Shuang Li

**Name of the Vulnerable Software and Affected Versions** 201206030 novel version 3.5.0 **Description** A DOM-based Cross-Site Scripting (XSS) issue exists in the book comment module due to insufficient validation and encoding of user-controllable data. Unfiltered input is stored in the `commentContent` field of the `book comment` table and returned via an API, where it is rendered into the page DOM using the Vue 3 `v-html` directive without sanitization. Remote attackers can execute arbitrary JavaScript code or disclose sensitive information, such as user session cookies, by using a crafted `wvstest` parameter in the URL or injecting malicious scripts into `window.localStorage`. Attackers may use concealed payloads to bypass browser-based XSS filters. **Recommendations** For version 3.5.0, sanitize all user-controllable data before rendering it via the `v-html` directive and implement strict validation for the `wvstest` parameter. As a temporary workaround, restrict the use of the book comment module or disable the `v-html` directive for user-generated content until a permanent fix is applied.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 4.18.0-496.el8.x86 64 **Description** The issue is related to a problem in the TIPC decryption path where crypto requests might return asynchronously, leading to a potential crash if a refcount is not forced on the skb's destination entry before entering the xfrm type input/output handlers. The `skb dst force()` function should be called before doing decryption to avoid this issue. This problem was reported by Shuang when a specific warning was triggered. **Recommendations** To resolve this issue, update the Linux kernel to a version that includes the fix for this problem. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the `tipc crypto rcv complete()` function in the Linux kernel, which is vulnerable to a use-after-free error. This occurs because the original `skb` is freed in `tipc msg validate()`, and dereferencing the old `skb` cb would cause a crash. The vulnerability can be exploited to impact the confidentiality, integrity, and availability of protected information. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A NULL pointer dereference crash was reported in the Linux kernel. The issue occurs when a bc packet is received before the bc link is created, causing a dereference of a NULL pointer in the `tipc link is up()` function. This happens due to a gap between the insertion of a new node into the hashtable and the creation of the bc link. The crash is triggered when the `tipc bcast rcv()` function is called with a NULL pointer. **Recommendations** To resolve this issue, apply the patch that moves the bc link creation before inserting the node into the hashtable. This ensures that the bc link is created before any bc packets are received, preventing the NULL pointer dereference crash. Note: The exact version of the Linux kernel that contains the fix for this issue is not specified.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A vulnerability in the Linux kernel's tipc component can cause a kernel panic when enabling a bearer on a node. This occurs due to a null-pointer dereference in the `tipc mon prep()` function, which is called by `tipc link build proto msg()` and `tipc link build state msg()`. The issue arises when the monitoring pointer in one thread is dereferenced before the monitoring data is allocated in another thread. This vulnerability can be exploited to cause a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 5.16.0-rc4+ **Description** The vulnerability is related to a memory corruption issue in the `ets qdisc change()` function of the `sch ets` component. This issue can cause a kernel bug, leading to a crash when a specific script is executed. The script involves adding and changing traffic control disciplines using the `tc` command. The vulnerability can be exploited to cause a denial of service. **Recommendations** To resolve this issue, update the Linux kernel to a version later than 5.16.0-rc4+. As a temporary workaround, consider disabling the `sch ets` module until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A crash could be triggered in the Linux kernel by repeating certain commands, specifically modprobe tipc, tipc bearer enable media udp, and rmmod tipc. This issue occurs when the TIPC module is removed, and the UDP tunnel sock is delayed to release in a work queue. The work queue function cleanup beareri() code no longer exists when trying to invoke it, leading to a kernel crash. The patch introduces a member wq count in tipc net to track the numbers of work queues in schedule and waits for all work queues to be done in tipc exit net(). **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 5.12.0-rc6+ **Description** The vulnerability is related to a stack out-of-bounds read in the `sch frag` function when fragmenting IPv4 packets. This occurs when `act mirred` tries to fragment IPv4 packets that had been previously re-assembled using `act ct`. The issue arises from the use of a temporary `struct dst entry` in `sch fragment()`, which is then used as a pointer to `struct rtable` in the call graph, leading to an out-of-bounds read in the stack. **Recommendations** To resolve this issue, update the Linux kernel to a version that includes the fix for this vulnerability. Specifically, the fix involves changing the temporary variable used for IPv4 packets in `sch fragment()`, similar to what is done for IPv6. As a temporary workaround, consider disabling the `sch fragment()` function until a patch is available. However, this may have significant performance implications and should be carefully considered based on specific system requirements and constraints. At the moment, there is no information about a newer version that contains a fix for this vulnerability, other than ensuring the kernel is updated beyond version 5.12.0-rc6+.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 5.12.0-rc7+ **Description** The vulnerability is related to a wild memory access issue when clearing fragments while testing re-assembly/re-fragmentation using act ct. This can cause a crash and potentially lead to "wild" memory accesses later when the rbtree is purged. The issue occurs when act ct temporarily stores an IP fragment and restoring the skb qdisc cb results in putting random data in FRAG CB(). **Recommendations** To resolve the issue, update the Linux kernel to a version later than 5.12.0-rc7+. As a temporary workaround, consider disabling the `tcf ct handle fragments()` function until a patch is available. Restrict access to the vulnerable module `act ct` to minimize the risk of exploitation. Avoid using the `FRAG CB()` variable in the affected API endpoint until the issue is resolved.