Weekly Vulnerabilities Reports > December 26, 2022 to January 1, 2023

Multiple SQL injections in Sage XRT Business Exchange 12.4.302 allow an authenticated attacker to inject malicious data in SQL queries: Add Currencies, Payment Order, and Transfer History.

A vulnerability was found in valtech IDP Test Client and classified as problematic.

NVIDIA GPU Display Driver for Windows contains a vulnerability in the user mode layer, where an unprivileged regular user can cause an out-of-bounds write, which may lead to code execution, denial of service, escalation of privileges, information disclosure, or data tampering.

In the fix for CVE-2022-24697, a blacklist is used to filter user input commands.

TP-Link TL-WR902AC devices through V3 0.9.1 allow remote authenticated attackers to execute arbitrary code or cause a Denial of Service (DoS) by uploading a crafted firmware update because the signature check is inadequate.

A vulnerability was found in challenge website.

Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.1.

authentik is an open-source Identity Provider focused on flexibility and versatility.

CSRF tokens are generated using math/rand, which is not a cryptographically secure random number generator, allowing an attacker to predict values and bypass CSRF protections with relatively few requests.

A SQL injection issue in a database stored function in TrueConf Server 5.2.0.10225 allows a low-privileged database user to execute arbitrary SQL commands as the database administrator, resulting in execution of arbitrary code.

M-Link Archive Server in Isode M-Link R16.2v1 through R17.0 before R17.0v24 allows non-administrative users to access and manipulate archive data via certain HTTP endpoints, aka LINK-2867.

A deserialization flaw was discovered in jackson-databind through 2.9.10.4.

fastrack Reflex 2.0 W307S_REFLEX_v90.89 Activity Tracker allows physically proximate attackers to dump the firmware, flash custom malicious firmware, and brick the device via the Serial Wire Debug (SWD) feature.

NVIDIA Trusted OS contains a vulnerability in an SMC call handler, where failure to validate untrusted input may allow a highly privileged local attacker to cause information disclosure and compromise integrity.

NVIDIA GPU Display Driver for Windows contains a vulnerability in the user mode layer, where an unprivileged regular user can access or modify system files or other files that are critical to the application, which may lead to code execution, denial of service, escalation of privileges, information disclosure, or data tampering.

NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer handler, where an unprivileged regular user can cause truncation errors when casting a primitive to a primitive of smaller size causes data to be lost in the conversion, which may lead to denial of service or information disclosure.

NVIDIA Control Panel for Windows contains a vulnerability where an unauthorized user or an unprivileged regular user can compromise the security of the software by gaining privileges, reading sensitive information, or executing commands.

NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer handler, where an out-of-bounds read may lead to denial of service, information disclosure, or data tampering.

NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an out-of-bounds array access may lead to denial of service, data tampering, or information disclosure.

NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an out-of-bounds array access may lead to denial of service, information disclosure, or data tampering.

NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an integer overflow in index validation may lead to denial of service, information disclosure, or data tampering.

NVIDIA vGPU Display Driver for Linux guest contains a vulnerability in a D-Bus configuration file, where an unauthorized user in the guest VM can impact protected D-Bus endpoints, which may lead to code execution, denial of service, escalation of privileges, information disclosure, or data tampering.

NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager (vGPU plugin), where an input index is not validated, which may lead to buffer overrun, which in turn may cause data tampering, information disclosure, or denial of service.

NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager (vGPU plugin), where an input index is not validated, which may lead to buffer overrun, which in turn may cause data tampering, information disclosure, or denial of service.

NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer, where an unprivileged regular user can cause the use of an out-of-range pointer offset, which may lead to data tampering, data loss, information disclosure, or denial of service.

NVIDIA GPU Display Driver for Windows contains a vulnerability where a regular user can cause an out-of-bounds read, which may lead to code execution, denial of service, escalation of privileges, information disclosure, or data tampering.

NVIDIA distributions of Linux contain a vulnerability in nvdla_emu_task_submit, where unvalidated input may allow a local attacker to cause stack-based buffer overflow in kernel code, which may lead to escalation of privileges, compromised integrity and confidentiality, and denial of service.

A vulnerability has been found in Modbus Tools Modbus Slave up to 7.5.1 and classified as critical.

A vulnerability was found in Modbus Tools Modbus Poll up to 9.10.0 and classified as critical.

