Out-of-bounds read vulnerability exists in TELLUS v4.0.15.0 and TELLUS Lite v4.0.15.0. Opening a specially crafted V8 file may lead to information disclosure and/or arbitrary code execution.

Published:2023/06/08  Last Updated:2023/06/08

**Overview**

Fuji Electric V-Server, V-Server Lite, TELLUS, and TELLUS Lite contain multiple vulnerabilities.

**Products Affected**

**CVE-2023-31239**

*   V-Server v4.0.15.0 and earlier
*   V-Server Lite v4.0.15.0 and earlier

**CVE-2023-32538, CVE-2023-32273, CVE-2023-32201**

*   TELLUS v4.0.15.0 and earlier
*   TELLUS Lite v4.0.15.0 and earlier

**CVE-2023-32288**

*   TELLUS v4.0.15.0 and earlier
*   TELLUS Lite v4.0.15.0 and earlier

**CVE-2023-32276, CVE-2023-32270, CVE-2023-32542**

*   TELLUS v4.0.15.0 and earlier
*   TELLUS Lite v4.0.15.0 and earlier

**Description**

Multiple vulnerabilities listed below exist in the simulator module and the remote monitoring software 'V-Server Lite' and 'V-Server' contained in the graphic editor 'V-SFT', and the remote monitoring software 'TELLUS' and 'TELLUS Lite' provided by FUJI ELECTRIC CO., LTD.

*   **Stack-based buffer overflow in V-Serve, V-Server Lite (CWE-121)** - CVE-2023-31239
    
    CVSS v3
    
    CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
    
    **Base Score: 7.8**
    
*   **Stack-based buffer overflow in TELLUS, TELLUS Lite (CWE-121)** - CVE-2023-32538, CVE-2023-32273, CVE-2023-32201
    
    CVSS v3
    
    CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
    
    **Base Score: 7.8**
    
*   **Out-of-bounds read in TELLUS, TELLUS Lite (CWE-125)** - CVE-2023-32288
    
    CVSS v3
    
    CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
    
    **Base Score: 7.8**
    
*   **Stack-based buffer overflow in TELLUS, TELLUS Lite (CWE-121)** - CVE-2023-32276
    
    CVSS v3
    
    CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
    
    **Base Score: 7.8**
    
*   **Access of memory location after end of buffer in TELLUS, TELLUS Lite (CWE-788)** - CVE-2023-32270
    
    CVSS v3
    
    CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
    
    **Base Score: 7.8**
    
*   **Out-of-bounds read in TELLUS, TELLUS Lite (CWE-125)** - CVE-2023-32542
    
    CVSS v3
    
    CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
    
    **Base Score: 7.8**
    

**Impact**

**CVE-2023-31239**  
Opening a specially crafted VPR file may lead to arbitrary code execution.

**CVE-2023-32538, CVE-2023-32273, CVE-2023-32201**  
Opening a specially crafted SIM2 file may lead to information disclosure and/or arbitrary code execution.

**CVE-2023-32288**  
Opening a specially crafted SIM file may lead to information disclosure and/or arbitrary code execution.

**CVE-2023-32276, CVE-2023-32270, CVE-2023-32542**  
Opening a specially crafted V8 file may lead to information disclosure and/or arbitrary code execution.

**Solution**

**Update the software**  
Update the software to the latest version according to the information provided by the developer.

**Vendor Status**

**References**

**JPCERT/CC Addendum**

**Vulnerability Analysis by JPCERT/CC**

**Credit**

Michael Heinzl reported these vulnerabilities to JPCERT/CC.  
JPCERT/CC coordinated with the developer.

**Other Information**

CVE-2023-32542: Multiple vulnerabilities in Fuji Electric products

A buffer overflow in Nintendo Mario Kart Wii RMCP01, RMCE01, RMCJ01, and RMCK01 can be exploited by a game client to execute arbitrary code on a client's machine via a crafted packet.

**Name already in use**

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

**1** branch **0** tags

Code

*   Use Git or checkout with SVN using the web URL.
    
