a patch for the issue. As a workaround, setting the `X509_USER_PROXY` environment variable to a path that is inside a directory that is only readable to the current user avoids the potential risk. After the file has been written, it can be safely copied to the standard location (`/tmp/x509up_uNNNN`).
๐@cveNotify
GitHub
Merge pull request from GHSA-v6f3-gh5h-mqwx ยท DIRACGrid/DIRAC@1faa709
[v8.0] Ensure proxy files are always written securely
๐จ CVE-2024-22423
yt-dlp is a youtube-dl fork with additional features and fixes. The patch that addressed CVE-2023-40581 attempted to prevent RCE when using `--exec` with `%q` by replacing double quotes with two double quotes. However, this escaping is not sufficient, and still allows expansion of environment variables. Support for output template expansion in `--exec`, along with this vulnerable behavior, was added to `yt-dlp` in version 2021.04.11. yt-dlp version 2024.04.09 fixes this issue by properly escaping `%`. It replaces them with `%%cd:~,%`, a variable that expands to nothing, leaving only the leading percent. It is recommended to upgrade yt-dlp to version 2024.04.09 as soon as possible. Also, always be careful when using `--exec`, because while this specific vulnerability has been patched, using unvalidated input in shell commands is inherently dangerous. For Windows users who are not able to upgrade, avoid using any output template expansion in `--exec` other than `{}` (filepath); if expansion in `--exec` is needed, verify the fields you are using do not contain `"`, `|` or `&`; and/or instead of using `--exec`, write the info json and load the fields from it instead.
๐@cveNotify
yt-dlp is a youtube-dl fork with additional features and fixes. The patch that addressed CVE-2023-40581 attempted to prevent RCE when using `--exec` with `%q` by replacing double quotes with two double quotes. However, this escaping is not sufficient, and still allows expansion of environment variables. Support for output template expansion in `--exec`, along with this vulnerable behavior, was added to `yt-dlp` in version 2021.04.11. yt-dlp version 2024.04.09 fixes this issue by properly escaping `%`. It replaces them with `%%cd:~,%`, a variable that expands to nothing, leaving only the leading percent. It is recommended to upgrade yt-dlp to version 2024.04.09 as soon as possible. Also, always be careful when using `--exec`, because while this specific vulnerability has been patched, using unvalidated input in shell commands is inherently dangerous. For Windows users who are not able to upgrade, avoid using any output template expansion in `--exec` other than `{}` (filepath); if expansion in `--exec` is needed, verify the fields you are using do not contain `"`, `|` or `&`; and/or instead of using `--exec`, write the info json and load the fields from it instead.
๐@cveNotify
GitHub
[core] Prevent RCE when using `--exec` with `%q` (CVE-2023-40581) ยท yt-dlp/yt-dlp@de015e9
The shell escape function is now using `""` instead of `\"`. `utils.Popen` has been patched to properly quote commands.
Prior to this fix using `--exec` together with `%...
Prior to this fix using `--exec` together with `%...
๐จ CVE-2024-4439
WordPress Core is vulnerable to Stored Cross-Site Scripting via user display names in the Avatar block in various versions up to 6.5.2 due to insufficient output escaping on the display name. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. In addition, it also makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that have the comment block present and display the comment author's avatar.
๐@cveNotify
WordPress Core is vulnerable to Stored Cross-Site Scripting via user display names in the Avatar block in various versions up to 6.5.2 due to insufficient output escaping on the display name. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. In addition, it also makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that have the comment block present and display the comment author's avatar.
๐@cveNotify
core.trac.wordpress.org
Changeset 57951 โ WordPress Trac
Blog Tool and Publishing Platform
๐จ CVE-2025-9552
Vulnerability in Drupal Synchronize composer.Json With Contrib Modules.This issue affects Synchronize composer.Json With Contrib Modules: *.*.
๐@cveNotify
Vulnerability in Drupal Synchronize composer.Json With Contrib Modules.This issue affects Synchronize composer.Json With Contrib Modules: *.*.
๐@cveNotify
Drupal.org
Synchronize composer.json With Contrib Modules - Critical - Unsupported - SA-CONTRIB-2025-102
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-ownerโฆ
๐จ CVE-2025-13733
BuhoNTFS contains an insecure XPC service that allows local, unprivileged users to escalate their privileges to root via insecure functions.This issue affects BuhoNTFS: 1.3.2.
๐@cveNotify
BuhoNTFS contains an insecure XPC service that allows local, unprivileged users to escalate their privileges to root via insecure functions.This issue affects BuhoNTFS: 1.3.2.
๐@cveNotify
Fluidattacks
BuhoNTFS 1.3.2 - Local Privilege Escalation | Fluid Attacks
CVE-2025-13733: BuhoNTFS 1.3.2 - Insecure XPC service allows local unprivileged users to escalate privileges to root.
๐จ CVE-2024-24576
Rust is a programming language. The Rust Security Response WG was notified that the Rust standard library prior to version 1.77.2 did not properly escape arguments when invoking batch files (with the `bat` and `cmd` extensions) on Windows using the `Command`. An attacker able to control the arguments passed to the spawned process could execute arbitrary shell commands by bypassing the escaping. The severity of this vulnerability is critical for those who invoke batch files on Windows with untrusted arguments. No other platform or use is affected.