ISOS firmwares from versions 1.81 to 2.00 contain hardcoded credentials from embedded StreamX installer that integrators are not forced to change.

A vulnerability was found in centic9 jgit-cookbook.

LiuOS is a small Python project meant to imitate the functions of a regular operating system.

A remote code execution vulnerability exists in Rockwell Automation Studio 5000 Logix Emulate software.

Realtek Audio Drivers for Windows, as used on the Lenovo ThinkPad X1 Carbon 20A7, 20A8, 20BS, and 20BT before 6.0.8882.1 and 20KH and 20KG before 6.0.8907.1 (and on many other Lenovo and non-Lenovo products), mishandles DLL preloading.

The FTP (aka "Implementation of a simple FTP client and server") project through 96c1a35 allows remote attackers to cause a denial of service (memory consumption) by engaging in client activity, such as establishing and then terminating a connection.

A vulnerability classified as problematic was found in Ziftr primecoin up to 0.8.4rc1.

A vulnerability was found in Multilaser RE708 RE1200R4GC-2T2R-V3_v3411b_MUL029B.

A vulnerability classified as problematic has been found in flar2 ElementalX up to 6.x.

An issue was discovered in WeCube Platform 3.2.2.

A vulnerability was found in rgb2hex up to 0.1.5.

A vulnerability was found in ghostlander Phoenixcoin.

Tenda A15 V15.13.07.13 was discovered to contain a stack overflow via the SYSPS parameter at /goform/SysToolChangePwd.

A vulnerability, which was classified as problematic, was found in aerouk imageserve.

A vulnerability was found in Macaron csrf and classified as problematic.

Insertion of Sensitive Information into Log Files in M-Files Server before 22.10.11846.0 could allow to obtain sensitive tokens from logs, if specific configurations were set.

Protections against potential Server-Side Request Forgery (SSRF) vulnerabilities in Esri Portal for ArcGIS versions 10.8.1 and below were not fully honored and may allow a remote, unauthenticated attacker to forge requests to arbitrary URLs from the system, potentially leading to network enumeration or reading from hosts inside the network perimeter, a different issue than CVE-2022-38211 and CVE-2022-38212.

Protections against potential Server-Side Request Forgery (SSRF) vulnerabilities in Esri Portal for ArcGIS versions 10.9.1 and below were not fully honored and may allow a remote, unauthenticated attacker to forge requests to arbitrary URLs from the system, potentially leading to network enumeration or reading from hosts inside the network perimeter, a different issue than CVE-2022-38211 and CVE-2022-38212.

Protections against potential Server-Side Request Forgery (SSRF) vulnerabilities in Esri Portal for ArcGIS versions 10.8.1 and below were not fully honored and may allow a remote, unauthenticated attacker to forge requests to arbitrary URLs from the system, potentially leading to network enumeration or reading from hosts inside the network perimeter, a different issue than CVE-2022-38211 and CVE-2022-38203.

Alpine is a scaffolding library in Java.

There is a path traversal vulnerability in Esri ArcGIS Server versions 10.9.1 and below.

Due to unchecked type assertions, maliciously crafted messages can cause panics, which may be used as a denial of service vector.

DNSSEC validation is not performed correctly.

XStream serializes Java objects to XML and back again.

Dragonfly is a Java runtime dependency management library.

The RemoteAddr and LocalAddr methods on the returned net.Conn may call themselves, leading to an infinite loop which will crash the program due to a stack overflow.

Token validation methods are susceptible to a timing side-channel during HMAC comparison.

Due to support of Gzip compression in request bodies, as well as a lack of limiting response body sizes, a malicious server can cause a client to consume a significant amount of system resources, which may be used as a denial of service vector.

Improper path santiziation in github.com/goadesign/goa before v3.0.9, v2.0.10, or v1.4.3 allow remote attackers to read files outside of the intended directory.

Due to improper santization of user input, HTTPEngine.Handle allows for directory traversal, allowing an attacker to read files outside of the target directory that the server has permission to read.

The Noise protocol implementation suffers from weakened cryptographic security after encrypting 2^64 messages, and a potential denial of service attack.

The dag-pb codec can panic when decoding invalid blocks.

Parsing malicious or large YAML documents can consume excessive amounts of CPU or memory.