*   Open with GitHub Desktop
*   Download ZIP

**Latest commit**

**Files**

Permalink

Failed to load latest commit information.

Type

Name

Latest commit message

Commit time

**Mario Kart Wii Remote Code Execution**

Injects arbitrary code into a client's game.

**Assembling**

    powerpc-gekko-as.exe mario_kart_wii_remote_code_execution.S -o mario_kart_wii_remote_code_execution.elf
    powerpc-eabi-objcopy.exe -O binary mario_kart_wii_remote_code_execution.elf mario_kart_wii_remote_code_execution.bin
    

**Usage**

Branch to the compiled assembly code from the appropriate address. After the assembly code has finished executing, redirect code execution to the instruction following the original branch instruction.

**License**

GNU General Public License v2.0

CVE-2023-35856: GitHub - MikeIsAStar/Mario-Kart-Wii-Remote-Code-Execution: Injects arbitrary code into a client's game.

A buffer overflow in Counter-Strike through 8684 allows a game server to execute arbitrary code on a remote client's machine by modifying the lservercfgfile console variable.

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

CVE-2023-35855: GitHub - MikeIsAStar/Counter-Strike-Remote-Code-Execution: Injects arbitrary code into a client's game.

Nanopb before 0.3.1 allows size_t overflows in pb_dec_bytes and pb_dec_string.

**Commit**

Permalink

Browse files

Browse the repository at this point in the history

Protect against size\_t overflows in pb\_dec\_bytes/pb\_dec\_string.

Possible consequences of bug:
1) Denial of service by causing a crash
   Possible when all of the following apply:
      - Untrusted data is passed to pb\_decode()
      - The top-level message contains a static string field as the first field.
   Causes a single write of '0' byte to 1 byte before the message struct.

2) Remote code execution
   Possible when all of the following apply:
      - 64-bit platform
      - The message or a submessage contains a static/pointer string field.
      - Decoding directly from a custom pb\_istream\_t
      - bytes\_left on the stream is set to larger than 4 GB
   Causes a write of up to 4 GB of data past the string field.

3) Possible heap corruption or remote code execution
   Possible when all of the following apply:
      - less than 64-bit platform
      - The message or a submessage contains a pointer-type bytes field.
   Causes a write of sizeof(pb\_size\_t) bytes of data past a 0-byte long
   malloc()ed buffer. On many malloc() implementations, this causes at
   most a crash. However, remote code execution through a controlled jump
   cannot be ruled out.

--

Detailed analysis follows

In the following consideration, I define "platform bitness" as equal to
number of bits in size\_t datatype. Therefore most 8-bit platforms are
regarded as 16-bit for the purposes of this discussion.

1. The overflow in pb\_dec\_string

The overflow happens in this computation:

uint32\_t size;
size\_t alloc\_size;
alloc\_size = size + 1;

There are two ways in which the overflow can occur: In the uint32\_t
addition, or in the cast to size\_t. This depends on the platform
bitness.

On 32- and 64-bit platforms, the size has to be UINT32\_MAX for the
overflow to occur. In that case alloc\_size will be 0.

On 16-bit platforms, overflow will happen whenever size is more than
UINT16\_MAX, and resulting alloc\_size is attacker controlled.

For static fields, the alloc\_size value is just checked against the
field data size. For pointer fields, the alloc\_size value is passed to
malloc(). End result in both cases is the same, the storage is 0 or
just a few bytes in length.

On 16-bit platforms, another overflow occurs in the call to pb\_read(),
when passing the original size. An attacker will want the passed value
to be larger than the alloc\_size, therefore the only reasonable choice
is to have size = UINT16\_MAX and alloc\_size = 0. Any larger multiple
will truncate to the same values.

At this point we have read atleast the tag and the string length of the
message, i.e. atleast 3 bytes. The maximum initial value for stream
bytes\_left is SIZE\_MAX, thus at this point at most SIZE\_MAX-3 bytes are
remaining.

