CVE-2021-21945: TALOS-2021-1374 || Cisco Talos Intelligence Group
Summary
Two heap-based buffer overflow vulnerabilities exist in the TIFF parser functionality of Accusoft ImageGear 19.10. A specially-crafted file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger these vulnerabilities.
Tested Versions
Accusoft ImageGear 19.10
Product URLs
ImageGear - https://www.accusoft.com/products/imagegear-collection/
CVSSv3 Score
9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE
CWE-122 - Heap-based Buffer Overflow
Details
The ImageGear library is a document-imaging developer toolkit that offers image conversion, creation, editing, annotation and more. It supports more than 100 formats such as DICOM, PDF, Microsoft Office and others.
When a TIFF file with specific tag requirements is loaded, its data are parsed by the FUN_10074d50 function.
The essential tags required to reach this "parser":
- The value of the SamplesPerPixel tag must be greater than 2
- The value of the BitsPerSample tag should be 0xc (we will focus on this value, but different values are parsed by the same function)
- The value of the PlanarConfiguration tag should be 2
- The presence of either the TileOffsets or the StripOffsets tag with a count N greater than 1
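A small triage check for the tag combination listed above, written as an added example for this page (it is neither ImageGear code nor Talos tooling): it reads the first IFD of an in-memory classic TIFF, bounds-checking every offset and count against the buffer length before dereferencing it, and reports whether SamplesPerPixel, BitsPerSample, PlanarConfiguration and the StripOffsets/TileOffsets count match the conditions. It goes slightly beyond the text in accepting both the II and MM byte orders. The kSample bytes are a constructed header carrying those tags and no image data; the strip offsets in it are placeholders, and the tag and type numbers come from the TIFF 6.0 specification.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TIFF 6.0 tag numbers and the two field types this check needs. */
enum { TAG_IMAGE_WIDTH = 256, TAG_BITS_PER_SAMPLE = 258, TAG_STRIP_OFFSETS = 273,
       TAG_SAMPLES_PER_PIXEL = 277, TAG_PLANAR_CONFIG = 284, TAG_TILE_OFFSETS = 324 };
enum { TYPE_SHORT = 3, TYPE_LONG = 4 };

struct tiff_tags {
    uint32_t width, spp, planar, bps0, strip_count, tile_count;
    int have_bps;
};

static uint16_t rd16(const uint8_t *p, int be) { return (uint16_t)(be ? (p[0] << 8) | p[1] : p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p, int be)
{
    return be ? ((uint32_t)rd16(p, be) << 16) | rd16(p + 2, be) : rd16(p, be) | ((uint32_t)rd16(p + 2, be) << 16);
}

/* Reads the first IFD of a classic TIFF held in memory, in either byte order. Every offset
   and count is checked against len before it is dereferenced, which is exactly the
   discipline the vulnerable loop skips for its own buffers. Returns 0, or -1 if the header
   or IFD is malformed or truncated. */
static int parse_first_ifd(const uint8_t *buf, size_t len, struct tiff_tags *t)
{
    int be;
    uint32_t ifd, n;
    memset(t, 0, sizeof *t);
    if (len < 8) return -1;
    be = !memcmp(buf, "MM", 2);
    if (!be && memcmp(buf, "II", 2)) return -1;
    if (rd16(buf + 2, be) != 42) return -1;
    ifd = rd32(buf + 4, be);
    if ((uint64_t)ifd + 2 > len) return -1;
    n = rd16(buf + ifd, be);
    if ((uint64_t)ifd + 2 + (uint64_t)n * 12 > len) return -1;
    for (uint32_t i = 0; i < n; i++) {
        const uint8_t *e = buf + ifd + 2 + i * 12, *v = e + 8;
        uint16_t tag = rd16(e, be), type = rd16(e + 2, be);
        uint32_t count = rd32(e + 4, be), first;
        size_t esz = type == TYPE_SHORT ? 2 : type == TYPE_LONG ? 4 : 0;
        if (esz == 0) continue;                    /* other field types are not needed here */
        if ((uint64_t)count * esz > 4) {           /* values do not fit inline: field is an offset */
            uint32_t off = rd32(e + 8, be);
            if (off > len || (uint64_t)count * esz > len - off) return -1;
            v = buf + off;
        }
        first = esz == 2 ? rd16(v, be) : rd32(v, be);
        switch (tag) {
        case TAG_IMAGE_WIDTH:       t->width = first; break;
        case TAG_BITS_PER_SAMPLE:   t->bps0 = first; t->have_bps = 1; break;
        case TAG_SAMPLES_PER_PIXEL: t->spp = first; break;
        case TAG_PLANAR_CONFIG:     t->planar = first; break;
        case TAG_STRIP_OFFSETS:     t->strip_count = count; break;
        case TAG_TILE_OFFSETS:      t->tile_count = count; break;
        default: break;
        }
    }
    return 0;
}

/* The tag combination the advisory lists for reaching the 12-bit planar path. */
static int matches_advisory_path(const struct tiff_tags *t)
{
    return t->spp > 2 && t->have_bps && t->bps0 == 0xc && t->planar == 2 &&
           (t->strip_count > 1 || t->tile_count > 1);
}

/* 1 if the file matches, 0 if it does not, -1 if it could not be parsed. */
static int check_blob(const uint8_t *buf, size_t len)
{
    struct tiff_tags t;
    return parse_first_ifd(buf, len, &t) == 0 ? matches_advisory_path(&t) : -1;
}

/* Constructed little-endian TIFF header + IFD (96 bytes, no image data, placeholder strip
   offsets): ImageWidth=4, BitsPerSample=12 x7, StripOffsets x2, SamplesPerPixel=7, PlanarConfiguration=2. */
static const uint8_t kSample[] = {
    'I', 'I', 0x2a, 0x00, 0x08, 0x00, 0x00, 0x00,                            /* II, 42, IFD @ 8 */
    0x05, 0x00,                                                               /* 5 entries       */
    0x00, 0x01, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,   /* 256 SHORT 1 = 4 */
    0x02, 0x01, 0x03, 0x00, 0x07, 0x00, 0x00, 0x00, 0x4a, 0x00, 0x00, 0x00,   /* 258 SHORT 7 @74 */
    0x11, 0x01, 0x04, 0x00, 0x02, 0x00, 0x00, 0x00, 0x58, 0x00, 0x00, 0x00,   /* 273 LONG 2 @88  */
    0x15, 0x01, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,   /* 277 SHORT 1 = 7 */
    0x1c, 0x01, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,   /* 284 SHORT 1 = 2 */
    0x00, 0x00, 0x00, 0x00,                                                   /* no next IFD     */
    0x0c, 0x00, 0x0c, 0x00, 0x0c, 0x00, 0x0c, 0x00, 0x0c, 0x00, 0x0c, 0x00, 0x0c, 0x00, /* 7 x 12 */
    0x60, 0x00, 0x00, 0x00, 0xc8, 0x00, 0x00, 0x00,                           /* 2 strip offsets */
};

int main(void)
{
    struct tiff_tags t;
    if (parse_first_ifd(kSample, sizeof kSample, &t) != 0) { puts("not a parseable TIFF"); return 1; }
    printf("width=%u spp=%u bps[0]=%u planar=%u strips=%u tiles=%u -> %s\n", t.width, t.spp, t.bps0,
           t.planar, t.strip_count, t.tile_count, matches_advisory_path(&t) ? "matches" : "does not match");
    return 0;
}
```

Only the first value of BitsPerSample is inspected, since the advisory's condition is stated on that tag as a whole; a file whose later samples use a different depth would still need the per-sample loop in TIFF_parse to be examined separately.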
The function FUN_10074d50:
dword __cdecl
FUN_10074d50(uint ID_TIF_SAMPLES_PER_PIXEL,int sample_index,uint ID_TIF_BITS_PER_SAMPLE,
int ID_TIF_IMAGE_WIDTH,byte *src_buff,void *dest_buff,size_t source_size)
{
[...]
if (true) {
switch(ID_TIF_BITS_PER_SAMPLE) {
[...]
case 0xc:
alternate_branch = false;
loop_index = 0;
width_index = ID_TIF_IMAGE_WIDTH;
if (0 < ID_TIF_IMAGE_WIDTH) {
do {
if (0 < (int)ID_TIF_SAMPLES_PER_PIXEL) {
ID_TIF_BITS_PER_SAMPLE = ID_TIF_SAMPLES_PER_PIXEL;
do {
if (alternate_branch) {
if (alternate_branch) {
curren_src_byte_cur = src_buff + loop_index;
loop_index_plus_1 = loop_index + 1;
loop_index = loop_index + 2;
*(ushort *)((int)dest_buff + sample_index * 2) =
CONCAT11(*curren_src_byte_cur,src_buff[loop_index_plus_1]) & 0xfff; [1]
sample_index = sample_index + ID_TIF_SAMPLES_PER_PIXEL;
alternate_branch = false;
}
}
else {
*(ushort *)((int)dest_buff + sample_index * 2) =
(ushort)(src_buff[loop_index + 1] >> 4) |
(ushort)src_buff[loop_index] << 4; [2]
sample_index = sample_index + ID_TIF_SAMPLES_PER_PIXEL;
loop_index = loop_index + 1;
alternate_branch = true;
}
[...]
}
In this function src_buff, which represents a "row" of data, is copied into dest_buff. This function implements the data parsing for the supported BitsPerSample values. When BitsPerSample is 0xc, the copy of the data is performed in a loop iterated SamplesPerPixel times. Every two iterations follow a writing pattern where, for each 3 bytes read from src_buff, 4 bytes are written into dest_buff. That loop is in turn iterated ImageWidth times.
The idea is that 16 bits (i.e., 2 bytes) of dest_buff are filled with 12 bits of src_buff. At [2] the first 12 bits of the source are manipulated, and the remaining 12, which complete the 3 bytes read, are manipulated at [1]. It is important to note that the access to dest_buff is not sequential: it is calculated using sample_index as base offset, incremented at each iteration by SamplesPerPixel, a value taken directly from the homonymous TIFF tag.
The call to FUN_10074d50 originates from the TIFF_parse function, the "main" TIFF parser:
void TIFF_parse(mys_table_function *param_1,uint param_2,mys_tags_data *TIFF_tags,undefined4 param_4
,HIGDIBINFO param_5,subsapling_Y_Cb_Cr *YCbCr_subsamp)
{
[...]
dst_buff = (byte *)0x0;
width_buff_size = 0;
local_c = 0;
multipler = (byte *)0x0;
arr_of_dest_buff = (byte **)0x0;
if (*(ushort *)&TIFF_tags->ID_TIF_SAMPLES_PER_PIXEL == 0) {
AF_err_record_set("..\\..\\..\\..\\Common\\Formats\\tifread.c",0x1793,-0x80d,0,0,0,(LPCHAR)0x0);
AF_error_check();
return;
}
io_buff = (io_buffer *)
AF_memm_alloc(param_2,(uint)*(ushort *)&TIFF_tags->ID_TIF_SAMPLES_PER_PIXEL * 0x34);
if (io_buff == (io_buffer *)0x0) {
AF_err_record_set("..\\..\\..\\..\\Common\\Formats\\tifread.c",0x1799,-1000,0,0,0,(LPCHAR)0x0);
AF_error_check();
return;
}
src_buff = (byte **)AF_memm_alloc(param_2,(uint)*(ushort *)&TIFF_tags->ID_TIF_SAMPLES_PER_PIXEL <<
2);
if (src_buff == (byte **)0x0) {
sample_per_pixel_index = 0x17a1;
lpExtraText_00 = src_buff;
}
else {
OS_memset(src_buff,0,(uint)*(ushort *)&TIFF_tags->ID_TIF_SAMPLES_PER_PIXEL << 2);
lpExtraText_00 =
(byte **)AF_memm_alloc(param_2,(uint)*(ushort *)&TIFF_tags->ID_TIF_SAMPLES_PER_PIXEL << 2);
if (lpExtraText_00 != (byte **)0x0) {
if (TIFF_tags->ID_TIF_PHOTO_INTERP == IG_TIF_PHOTO_YCBCR) {
[...]
}
else {
LAB_10177d86:
if (TIFF_tags->ID_TIF_PLANAR_CONFIG == 1) {
[...]
}
else {
if (TIFF_tags->ID_TIF_PLANAR_CONFIG == 2) {
if (TIFF_tags->ID_TIF_PHOTO_INTERP == IG_TIF_PHOTO_YCBCR) {
[...]
}
else {
sample_per_pixel_index = 0;
if (*(short *)&TIFF_tags->ID_TIF_SAMPLES_PER_PIXEL != 0) {
do {
loop_index = sample_per_pixel_index + 1;
iVar1 = (int)*(short *)((TIFF_tags->ID_TIF_BITS_PER_SAMPLE - 2) + loop_index * 2)
* TIFF_tags->ID_TIF_IMAGE_WIDTH + 7;
lpExtraText_00[sample_per_pixel_index] =
(byte *)((int)(iVar1 + (iVar1 >> 0x1f & 7U)) >> 3); [3]
sample_per_pixel_index = loop_index;
} while (loop_index < (int)(uint)*(ushort *)&TIFF_tags->ID_TIF_SAMPLES_PER_PIXEL);
}
width_buff_size = IO_raster_size_get(param_5);
dst_buff = (byte *)AF_memm_alloc(param_2,width_buff_size); [4]
if (dst_buff == (byte *)0x0) {
AF_err_record_set("..\\..\\..\\..\\Common\\Formats\\tifread.c",0x1843,-1000,0,
param_2,width_buff_size,(LPCHAR)0x0);
goto LAB_10178379;
}
}
dVar3 = 0;
sample_size_index = 0;
piVar4 = io_buff;
if (*(short *)&TIFF_tags->ID_TIF_SAMPLES_PER_PIXEL != 0) {
do {
dVar2 = IOb_init(param_1,param_2,piVar4,(int)lpExtraText_00[sample_size_index] * 5,1
); [5]
if (0 < (int)dVar2) {
dVar3 = 1;
local_c = 1;
break;
}
sample_size_index = sample_size_index + 1;
piVar4 = (io_buffer *)&piVar4->size_buffer;
} while (sample_size_index <
(int)(uint)*(ushort *)&TIFF_tags->ID_TIF_SAMPLES_PER_PIXEL);
}
sample_per_pixel_index = 0;
param_5 = (HIGDIBINFO)0x0;
for (local_18 = 0;
(dVar3 == 0 &&
(local_18 < (int)TIFF_tags->from_ID_TIF_STRIP_OFFSET_or_ID_TIF_TILE_OFFSETS));
local_18 = local_18 + 1) {
if ((TIFF_tags->ID_TIF_TILE_OFFSETS != 0) &&
(*(short *)&TIFF_tags->ID_TIF_SAMPLES_PER_PIXEL != 0)) {
iVar1 = 0;
piVar4 = io_buff;
do {
perform_some_read_or_write_intofile
(piVar4,*(int *)(TIFF_tags->ID_TIF_TILE_OFFSETS +
(TIFF_tags->
result_strip_tile_offset_divided_sample_per_pixel *
iVar1 + local_18) * 4) + TIFF_tags->IFD_Offset,0,0); [6]
iVar1 = iVar1 + 1;
piVar4 = (io_buffer *)&piVar4->size_buffer;
dVar3 = local_c;
sample_per_pixel_index = (int)param_5;
} while (iVar1 < (int)(uint)*(ushort *)&TIFF_tags->ID_TIF_SAMPLES_PER_PIXEL);
}
local_28 = 0;
if (0 < (int)TIFF_tags->ID_TIF_ROWS_PER_STRIP) {
do {
local_c = dVar3;
if ((int)TIFF_tags->ID_TIF_IMAGE_HEIGHT <= sample_per_pixel_index) break;
iVar1 = 0;
sample_per_pixel_index = (int)param_5;
if (TIFF_tags->ID_TIF_PHOTO_INTERP == IG_TIF_PHOTO_YCBCR) {
[...]
}
else {
piVar4 = io_buff;
if (*(short *)&TIFF_tags->ID_TIF_SAMPLES_PER_PIXEL != 0) {
do {
vert_buff = (byte *)get_data_from_file(piVar4,(uint)*lpExtraText_00);
src_buff[iVar1] = vert_buff;
if (vert_buff == (byte *)0x0) {
AF_err_record_set("..\\..\\..\\..\\Common\\Formats\\tifread.c",0x1887,
-0x803,0,(AT_INT)*lpExtraText_00,0,(LPCHAR)0x0);
dVar3 = dVar3 + 1;
break;
}
iVar1 = iVar1 + 1;
piVar4 = (io_buffer *)&piVar4->size_buffer;
} while (iVar1 < (int)(uint)*(ushort *)&TIFF_tags->ID_TIF_SAMPLES_PER_PIXEL);
}
local_c = dVar3;
if (dVar3 != 0) break;
FUN_1017c970(TIFF_tags,param_4,src_buff,lpExtraText_00,dst_buff); [7]
[...]
}
This function is responsible for preparing src_buff and dest_buff and calling the correct TIFF "sub-parser". At [5], SamplesPerPixel buffers are allocated, each with the size calculated at [3]. These buffers, in this specific scenario, all have the same size, and each one will individually be used as src_buff. The size of a src_buff is:
src_size = (((BitsPerSample & 0xffff) * width + 7) >> 3) * 5
Eventually, at [6], these buffers are filled.
At [4] dest_buff is allocated, using as size the return value of the function IO_raster_size_get. The return value of IO_raster_size_get, in this specific case, can be simplified as:
dest_size = (((next_mult_of_8_of_BitsPerSample * SamplesPerPixel * ImageWidth) + 0x1f) >> 3) & 0xfffffffc
Where ImageWidth and SamplesPerPixel correspond to the homonymous TIFF tags, and next_mult_of_8_of_BitsPerSample is BitsPerSample rounded up to the next multiple of 8; BitsPerSample, like the other two, is a value taken directly from a TIFF tag.
TIFF_parse then calls, at [7], the FUN_1017c970 function, which essentially calls FUN_10074d50 once per sample, passing the corresponding src_buff together with sample_index, the variable used as base offset into dest_buff, which goes from 0 to SamplesPerPixel.
CVE-2021-21944 - TIFF parser - planar format. First 12 bits
A specially-crafted TIFF file can lead to a heap-based buffer overflow in the TIFF image parser, due to a missing boundary check.
Trying to load a malicious TIFF file, we end up in the following situation:
(dcc.182c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000036 ebx=00000007 ecx=0bd58e08 edx=00000414 esi=000000fc edi=0bd5eef0
eip=70104f1f esp=0019f588 ebp=0019f5ac iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
igCore19d!IG_mpi_page_set+0x8eef:
70104f1f 66891471 mov word ptr [ecx+esi*2],dx ds:002b:0bd59000=????
This access violation takes place at [2] in the FUN_10074d50 function, when trying to copy the first 12 bits from src_buff to dest_buff.
From the allocation of src_buff and dest_buff in TIFF_parse up to [2], the program never checks, taking into account the writing pattern used, for a possible out-of-bounds access.
For example:
sample_index = 0
ImageWidth = 0x24
SamplesPerPixel = 0x7
BitsPerSample = 0xc
We will obtain a dest_size of 0x1f8 and a src_size of 0x10e.
At iteration 5 of the outer loop in FUN_10074d50 (the ImageWidth loop, counting from 0) and iteration 1 of the inner one (the SamplesPerPixel loop), the element accessed would be:
sample_index + SamplesPerPixel * (SamplesPerPixel * width_iteration + sample_per_pixel_iteration) =
0 + 7 * (7 * 5 + 1) = 0xfc
Because dest_buff is a buffer of 16-bit elements, element 0xfc is located at offsets 0x1f8 and 0x1f9, and because dest_size is only 0x1f8 bytes long we are accessing that heap buffer out of bounds.
So, depending on the specific TIFF tags, dest_buff could be bigger or smaller than a single src_buff. In either case a heap-based buffer overflow can occur due to the specific writing pattern and the missing boundary check.
CVE-2021-21945 - TIFF parser - planar format. Second 12 bits
Trying to load a malicious TIFF file, we end up in the following situation:
(22a8.1bbc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000006 ebx=00000007 ecx=0bd28fe0 edx=00000141 esi=00000015 edi=0bd48ff0
eip=6f3b4efd esp=0019f588 ebp=0019f5ac iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
igCore19d!IG_mpi_page_set+0x8ecd:
6f3b4efd 66891471 mov word ptr [ecx+esi*2],dx ds:002b:0bd2900a=????
This access violation takes place at [1] in the FUN_10074d50 function, when trying to copy the second 12 bits from src_buff to dest_buff.
From the allocation of src_buff and dest_buff in TIFF_parse up to [1], the program never checks, taking into account the writing pattern used, for a possible out-of-bounds access.
For example, with:
sample_index = 0
ImageWidth = 0x4
SamplesPerPixel = 0x7
BitsPerSample = 0xc
We will obtain a dest_size of 0x38 and a src_size of 0x1e.
At iteration 0 of the outer loop in FUN_10074d50 (the ImageWidth loop) and iteration 4 of the inner one (the SamplesPerPixel loop, counting from 0), the element accessed would be:
sample_index + SamplesPerPixel * (SamplesPerPixel * width_iteration + sample_per_pixel_iteration) =
0 + 7 * (7 * 0 + 4) = 0x1c
Because dest_buff is a buffer of 16-bit elements, element 0x1c is located at offsets 0x38 and 0x39, and because dest_size is only 0x38 bytes long we are accessing that heap buffer out of bounds.
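The index arithmetic of FUN_10074d50, the two allocation sizes from TIFF_parse and both worked examples above can be reproduced with the following C program. It is an added example written for this page, not ImageGear code: src_size() and dest_size() implement the advisory's simplified formulas (rounding BitsPerSample up to a multiple of 8 is an assumption for values other than 0xc), first_oob_iter() and first_oob_elem() compute the first 16-bit store that lands past dest_buff for any SamplesPerPixel and ImageWidth, and unpack12_planar() re-implements the [1]/[2] loop with the bounds check the shipped code lacks, refusing the store instead of performing it. The kRow bytes are constructed sample input, not data from the crashing files.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size of one per-sample row buffer: computed at [3], multiplied by 5 at [5]. */
static size_t src_size(unsigned bps, int width)
{
    int v = (int)(bps & 0xffff) * width + 7;
    return (size_t)((v + ((v >> 31) & 7)) >> 3) * 5;   /* compiler's signed division by 8 */
}

/* Simplified IO_raster_size_get(): BitsPerSample rounded up to a multiple of 8 (assumed for
   values other than 0xc), times SamplesPerPixel and ImageWidth, in bytes, rounded down to a multiple of 4. */
static size_t dest_size(unsigned bps, unsigned spp, unsigned width)
{
    unsigned bps8 = (bps + 7) & ~7u;
    return ((bps8 * spp * width + 0x1f) >> 3) & 0xfffffffcu;
}

/* FUN_10074d50 performs spp * width 16-bit stores; store k = spp * width_iteration +
   sample_per_pixel_iteration goes to element sample_index + spp * k. Returns the first k
   whose element lies at or past dest_bytes, or -1 if every store fits. */
static long first_oob_iter(unsigned sample_index, unsigned spp, unsigned width, size_t dest_bytes)
{
    size_t dest_elems = dest_bytes / 2, total = (size_t)spp * width;
    size_t k = sample_index >= dest_elems ? 0 : (dest_elems - sample_index + spp - 1) / spp;
    return k < total ? (long)k : -1;
}
/* Element index of that first out-of-bounds store (its byte offset is twice this). */
static long first_oob_elem(unsigned sample_index, unsigned spp, unsigned width, size_t dest_bytes)
{
    long k = first_oob_iter(sample_index, spp, width, dest_bytes);
    return k < 0 ? -1 : (long)(sample_index + spp * (unsigned)k);
}

/* The 12-bit unpack loop of FUN_10074d50 plus the check it lacks: each store is validated
   against dest_elems and each read against src_len first. [2] takes the high 12 bits of bytes
   n,n+1 and [1] the low 12 bits of bytes n+1,n+2, so 3 source bytes become two 16-bit
   elements. Returns 0 when every store fits, -1 at the first one that would not. */
static int unpack12_planar(const uint8_t *src, size_t src_len, uint16_t *dest, size_t dest_elems,
                           unsigned sample_index, unsigned spp, unsigned width)
{
    size_t loop_index = 0; int alternate_branch = 0;
    for (unsigned w = 0; w < width; w++) {
        for (unsigned s = 0; s < spp; s++) {
            if (sample_index >= dest_elems || loop_index + 1 >= src_len) return -1;
            if (!alternate_branch) {                                                  /* [2] */
                dest[sample_index] = (uint16_t)((src[loop_index] << 4) | (src[loop_index + 1] >> 4));
                loop_index += 1;
            } else {                                                                  /* [1] */
                dest[sample_index] = (uint16_t)(((src[loop_index] << 8) | src[loop_index + 1]) & 0xfff);
                loop_index += 2;
            }
            sample_index += spp;
            alternate_branch = !alternate_branch;
        }
    }
    return 0;
}

/* Constructed 12-bit row holding the samples 0x123, 0x456, 0x789, 0xabc (not advisory data). */
static const uint8_t kRow[] = { 0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc };
/* Runs the checked loop with buffers of exactly the sizes TIFF_parse would allocate for these
   tags (BitsPerSample = 0xc, sample_index = 0); -1 means the shipped loop would overflow. */
static int advisory_case(unsigned spp, unsigned width)
{
    size_t ss = src_size(12, (int)width), ds = dest_size(12, spp, width);
    uint8_t *src = calloc(ss, 1);
    uint16_t *dest = calloc(ds / 2 + 1, sizeof *dest);
    int rc = -2;
    if (src && dest) {
        memcpy(src, kRow, sizeof kRow < ss ? sizeof kRow : ss);
        rc = unpack12_planar(src, ss, dest, ds / 2, 0, spp, width);
    }
    free(src); free(dest);
    return rc;
}

/* Decoded sample i for a case that fits (spp = 1, width = 4), exercising [2] and [1] in turn. */
static uint16_t fit_case_sample(unsigned i)
{
    uint16_t dest[4] = { 0 };
    if (i >= 4 || unpack12_planar(kRow, sizeof kRow, dest, 4, 0, 1, 4) != 0) return 0xffff;
    return dest[i];
}

int main(void)
{
    const unsigned cases[2][2] = { { 7, 0x24 }, { 7, 4 } };   /* the advisory's two examples */
    for (int i = 0; i < 2; i++) {
        unsigned spp = cases[i][0], width = cases[i][1];
        size_t ds = dest_size(12, spp, width);
        long k = first_oob_iter(0, spp, width, ds), e = first_oob_elem(0, spp, width, ds);
        printf("spp=%u width=%#x src_size=%#zx dest_size=%#zx: store k=%ld (w=%ld, s=%ld) -> element %#lx,"
               " byte offset %#lx; checked unpack returns %d\n", spp, width, src_size(12, (int)width), ds,
               k, k / (long)spp, k % (long)spp, e, e * 2, advisory_case(spp, width));
    }
    return 0;
}
```

For the first example the program reports store k = 36 (w = 5, s = 1) hitting element 0xfc at byte offset 0x1f8, and for the second store k = 4 (w = 0, s = 4) hitting element 0x1c at byte offset 0x38, matching the arithmetic above. The closed form in first_oob_iter also makes the root cause visible: the loop issues SamplesPerPixel * ImageWidth stores at stride SamplesPerPixel from a single planar row, so as soon as SamplesPerPixel exceeds 1 the last store reaches roughly SamplesPerPixel times past the end of a dest_buff sized for SamplesPerPixel * ImageWidth elements.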
Timeline
2021-09-10 - Initial contact
2021-09-14 - Vendor acknowledged and created support ticket
2021-09-21 - Vendor closed support ticket and confirmed under review with engineering team
2021-11-30 - 60 day follow up
2021-12-02 - Vendor advised release planned for Q1 2022
2021-12-07 - 30 day disclosure extension granted
2022-01-06 - Final disclosure notification
2022-02-23 - Public disclosure
Discovered by Francesco Benvenuto of Cisco Talos.