Unsanitized input in the default logger in github.com/gin-gonic/gin before v1.6.0 allows remote attackers to inject arbitrary log lines.

Some Dahua software products have a vulnerability of unauthenticated request of MQTT credentials.

Some Dahua software products have a vulnerability of using of hard-coded cryptographic key.

Some Dahua software products have a vulnerability of server-side request forgery (SSRF).

Some Dahua software products have a vulnerability of unauthenticated restart of remote DSS Server.

A vulnerability has been found in Morgawr Muon 0.1.1 and classified as problematic.

A vulnerability, which was classified as problematic, has been found in cocagne pysrp up to 1.0.16.

A vulnerability was found in email-existence.

A vulnerability was found in RamseyK httpserver.

The glob-parent package before 6.0.1 for Node.js allows ReDoS (regular expression denial of service) attacks against the enclosure regular expression.

fastrack Reflex 2.0 W307S_REFLEX_v90.89 Activity Tracker allows an Unauthenticated Remote attacker to send a malicious firmware update via BLE and brick the device.

fastrack Reflex 2.0 W307S_REFLEX_v90.89 Activity Tracker allows a Remote attacker to cause a Denial of Service (device outage) via crafted choices of the last three bytes of a characteristic value.

Heimdal before 7.7.1 allows attackers to cause a NULL pointer dereference in a SPNEGO acceptor via a preferred_mech_type of GSS_C_NO_OID and a nonzero initial_response value to send_accept.

NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an out-of-bounds array access may lead to denial of service, information disclosure, or data tampering.

SourceCodester Sanitization Management System 1.0 is vulnerable to SQL Injection.

Some Dahua software products have a vulnerability of unrestricted upload of file.

The Plugin Logic WordPress plugin before 1.0.8 does not sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin

NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an off-by-one error may lead to data tampering or information disclosure.

NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer handler, where an Integer overflow may lead to denial of service or information disclosure.

NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an integer overflow may lead to information disclosure or data tampering.

Improper Handling of Insufficient Permissions or Privileges in GitHub repository usememos/memos prior to 0.9.1.

StreamX applications from versions 6.02.01 to 6.04.34 are affected by a path traversal vulnerability that allows authenticated users to get unauthorized access to files on the server's filesystem.

There is an insufficient authentication vulnerability in some Huawei band products.

There is a denial of service vulnerability in the Wi-Fi module of the HUAWEI WS7100-20 Smart WiFi Router.Successful exploit could cause a denial of service (DoS) condition.

Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.1.

Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.1.

Elrond-GO is a go implementation for the Elrond Network protocol.

DNSSEC validation is not performed correctly.

Some Dahua software products have a vulnerability of unrestricted download of file.

A vulnerability was found in moodle-block_sitenews 1.0.

A vulnerability was found in dolibarr_project_timesheet up to 4.5.5.

A vulnerability, which was classified as problematic, was found in ReFirm Labs binwalk up to 2.3.2.

The Opera Mini application 47.1.2249.129326 for Android allows remote attackers to spoof the Location Permission dialog via a crafted web site.

In Philips (formerly Carestream) Vue MyVue PACS through 12.2.x.x, the VideoStream function allows Path Traversal by authenticated users to access files stored outside of the web root.

authentik is an open-source Identity provider focused on flexibility and versatility.

An issue was discovered in WeCube Platform 3.2.2.

** UNSUPPPORTED WHEN ASSIGNED **** UNSUPPORTED WHEN ASSIGNED ** A vulnerability classified as problematic has been found in SimpleSAMLphp simplesamlphp-module-openid.

A vulnerability, which was classified as problematic, has been found in admont28 Ingnovarq.

A vulnerability classified as problematic was found in Zenoss Dashboard up to 1.3.4.

An issue was discovered in WeCube platform 3.2.2.

The Web Application Firewall (WAF) in Kemp LoadMaster 7.2.54.1 allows certain uses of onmouseover to bypass an XSS protection mechanism.

Cross-site Scripting (XSS) - Stored in GitHub repository linagora/twake prior to 2023.Q1.1200+.

A vulnerability has been found in Yuna Scatari TBDev up to 2.1.17 and classified as problematic.

** UNSUPPPORTED WHEN ASSIGNED **** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in vova07 Yii2 FileAPI Widget up to 0.1.8.