On 32-bit and 16-bit platforms this means that the size passed to
pb\_read() is always larger than the number of remaining bytes. This
causes pb\_read() to fail immediately, before reading any bytes.

On 64-bit platforms, it is possible for the bytes\_left value to be set
to a value larger than UINT32\_MAX, which is the wraparound point in
size calculation. In this case pb\_read() will succeed and write up to 4
GB of attacker controlled data over the RAM that comes after the string
field.

On all platforms, there is an unconditional write of a terminating null
byte. Because the size of size\_t typically reflects the size of the
processor address space, a write at UINT16\_MAX or UINT32\_MAX bytes
after the string field actually wraps back to before the string field.
Consequently, on 32-bit and 16-bit platforms, the bug causes a single
write of '0' byte at one byte before the string field.

If the string field is in the middle of a message, this will just
corrupt other data in the message struct. Because the message contents
is attacker controlled anyway, this is a non-issue. However, if the
string field is the first field in the top-level message, it can
corrupt other data on the stack/heap before it. Typically a single '0'
write at a location not controlled by attacker is enough only for a
denial-of-service attack.

When using pointer fields and malloc(), the attacker controlled
alloc\_size will cause a 0-size allocation to happen. By the same logic
as before, on 32-bit and 16-bit platforms this causes a '0' byte write
only. On 64-bit platforms, however, it will again allow up to 4 GB of
malicious data to be written over memory, if the stream length allows
the read.

2. The overflow in pb\_dec\_bytes

This overflow happens in the PB\_BYTES\_ARRAY\_T\_ALLOCSIZE macro:

The computation is done in size\_t data type this time. This means that
an overflow is possible only when n is larger than SIZE\_MAX -
offsetof(..). The offsetof value in this case is equal to
sizeof(pb\_size\_t) bytes.

Because the incoming size value is limited to 32 bits, no overflow can
happen here on 64-bit platforms.

The size will be passed to pb\_read(). Like before, on 32-bit and 16-bit
platforms the read will always fail before writing anything.

This leaves only the write of bdest->size as exploitable. On statically
allocated fields, the size field will always be allocated, regardless
of alloc\_size. In this case, no buffer overflow is possible here, but
user code could possibly use the attacker controlled size value and
read past a buffer.

If the field is allocated through malloc(), this will allow a write of
sizeof(pb\_size\_t) attacker controlled bytes to past a 0-byte long
buffer. In typical malloc implementations, this will either fit in
unused alignment padding area, or cause a heap corruption and a crash.
Under very exceptional situation it could allow attacker to influence
the behaviour of malloc(), possibly jumping into an attacker-controlled
location and thus leading to remote code execution.

*   Loading branch information

CVE-2014-125106: Protect against size_t overflows in pb_dec_bytes/pb_dec_string. · nanopb/nanopb@d2099cc

A stack-based buffer overflow issue was found in ImageMagick's coders/tiff.c. This flaw allows an attacker to trick the user into opening a specially crafted malicious tiff file, causing an application to crash, resulting in a denial of service.

Expand Up

@@ -2001,6 +2001,11 @@ static Image \*ReadTIFFImage(const ImageInfo \*image\_info,

if (HeapOverflowSanityCheck(rows,sizeof(\*tile\_pixels)) != MagickFalse)

ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");

extent=MagickMax(rows\*TIFFTileRowSize(tiff),TIFFTileSize(tiff));

#if defined(TIFF\_VERSION\_BIG)

extent+=image->columns\*sizeof(uint64);

#else

extent+=image->columns\*sizeof(uint32);

#endif

tile\_pixels=(unsigned char \*) AcquireQuantumMemory(extent,

sizeof(\*tile\_pixels));

if (tile\_pixels == (unsigned char \*) NULL)

Expand Down

CVE-2023-3195: fix stack overflow when parsing malicious tiff image · ImageMagick/ImageMagick@f620340

A heap-based buffer overflow issue was discovered in ImageMagick's ReadTIM2ImageData() function in coders/tim2.c. A local attacker could trick the user in opening specially crafted file, triggering an out-of-bounds read error, allowing an application to crash, resulting in a denial of service.

