Amemoyoi

NamelessMC is website software for Minecraft servers. In versions 2.2.4 and prior, the OAuth callback handling does not validate the state parameter server-side before exchanging the authorization code. This allows an attacker to capture a valid OAuth callback URL for their own account and cause a victim's browser to navigate to it, resulting in the victim's session being authenticated as the attacker-linked account (OAuth login CSRF / session swapping). This is patched in version 2.2.5.

**Name of the Vulnerable Software and Affected Versions** arduino-esp32 versions prior to 3.3.8 **Description** A remotely reachable memory corruption issue exists in the NBNS packet handling path. When NetBIOS is enabled via the `NBNS.begin()` function, the device listens on UDP port 137 and processes untrusted NBNS requests from the local network. The request parser trusts the attacker-controlled `name len` field without enforcing a bound consistent with the fixed-size destination buffers used later in the flow. **Recommendations** Update to version 3.3.8. As a temporary workaround, avoid calling the `NBNS.begin()` function to disable NetBIOS functionality.

**Name of the Vulnerable Software and Affected Versions** LinkAce versions prior to 2.5.3 **Description** LinkAce is a self-hosted archive for collecting website links. Versions before 2.5.3 prevent direct requests to private IP literals, but continue to make server-side requests to internal resources when referenced via an internal hostname. This allows an authenticated user to initiate server-side requests to internal services accessible by the LinkAce server, but not directly accessible from outside the network. The issue involves server-side request forgery, where an attacker can leverage the server to access internal resources. **Recommendations** Update to version 2.5.3 or later.

**Name of the Vulnerable Software and Affected Versions** LinkAce versions prior to 2.5.3 **Description** LinkAce is a self-hosted archive for website links. Versions prior to 2.5.3 allow disclosure of a private note attached to a non-private link to another authenticated user through the web interface. The API correctly enforces note visibility, but the web link detail page does not apply equivalent filtering. An authenticated user permitted to view another user’s `internal` or `public` link can read that user’s `private` notes attached to the link. **Recommendations** Update to version 2.5.3 or later.

**Name of the Vulnerable Software and Affected Versions** LIBPNG versions 1.6.36 through 1.6.55 **Description** An out-of-bounds read and write exists in the ARM/AArch64 Neon-optimized palette expansion path. When expanding 8-bit paletted rows to RGB or RGBA, the Neon loop processes a final partial chunk without verifying if sufficient input pixels remain. Because the implementation operates backward from the end of the row, the final iteration dereferences pointers before the start of the row buffer, leading to an out-of-bounds read, and writes expanded pixel data to those same underflowed positions, causing an out-of-bounds write. This issue is reachable through the normal decoding of attacker-controlled PNG input if Neon is enabled. **Recommendations** Update to version 1.6.56.