A vulnerability was found in rf Keynote up to 0.x.

A vulnerability was found in Sterc Google Analytics Dashboard for MODX up to 1.0.5.

A vulnerability has been found in aerouk imageserve and classified as problematic.

** UNSUPPPORTED WHEN ASSIGNED **** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in Chris92de AdminServ.

** UNSUPPPORTED WHEN ASSIGNED **** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in Chris92de AdminServ.

A vulnerability, which was classified as problematic, has been found in Joget up to 7.0.33.

XSS in signing form in Reprise Software RLM License Administration v14.2BL4 allows remote attacker to inject arbitrary code via password field.

There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.8.1 and 10.7.1 which may allow a remote, unauthenticated attacker to create a crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser.

There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.8.1 and 10.7.1 which may allow a remote remote, unauthenticated attacker to create a crafted link which when clicked which could execute arbitrary JavaScript code in the victim’s browser.

There is a reflected HTML injection vulnerability in Esri Portal for ArcGIS versions 10.9.1 and below that may allow a remote, unauthenticated attacker to create a crafted link which when clicked could render arbitrary HTML in the victim’s browser.

A vulnerability, which was classified as problematic, has been found in w3c Unicorn.

A vulnerability classified as problematic has been found in Twitter-Post-Fetcher up to 17.x.

A vulnerability was found in HotCRP.

A vulnerability classified as problematic has been found in FlatPress.

A vulnerability classified as problematic was found in FlatPress.

A vulnerability, which was classified as problematic, has been found in FlatPress.

A vulnerability, which was classified as problematic, was found in JmPotato Pomash.

A vulnerability has been found in Catalyst-Plugin-Session up to 0.40 and classified as problematic.

A vulnerability was found in moappi Json2html up to 1.1.x and classified as problematic.

A vulnerability was found in FarCry Solr Pro Plugin up to 1.5.x.

A vulnerability, which was classified as problematic, was found in yolapi.

A vulnerability, which was classified as problematic, has been found in Harvest Chosen up to 1.8.6.

** UNSUPPPORTED WHEN ASSIGNED **** UNSUPPORTED WHEN ASSIGNED ** A vulnerability classified as problematic has been found in gnuboard youngcart5 up to 5.4.5.1.

A vulnerability classified as critical has been found in Modern Tribe Panel Builder Plugin.

A vulnerability was found in FreePBX arimanager up to 13.0.5.3 and classified as problematic.

A vulnerability was found in OpenMRS openmrs-module-referenceapplication up to 2.11.x.

A vulnerability classified as problematic was found in OpenMRS openmrs-module-referenceapplication up to 2.11.x.

A vulnerability classified as problematic was found in Nagios NCPA.

A vulnerability was found in FreePBX voicemail.

A vulnerability classified as problematic has been found in OpenMRS HTML Form Entry UI Framework Integration Module up to 1.x.

A vulnerability was found in FlatPress and classified as problematic.

Password Manager for IIS 2.0 has a cross-site scripting (XSS) vulnerability via the /isapi/PasswordManager.dll ResultURL parameter.

OX App Suite through 7.10.6 allows XSS via script code within a contact that has an e-mail address but lacks a name.

OX App Suite through 7.10.6 allows XSS via a malicious capability to the metrics or help module, as demonstrated by a /#!!&app=io.ox/files&cap= URI.

OX App Suite through 7.10.6 allows XSS via HTML in text/plain e-mail messages.

OX App Suite through 7.10.6 allows XSS via a deep link, as demonstrated by class="deep-link-app" for a /#!!&app=%2e./ URI.

OX App Suite through 7.10.6 allows XSS via XHTML CDATA for a snippet, as demonstrated by the onerror attribute of an IMG element within an e-mail signature.

A vulnerability, which was classified as problematic, was found in InSTEDD Nuntium.

A vulnerability was found in OpenShift OSIN.

Some Dahua software products have a vulnerability of unauthenticated un-throttled ICMP requests on remote DSS Server.

NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer, where an unprivileged user can cause a null-pointer dereference, which may lead to denial of service.

NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer handler, where an unhandled return value can lead to a null-pointer dereference, which may lead to denial of service.

NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler, where improper input validation of a display-related data structure may lead to denial of service.

NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer, where an unprivileged regular user can cause a null-pointer dereference, which may lead to denial of service.

NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape, where a null-pointer dereference occurs, which may lead to denial of service.

Multiple XSS issues were discovered in Sage XRT Business Exchange 12.4.302 that allow an attacker to execute JavaScript code in the context of other users' browsers.

Argument Injection in GitHub repository froxlor/froxlor prior to 2.0.0-beta1.

Gotify server is a simple server for sending and receiving messages in real-time per WebSocket.

Alpine is a scaffolding library in Java.

Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.1.

Incorrect Authorization in GitHub repository usememos/memos prior to 0.9.1.

A vulnerability was found in shred cilla.

A vulnerability was found in OpenMRS Appointment Scheduling Module up to 1.12.x.

A vulnerability has been found in Graphite Web and classified as problematic.

A vulnerability was found in Graphite Web and classified as problematic.

A vulnerability was found in Graphite Web.

A vulnerability classified as problematic has been found in Indeed Engineering util up to 1.0.33.

A vulnerability was found in ytti Oxidized Web.

A vulnerability was found in FreeBPX voicemail.

A vulnerability was found in IET-OU Open Media Player up to 1.5.0.

An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1.

OX App Suite through 8.2 allows XSS because BMFreehand10 and image/x-freehand are not blocked.

OX App Suite through 8.2 allows XSS via a certain complex hierarchy that forces use of Show Entire Message for a huge HTML e-mail message.

perfSONAR before 4.4.6, when performing participant discovery, incorrectly uses an HTTP request header value to determine a local address.

perfSONAR before 4.4.6 inadvertently supports the parse option for a file:// URL.

A vulnerability was found in pastebinit up to 0.2.2 and classified as problematic.

Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.1.

Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.1.

XML Digital Signatures generated and validated using this package use SHA-1, which may allow an attacker to craft inputs which cause hash collisions depending on their control over the input.

A vulnerability classified as problematic has been found in nsupdate.info.

Some Dahua software products have a vulnerability of unauthenticated request of AES crypto key.

Some Dahua software products have a vulnerability of unauthenticated search for devices.

fastrack Reflex 2.0 W307S_REFLEX_v90.89 Activity Tracker allows a Remote attacker to change the time, date, and month via Bluetooth LE Characteristics on handle 0x0017.

An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1.

An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1.

OX App Suite through 7.10.6 has Uncontrolled Resource Consumption via a large location request parameter to the redirect servlet.

OX App Suite through 7.10.6 has Uncontrolled Resource Consumption via a large request body containing a redirect URL to the deferrer servlet.

OX App Suite through 7.10.6 allows SSRF because the anti-SSRF protection mechanism only checks the first DNS AA or AAAA record.

Incorrect implementation in authentication protocol in M-Files Client before 22.5.11356.0 allows high privileged user to get other users tokens to another resource.

PrimeKey EJBCA 7.9.0.2 Community allows stored XSS in the End Entity section.

The Broken Link Checker WordPress plugin before 1.11.20 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

A vulnerability classified as problematic was found in Nakiami Mellivora up to 2.1.x.

The Paytium: Mollie payment forms & donations WordPress plugin before 4.3.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Improper Authorization in GitHub repository froxlor/froxlor prior to 2.0.0-beta1.

Cross-Site Request Forgery (CSRF) in GitHub repository froxlor/froxlor prior to 2.0.0-beta1.

A vulnerability was found in Talend Open Studio for MDM.

efs-utils is a set of Utilities for Amazon Elastic File System (EFS).

Some Dahua software products have a vulnerability of unauthenticated enable or disable SSHD service.

Some Dahua software products have a vulnerability of unauthenticated traceroute host from remote DSS Server.

lxc-user-nic in lxc through 5.0.1 is installed setuid root, and may allow local users to infer whether any file exists, even within a protected directory tree, because "Failed to open" often indicates that a file does not exist, whereas "does not refer to a network namespace path" often indicates that a file exists.

NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape, where an unprivileged regular user can cause exposure of sensitive information to an actor that is not explicitly authorized to have access to that information, which may lead to limited information disclosure.

** UNSUPPPORTED WHEN ASSIGNED **** UNSUPPORTED WHEN ASSIGNED ** A vulnerability classified as problematic was found in cloudsync.

Some Dahua software products have a vulnerability of sensitive information leakage.