The `Command::arg` and `Command::args` APIs state in their documentation that the arguments will be passed to the spawned process as-is, regardless of the content of the arguments, and will not be evaluated by a shell. This means it should be safe to pass untrusted input as an argument.
On Windows, the implementation of this is more complex than other platforms, because the Windows API only provides a single string containing all the arguments to the spawned process, and it's up to the spawned process to split them. Most programs use the standard C run-time argv, which in practice results in a mostly consistent way arguments are splitted.
One exception though is `cmd.exe` (used among other things to execute batch files), which has its own argument splitting logic. That forces the standard library to implement custom escaping for arguments passed to batch files. Unfortunately it was reported that our escaping logic was not thorough enough, and it was possible to pass malicious arguments that would result in arbitrary shell execution.
Due to the complexity of `cmd.exe`, we didn't identify a solution that would correctly escape arguments in all cases. To maintain our API guarantees, we improved the robustness of the escaping code, and changed the `Command` API to return an `InvalidInput` error when it cannot safely escape an argument. This error will be emitted when spawning the process.
The fix is included in Rust 1.77.2. Note that the new escaping logic for batch files errs on the conservative side, and could reject valid arguments. Those who implement the escaping themselves or only handle trusted inputs on Windows can also use the `CommandExt::raw_arg` method to bypass the standard library's escaping logic.
๐@cveNotify
Rust is a programming language. The Rust Security Response WG was notified that the Rust standard library prior to version 1.77.2 did not properly escape arguments when invoking batch files (with the `bat` and `cmd` extensions) on Windows using the `Command`. An attacker able to control the arguments passed to the spawned process could execute arbitrary shell commands by bypassing the escaping. The severity of this vulnerability is critical for those who invoke batch files on Windows with untrusted arguments. No other platform or use is affected.
The `Command::arg` and `Command::args` APIs state in their documentation that the arguments will be passed to the spawned process as-is, regardless of the content of the arguments, and will not be evaluated by a shell. This means it should be safe to pass untrusted input as an argument.
On Windows, the implementation of this is more complex than other platforms, because the Windows API only provides a single string containing all the arguments to the spawned process, and it's up to the spawned process to split them. Most programs use the standard C run-time argv, which in practice results in a mostly consistent way arguments are splitted.
One exception though is `cmd.exe` (used among other things to execute batch files), which has its own argument splitting logic. That forces the standard library to implement custom escaping for arguments passed to batch files. Unfortunately it was reported that our escaping logic was not thorough enough, and it was possible to pass malicious arguments that would result in arbitrary shell execution.
Due to the complexity of `cmd.exe`, we didn't identify a solution that would correctly escape arguments in all cases. To maintain our API guarantees, we improved the robustness of the escaping code, and changed the `Command` API to return an `InvalidInput` error when it cannot safely escape an argument. This error will be emitted when spawning the process.
The fix is included in Rust 1.77.2. Note that the new escaping logic for batch files errs on the conservative side, and could reject valid arguments. Those who implement the escaping themselves or only handle trusted inputs on Windows can also use the `CommandExt::raw_arg` method to bypass the standard library's escaping logic.
๐@cveNotify
๐จ CVE-2024-31452
OpenFGA is a high-performance and flexible authorization/permission engine. Some end users of OpenFGA v1.5.0 or later are vulnerable to authorization bypass when calling Check or ListObjects APIs. You are very likely affected if your model involves exclusion (e.g. `a but not b`) or intersection (e.g. `a and b`). This vulnerability is fixed in v1.5.3.
๐@cveNotify
OpenFGA is a high-performance and flexible authorization/permission engine. Some end users of OpenFGA v1.5.0 or later are vulnerable to authorization bypass when calling Check or ListObjects APIs. You are very likely affected if your model involves exclusion (e.g. `a but not b`) or intersection (e.g. `a and b`). This vulnerability is fixed in v1.5.3.
๐@cveNotify
GitHub
Merge pull request from GHSA-8cph-m685-6v6r ยท openfga/openfga@b6a6d99
* fix: error handling leading to false positives
* test: add a failing test due to Check and ListObjects differences
* test: change test expectation for ListObjects assertion
* fix: union CheckF...
* test: add a failing test due to Check and ListObjects differences
* test: change test expectation for ListObjects assertion
* fix: union CheckF...
๐จ CVE-2024-34199
TinyWeb 1.94 and below allows unauthenticated remote attackers to cause a denial of service (Buffer Overflow) when sending excessively large elements in the request line.
๐@cveNotify
TinyWeb 1.94 and below allows unauthenticated remote attackers to cause a denial of service (Buffer Overflow) when sending excessively large elements in the request line.
๐@cveNotify
GitHub
GitHub - DMCERTCE/PoC_Tiny_Overflow: Proof-of-concept for overflow and resulting memory leak in TinyWeb 1.94
Proof-of-concept for overflow and resulting memory leak in TinyWeb 1.94 - DMCERTCE/PoC_Tiny_Overflow