'2214148?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2023-34474: Invalid Bug ID

TP-Link Archer AX10(EU)_V1.2_230220 was discovered to contain a buffer overflow via the function FUN_131e8 - 0x132B4.

\# Exploit Title: Buffer Overflow in TP-Link Archer AX10(EU)\_V1.2\_230220

\# Exploit Author: Giuseppe Compare

\# Date : 26/05/2023

\# CVE: CVE-2023-34832

\# Vendor Homepage: https://www.tp-link.com/

\# Version: TP-Link Archer AX10(EU)\_V1.2\_230220

Buffer Overflow

There is a buffer overflow in the FUN\_131e8 function due to using sprintf improperly, detailed in line 47-49

memset(&DAT\_000283a4,0,0x800);

sprintf(&DAT\_000283a4,"echo \\'\[ %s \] %d: get OCN v6plus rules begin\\n \\' > /dev/console", "https\_get\_rules\_OCN",0x3c3); system(&DAT\_000283a4);

//line 47-49

sprintf((char \*)&local\_428, "https://rule.map.ocn.ad.jp/?ipv6Prefix=%s&ipv6PrefixLength=%d&code=e8mMWklYwaGoHmT05ynqVM4kPqF9rAUnhrWCp1vWvBeSOO0pfpMokg==" ,param\_2 + 0x23,param\_2\[0x2d\]);

The sprintf() function makes no guarantees regarding the length of the generated string, a sufficiently long string passed as an additional argument could generate a buffer overflow.

Remediation

Guarantee that storage for strings has sufficient space for character data and the null terminator.

Avoid using unsafe functions such as sprintf(), consider using snprintf() or sprintf\_s() and variants.

Double check that your buffer is as large as you specify.

Check buffer boundaries if accessing the buffer in a loop and make sure there is no danger of writing past the allocated space.

CVE-2023-34832: CVE-2023-34832 : Buffer Overflow in TP-Link Archer AX10(EU)_V1.2_230220

A broken authentication vulnerability in 4D SAS 4D Server software v17, v18, v19 R7, and earlier allows attackers to send crafted TCP packets containing requests to perform arbitrary actions.

TP-Link Archer AX10(EU)\_V1.2\_230220 Buffer Overflow

Posted Jun 16, 2023

Authored by Giuseppe Compare

TP-Link Archer version AX10(EU)\_V1.2\_230220 suffers from a buffer overflow vulnerability.

tags | advisory, overflow

Download | Favorite | View

QuickJob Portal 6.1 Cross Site Scripting

Posted Jun 16, 2023

Authored by CraCkEr

QuickJob Portal version 6.1 suffers from a cross site scripting vulnerability.

tags | exploit, xss

Download | Favorite | View

Quicklancer Freelance Marketplace 2.4 Cross Site Scripting

Posted Jun 16, 2023

Authored by CraCkEr

Quicklancer Freelance Marketplace version 2.4 suffers from a cross site scripting vulnerability.

tags | exploit, xss

Download | Favorite | View

QuickHomes Real Estate CMS 1.3 Cross Site Scripting

Posted Jun 16, 2023

Authored by CraCkEr

QuickHomes Real Estate CMS version 1.3 suffers from a cross site scripting vulnerability.

tags | exploit, xss

Download | Favorite | View

Debian Security Advisory 5431-1

Posted Jun 16, 2023

Authored by Debian | Site debian.org

Debian Linux Security Advisory 5431-1 - Xu Biang discovered that missing input sanitizing in Sofia-SIP, a SIP User-Agent library could result in denial of service.

tags | advisory, denial of service

systems | linux, debian

Download | Favorite | View

Ubuntu Security Notice USN-6156-2

Posted Jun 16, 2023

Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 6156-2 - USN-6156-1 fixed a vulnerability in SSSD. In certain environments, not all packages ended up being upgraded at the same time, resulting in authentication failures when the PAM module was being used. This update fixes the problem. It was discovered that SSSD incorrectly sanitized certificate data used in LDAP filters. When using this issue in combination with FreeIPA, a remote attacker could possibly use this issue to escalate privileges.

