Joseph

**Nome do Software Vulnerável e Versões Afetadas** Linux kernel (versões afetadas não especificadas) **Descrição** Ocorre um vazamento de memória no sistema de arquivos ext4 dentro da função `ext4 fc replay inode()`. A função chama `ext4 get fc inode loc()` para obter a localização do inode, o que cria uma referência a `iloc.bh` que deve ser liberada via `brelse()`. No entanto, certos caminhos de erro — especificamente falhas em `ext4 handle dirty metadata()`, `sync dirty buffer()`, `ext4 mark inode used()` e `ext4 iget()` — saltam para o rótulo de saída sem liberar `iloc.bh`. Além disso, a função `ext4 fc replay inode()` não propaga os erros corretamente, retornando 0 independentemente do resultado. **Recomendações** No momento, não há informações sobre uma versão mais recente que contenha a correção para esta vulnerabilidade.

**Name of the Vulnerable Software and Affected Versions** PHP Toolkit versions prior to 1.0.1 **Description** The issue is related to an interpretation conflict in the PHP Toolkit that could allow local users to cause a denial of service and read the contents of PHP scripts. This is achieved by creating a file with a one-letter lowercase alphabetic name, which triggers the interpretation of a certain unquoted `[a-z]` argument as a matching shell glob for this name, rather than as the literal `[a-z]` regular-expression string. As a result, the launch of the PHP interpreter within the Apache HTTP Server is blocked. **Recommendations** For PHP Toolkit versions prior to 1.0.1, update to version 1.0.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** phphelpdesk version 0.6.16 **Description** A SQL injection issue exists in the login page, allowing remote attackers to execute arbitrary SQL commands. This is related to the login procedures, though specific parameters are not specified. **Recommendations** For phphelpdesk version 0.6.16, update to a newer version that contains a fix for this issue, as using outdated software can pose significant security risks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OneOrZero Helpdesk versions 1.6.4.2 through 1.6.5.4 **Description** The issue allows remote attackers to conduct cross-site scripting (XSS) attacks by injecting arbitrary web script or HTML via XSS sequences without SCRIPT tags in the `description` parameter to (1) "tcreate.php" or (2) "tupdate.php". This can be achieved using events such as `onmouseover` in a `b` tag. **Recommendations** For OneOrZero Helpdesk versions 1.6.4.2 through 1.6.5.4, consider disabling the `stripScripts` function in common.php until a patch is available, and restrict access to the "tcreate.php" and "tupdate.php" endpoints to minimize the risk of exploitation. Avoid using the `description` parameter in these endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Minb Is Not a Blog (minb) (affected versions not specified) **Description** The issue allows remote attackers to download a database containing usernames and encrypted passwords via a direct request for 'db/users.db'. This is due to the storage of sensitive information under the web root with insufficient access control. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.