The PuTTY SCP command-line utility (pscp) is missing a bounds check on a stack buffer when processing the SCP-SINK file-size response to an SCP download request. This may allow a malicious server to overwrite the stack buffer within the client application, potentially leading to remote code execution.
The vulnerability stems from Exim in versions below 4.86.2 not sanitizing the environment before loading a Perl script defined with the perl_startup setting in the Exim config. To perform the attack, an attacker can take advantage of Exim's sendmail interface, which links to an Exim binary that has the SUID bit set by default. The attacker can then create a malicious Perl script and set it as the perl_startup variable in the Exim config. When the Exim binary is executed with the SUID bit set, it loads the malicious Perl script and executes it with root privileges.
The WP Advanced Comment 0.10 plugin does not have XSS protection: an attacker can change the value of the 'comment[meta_value]' parameter in the POST request, and it is not escaped. The XSS is visible to the admin.
The variable can be passed in using a GET as well as a POST. An attacker could send an unsuspecting authenticated admin a URL crafted like the following: http://wwww.victim.com/wp-admin/admin.php?page=captcha.php&action=whitelist&s=%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E or they could send a form (there is no CSRF token check): <form method="post" action="http://victim.com/wp-admin/admin.php?page=captcha.php&action=whitelist"><input type="hidden" name="s" value="<script>alert(1);</script>"><input type="submit" name="Search IP" value="Click here to claim your prize!"></form> and it would execute the XSS as long as the admin was logged in to the site.
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Nitro PDF 10 (10.5.7.32). User interaction is required to exploit this vulnerability in that the target must open a malicious file. A specially crafted PDF with a specific FunctionType 0 and an invalid /Domain key can cause a stack-based buffer overflow, resulting in arbitrary code execution.
A memory corruption vulnerability exists in the IPT_SO_SET_REPLACE setsockopt in the netfilter code for iptables support. This setsockopt can be triggered by an unprivileged user on PF_INET sockets when unprivileged user namespaces are available (CONFIG_USER_NS=y). In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it is possible for a user-supplied ipt_entry structure to have a large next_offset field. This field is not bounds checked prior to writing a counter value at the supplied offset, leading to an out-of-bounds 32-bit write within a 64 KB range from the allocated heap entry, with a controlled offset and a partially controlled write value. Furthermore, a recent refactoring of this code path introduced an integer overflow in xt_alloc_table_info, which on 32-bit systems can lead to a small structure allocation and copy_from_user-based heap corruption.
The Kernel 3.10.0-229.20.1.el7.x86_64 crashes when presented with a buggy USB device that uses the aiptek driver.
The Kernel 3.10.0-229.20.1.el7.x86_64 crashes on presentation of a buggy USB device requiring the cdc_acm driver. The bug was found using the USB-fuzzing framework vUSBf from Sergej Schumilo (github.com/schumilo) using the following device descriptor. This is the configuration descriptor containing only one interface descriptor. The cdc-acm driver assumes that there will be at least two interface descriptors with associated endpoint descriptors. Since the cdc-acm driver expects a second interface descriptor, the driver tries to dereference a NULL pointer. This results in a crash of the system.
The Kernel 3.10.0-229.20.1.el7.x86_64 crashes on presentation of a buggy USB device requiring the cypress_m8 driver. The bug was found using the USB-fuzzing framework vUSBf from Sergej Schumilo (github.com/schumilo) using the following device descriptor: [bLength: 0x12, bDescriptorType: 0x1, bcdUSB: 0x200, bDeviceClass: 0x3, bDeviceSubClass: 0x0, bDeviceProtocol: 0x0, bMaxPacketSize: 0x40, idVendor: 0x4b4, idProduct: 0x5500, bcdDevice: 0x100, iManufacturer: 0x1, iProduct: 0x2, iSerialNumbers: 0x3, bNumConfigurations: 0x1]. This is the configuration descriptor containing only one interrupt endpoint descriptor (IN direction). The cypress_m8 driver assumes that there will be at least two endpoint descriptors configured for interrupt transfer, one for each direction. Since there is no sanity check, the kernel can try to dereference a NULL pointer. This results in a crash of the system.
The Kernel 3.10.0-229.20.1.el7.x86_64 crashes on presentation of a buggy USB device requiring the mct_u232_m8 driver. The bug was found using the USB-fuzzing framework vUSBf from Sergej Schumilo (github.com/schumilo) using the following device descriptor: [bLength: 0x12, bDescriptorType: 0x1, bcdUSB: 0x200, bDeviceClass: 0x3, bDeviceSubClass: 0x0, bDeviceProtocol: 0x0, bMaxPacketSize: 0x40, idVendor: 0x50d, idProduct: 0x109, bcdDevice: 0x100, iManufacturer: 0x1, iProduct: 0x2, iSerialNumbers: 0x3, bNumConfigurations: 0x1]. This is the configuration descriptor containing only one interrupt endpoint descriptor (IN direction). The mct_u232 driver assumes that there will be at least two endpoint descriptors configured as interrupt-in. Since there is no sanity check, the kernel can try to dereference a NULL pointer. This results in a crash of the system.