tags | advisory, remote

systems | linux, ubuntu

Download | Favorite | View

Debian Security Advisory 5430-1

Posted Jun 16, 2023

Authored by Debian | Site debian.org

Debian Linux Security Advisory 5430-1 - Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in denial of service, information disclosure or bypass of sandbox restrictions.

tags | advisory, java, denial of service, vulnerability, info disclosure

systems | linux, debian

Download | Favorite | View

Red Hat Security Advisory 2023-3644-01

Posted Jun 16, 2023

Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2023-3644-01 - Red Hat OpenShift Service Mesh is the Red Hat distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation. This advisory covers container images for the release.

tags | advisory

systems | linux, redhat

Download | Favorite | View

Red Hat Security Advisory 2023-3645-01

Posted Jun 16, 2023

Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2023-3645-01 - Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an OpenShift Container Platform installation. This advisory covers the RPM packages for the release. Issues addressed include a denial of service vulnerability.

tags | advisory, denial of service

systems | linux, redhat

Download | Favorite | View

Ubuntu Security Notice USN-6169-1

Posted Jun 16, 2023

Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 6169-1 - It was discovered that GNU SASL's GSSAPI server could make an out-of-bounds reads if given specially crafted GSS-API authentication data. A remote attacker could possibly use this issue to cause a denial of service or to expose sensitive information.

tags | advisory, remote, denial of service

systems | linux, ubuntu

Download | Favorite | View

Red Hat Security Advisory 2023-3641-01

Posted Jun 16, 2023

Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2023-3641-01 - This release of Camel for Spring Boot 3.18.3.P2 serves as a replacement for Camel for Spring Boot 3.18.3.P1 and includes bug fixes and enhancements, which are documented in the Release Notes linked in the References. Issues addressed include denial of service, deserialization, resource exhaustion, and server-side request forgery vulnerabilities.

tags | advisory, denial of service, vulnerability

systems | linux, redhat

Download | Favorite | View

Red Hat Security Advisory 2023-3642-01

Posted Jun 16, 2023

Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2023-3642-01 - Red Hat Ceph Storage is a scalable, open, software-defined storage platform that combines the most stable version of the Ceph storage system with a Ceph management platform, deployment utilities, and support services. This new container image is based on Red Hat Ceph Storage 6.1 and Red Hat Enterprise Linux 9. Issues addressed include bypass, cross site scripting, denial of service, information leakage, spoofing, and traversal vulnerabilities.

tags | advisory, denial of service, spoof, vulnerability, xss

systems | linux, redhat

Download | Favorite | View

Debian Security Advisory 5429-1

Posted Jun 16, 2023

Authored by Debian | Site debian.org

Debian Linux Security Advisory 5429-1 - Multiple vulnerabilities have been discovered in Wireshark, a network protocol analyzer which could result in denial of service or the execution of arbitrary code.

tags | advisory, denial of service, arbitrary, vulnerability, protocol

systems | linux, debian

Download | Favorite | View

Ubuntu Security Notice USN-6168-1

Posted Jun 16, 2023

Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 6168-1 - Gregory James Duck discovered that libx11 incorrectly handled certain Request, Event, or Error IDs. If a user were tricked into connecting to a malicious X Server, a remote attacker could possibly use this issue to cause libx11 to crash, resulting in a denial of service.

tags | advisory, remote, denial of service

systems | linux, ubuntu

Download | Favorite | View

Debian Security Advisory 5428-1

Posted Jun 16, 2023

Authored by Debian | Site debian.org

Debian Linux Security Advisory 5428-1 - Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

tags | advisory, denial of service, arbitrary, info disclosure

systems | linux, debian

Download | Favorite | View

Red Hat Security Advisory 2023-3622-01

Posted Jun 16, 2023

Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2023-3622-01 - Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron. Issues addressed include bypass, code execution, cross site request forgery, denial of service, information leakage, insecure permissions, and resource exhaustion vulnerabilities.

tags | advisory, denial of service, vulnerability, code execution, csrf

systems | linux, redhat

Download | Favorite | View

Red Hat Security Advisory 2023-3624-01

Posted Jun 16, 2023

Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2023-3624-01 - The Migration Toolkit for Containers enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API. Issues addressed include a denial of service vulnerability.

tags | advisory, web, denial of service

systems | linux, redhat

Download | Favorite | View

Red Hat Security Advisory 2023-3623-01

Posted Jun 16, 2023

Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2023-3623-01 - Red Hat Ceph Storage is a scalable, open, software-defined storage platform that combines the most stable version of the Ceph storage system with a Ceph management platform, deployment utilities, and support services. These new packages include numerous enhancements and bug fixes. Issues addressed include cross site scripting and denial of service vulnerabilities.

tags | advisory, denial of service, vulnerability, xss

systems | linux, redhat

Download | Favorite | View

Ubuntu Security Notice USN-6155-2

Posted Jun 16, 2023

Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 6155-2 - USN-6155-1 fixed a vulnerability in Requests. This update provides the corresponding update for Ubuntu 16.04 ESM and 18.04 ESM. Dennis Brinkrolf and Tobias Funke discovered that Requests incorrectly leaked Proxy-Authorization headers. A remote attacker could possibly use this issue to obtain sensitive information.

tags | advisory, remote

systems | linux, ubuntu

Download | Favorite | View

Suricata IDPE 6.0.13

Posted Jun 16, 2023

Site suricata.io

Suricata is a network intrusion detection and prevention engine developed by the Open Information Security Foundation and its supporting vendors. The engine is multi-threaded and has native IPv6 support. It's capable of loading existing Snort rules and signatures and supports the Barnyard and Barnyard2 tools.

Changes: 1 security fix, 11 bug fixes, 1 task, and 2 documentation updates.

tags | tool, intrusion detection

systems | unix

Download | Favorite | View

Debian Security Advisory 5427-1

Posted Jun 16, 2023

Authored by Debian | Site debian.org

Debian Linux Security Advisory 5427-1 - An anonymous researcher discovered that processing web content may disclose sensitive information. Apple is aware of a report that this issue may have been actively exploited. An anonymous researcher discovered that processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

tags | advisory, web, arbitrary, code execution

systems | linux, debian, apple

Download | Favorite | View

Red Hat Security Advisory 2023-3610-01

Posted Jun 16, 2023

Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2023-3610-01 - Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron. Issues addressed include bypass, code execution, cross site request forgery, cross site scripting, denial of service, memory exhaustion, and resource exhaustion vulnerabilities.

tags | advisory, denial of service, vulnerability, code execution, xss, csrf

systems | linux, redhat

Download | Favorite | View

Textpattern CMS 4.8.8 Command Injection

Posted Jun 16, 2023

Authored by tmrswrr

Textpattern CMS version 4.8.8 suffers from a command injection vulnerability.

tags | exploit

Download | Favorite | View

WordPress Abandoned Cart Lite For WooCommerce 5.14.2 Authentication Bypass

Posted Jun 16, 2023

Authored by ayantaker | Site github.com

WordPress Abandoned Cart Lite for WooCommerce plugin versions 5.14.2 and below proof of concept authentication bypass exploit.

tags | exploit, proof of concept, bypass

Download | Favorite | View

Red Hat Security Advisory 2023-3609-01

Posted Jun 16, 2023

Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2023-3609-01 - Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Data Foundation. Red Hat OpenShift Data Foundation is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform.

tags | advisory

systems | linux, redhat

Download | Favorite | View

CVE-2023-30223: Packet Storm

TP-Link Archer version AX10(EU)_V1.2_230220 suffers from a buffer overflow vulnerability.

    # Exploit Title: Buffer Overflow in TP-Link Archer AX10(EU)_V1.2_230220# Exploit Author: Giuseppe Compare# Date : 26/05/2023# CVE: CVE-2023-34832# Vendor Homepage: https://www.tp-link.com/# Version: TP-Link Archer AX10(EU)_V1.2_230220Buffer OverflowThere is a buffer overflow in the FUN_131e8 function due to using sprintf improperly, detailed in line 47-49memset(&DAT_000283a4,0,0x800);sprintf(&DAT_000283a4,"echo \'[ %s ] %d: get OCN v6plus rules begin\n \' > /dev/console", "https_get_rules_OCN",0x3c3); system(&DAT_000283a4); //line 47-49sprintf((char *)&local_428, "https://rule.map.ocn.ad.jp/?ipv6Prefix=%s&ipv6PrefixLength=%d&code=e8mMWklYwaGoHmT05ynqVM4kPqF9rAUnhrWCp1vWvBeSOO0pfpMokg==" ,param_2 + 0x23,param_2[0x2d]);The sprintf() function makes no guarantees regarding the length of the generated string, a sufficiently long string passed as an additional argument could generate a buffer overflow.RemediationGuarantee that storage for strings has sufficient space for character data and the null terminator.Avoid using unsafe functions such as sprintf(), consider using snprintf() or sprintf_s() and variants.Double check that your buffer is as large as you specify.Check buffer boundaries if accessing the buffer in a loop and make sure there is no danger of writing past the allocated space.

TP-Link Archer AX10(EU)_V1.2_230220 Buffer Overflow

A Huawei sound box product has an out-of-bounds write vulnerability. Attackers can exploit this vulnerability to cause buffer overflow. Affected product versions include:FLMG-10 versions FLMG-10 10.0.1.0(H100SP22C00).

A Huawei sound box product has an out-of-bounds write vulnerability. Attackers can exploit this vulnerability to cause buffer overflow. (Vulnerability ID:HWPSIRT-2022-61463)

This vulnerability has been assigned a (CVE) ID: CVE-2022-48330

  

Affected Product(R&D)

Affected Version

Repair Version

FLMG-10

FLMG-10 10.0.1.0(H100SP22C00)

FLMG-10 3.0.0.40(H100SP19C00)

HWPSIRT-2022-61463:  
Successful exploitation could lead to a buffer overflow.

Vulnerabilities are scored base on the CVSS v3.1 scoring system. For details please refer to: http://www.first.org/cvss/specification-document.  
HWPSIRT-2022-61463  
Base Score: 7.5  
Temporary Score: 7.0  
Environmental Score: NA  
CVSS v3.1 Vector: AV:A/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:H/E:F/RL:O/RC:C

HWPSIRT-2022-61463:  
This vulnerability can be exploited only when the following conditions are present:  
The attacker and the target device are in the adjacent network domain and can access the target device.  
Technical details:

An out-of-bounds write vulnerability exists in a Huawei sound box product. This vulnerability is caused because the Bluetooth module does not fully verify external packets. An attacker can send packets in a specific format to the device to trigger the vulnerability and cause buffer overflow.An attacker can trigger a vulnerability by sending packets in a specific format to the device to cause buffer overflow.

  

The product that supports automatic update will receive a system update prompt. You can install the update to fix the vulnerability.  

HWPSIRT-2022-61463:  
Vulnerability information is provided by Yan Han, Qu Lewei, and Ke Dongxiang of Baidu AIoT Security Team. Thanks for their attention to Huawei product security.

2023-03-01 V1.0 Initial Release

  

Huawei adheres to protecting the ultimate interests of users with best efforts and the principle of responsible disclosure and deal with product security issues through our response mechanism.

To enjoy Huawei PSIRT services and obtain Huawei product vulnerability information, please visit http://www.huawei.com/en/psirt.

To report a security vulnerability in Huawei products and solutions, please send it to PSIRT@huawei.com. For details, please visit http://www.huawei.com/en/psirt/report-vulnerabilities.

This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, either express or implied, including the warranties of merchantability or fitness for a particular purpose. In no event shall Huawei or any of its directly or indirectly controlled subsidiaries or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. Your use of the document, by whatsoever means, will be totally at your own risk. Huawei is entitled to amend or update this document from time to time.

Tag

#buffer_overflow