Tristan Madani

**Name of the Vulnerable Software and Affected Versions** Tinyproxy versions prior to 1.11.3 commit 09312a1 **Description** Improper validation of the `Host` header during stathost detection allows unauthenticated attackers to access the statistics page by injecting a matching `Host` header or bypassing detection through port manipulation. This can lead to unauthorized access to internal proxy statistics or the misrouting of requests as transparent proxy connections to circumvent access controls. **Recommendations** Update to the version containing commit 09312a1.

**Name of the Vulnerable Software and Affected Versions** Tinyproxy versions prior to 1.11.4 **Description** Tinyproxy fails to reject requests containing multiple `Content-Length` headers with differing values. The software forwards all duplicate headers to the backend but uses only the first value to determine the number of request body bytes to consume. This behavior allows remote attackers to desynchronize the proxy and backend parser state, leading to HTTP Request Smuggling. This technique enables the injection of arbitrary HTTP requests to the backend, which can result in cache poisoning, access control bypass, and request hijacking. **Recommendations** Update to the version containing commit 364cdb6.

**Name of the Vulnerable Software and Affected Versions** Tinyproxy versions prior to commit ff45d3b **Description** Tinyproxy fails to reconcile conflicting Content-Length and Transfer-Encoding: chunked headers, forwarding both verbatim to the backend while using Content-Length to determine the number of request body bytes to consume. This allows remote attackers to desynchronize the proxy and backend parser state, enabling the injection of arbitrary HTTP requests to the backend. This can lead to cache poisoning, access control bypass, and request hijacking. This issue is a form of HTTP Request Smuggling, where a discrepancy in how different servers interpret the end of a request allows a second request to be smuggled through. **Recommendations** Update to the version containing commit ff45d3b.

**Name of the Vulnerable Software and Affected Versions** libssh2 versions prior to 1.11.1 **Description** A pre-authentication denial of service issue exists in the SSH MSG EXT INFO handler within `src/packet.c`. A malicious SSH server can trigger a CPU exhaustion loop on the client by sending a crafted extension count value. Specifically, by setting `nr extensions` to 0xFFFFFFFF during key exchange, the client enters a tight CPU loop for over 60 seconds because return values from the ` libssh2 get string()` function are unchecked and session timeouts do not apply to CPU-bound loops. **Recommendations** Update to the version containing commit 1762685.

**Name of the Vulnerable Software and Affected Versions** Evil-WinRM versions prior to commit 6ecd570 **Description** A path traversal issue exists in the `download dir()` function. This occurs when the software fails to sanitize filenames returned from the `Get-ChildItem` command output before passing them to `File.join()`. A compromised or rogue remote Windows server can return filenames containing traversal sequences, enabling the server to write files outside the intended download directory on the client machine. This can be used to overwrite sensitive files, such as SSH authorized keys or shell configuration files, potentially leading to privilege escalation or persistent access on the client system. **Recommendations** Update to the version containing commit 6ecd570. As a temporary workaround, restrict the use of the `download dir()` function when connecting to untrusted remote servers.

**Name of the Vulnerable Software and Affected Versions** libssh2 versions prior to commit 7acf3df **Description** An out-of-bounds write occurs in the `ssh2 transport read()` function because it fails to enforce upper bounds on the `packet length` field. Remote attackers can send crafted SSH packets with excessively large `packet length` values to corrupt heap memory, potentially leading to remote code execution. **Recommendations** Update to the version containing commit 7acf3df.

**Name of the Vulnerable Software and Affected Versions** The product name cannot be determined (affected versions not specified) **Description** Parsing arbitrary HTML that is subsequently rendered using the `Render` function can lead to the creation of an unexpected HTML tree. This behavior can be exploited to perform Cross-Site Scripting (XSS) attacks—a technique where malicious scripts are injected into trusted websites—specifically in applications that attempt to sanitize input HTML before the rendering process. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Concrete CMS 9.5.0 and below is vulnerable to IDOR. The '/ccm/frontend/conversations/message page' endpoint returns the full content of any conversation message. An unauthenticated attacker can enumerate all conversation messages, including messages from restricted pages, member-only areas, and the moderation queue. File attachments with download URLs are also exposed. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with Vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Tristan Madani for reporting.

**Name of the Vulnerable Software and Affected Versions** Concrete CMS versions prior to 9.5.1 **Description** An Insecure Direct Object Reference (IDOR) exists where the '/ccm/frontend/conversations/get rating' endpoint confirms the existence of and returns the rating score for any message by ID. IDOR is a type of access control flaw that occurs when an application uses user-supplied input to access objects directly. **Recommendations** Update to a version newer than 9.5.0. As a temporary workaround, restrict access to the '/ccm/frontend/conversations/get rating' endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Concrete CMS versions 9.5.0 and earlier **Description** An Insecure Direct Object Reference (IDOR), which occurs when an application provides direct access to objects based on user-supplied input, exists in the Express Entry Detail block. By manipulating the `exEntryID` parameter, unauthorized users can gain access to all Express form submissions. **Recommendations** Update Concrete CMS to a version later than 9.5.0. As a temporary workaround, restrict access to the Express Entry Detail block or avoid using the `exEntryID` parameter until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 151 Firefox ESR versions prior to 140.11 Thunderbird versions prior to 151 Thunderbird versions prior to 140.11 **Description** A denial-of-service issue exists in the Audio/Video: Web Codecs component caused by an invalid pointer. **Recommendations** Update to version 151. Update to version 140.11. Update to version 151. Update to version 140.11.

**Name of the Vulnerable Software and Affected Versions** iOS versions prior to 18.7.9 iOS versions prior to 26.5 iPadOS versions prior to 18.7.9 iPadOS versions prior to 26.5 macOS Sequoia versions prior to 15.7.7 macOS Sonoma versions prior to 14.8.7 macOS Tahoe versions prior to 26.5 tvOS versions prior to 26.5 watchOS versions prior to 26.5 **Description** A race condition occurs when the system attempts to perform two or more operations at the same time, but the operations are executed in an unexpected order. This issue allows an app to cause unexpected system termination. **Recommendations** Update iOS to version 18.7.9 or 26.5 Update iPadOS to version 18.7.9 or 26.5 Update macOS Sequoia to version 15.7.7 Update macOS Sonoma to version 14.8.7 Update macOS Tahoe to version 26.5 Update tvOS to version 26.5 Update watchOS to version 26.5

**Name of the Vulnerable Software and Affected Versions** iOS versions prior to 26.5 iPadOS versions prior to 26.5 macOS Tahoe versions prior to 26.5 tvOS versions prior to 26.5 visionOS versions prior to 26.5 watchOS versions prior to 26.5 **Description** Processing maliciously crafted web content may lead to an unexpected process crash due to improper memory handling. **Recommendations** Update iOS to version 26.5. Update iPadOS to version 26.5. Update macOS Tahoe to version 26.5. Update tvOS to version 26.5. Update visionOS to version 26.5. Update watchOS to version 26.5.

**Name of the Vulnerable Software and Affected Versions** The product name cannot be determined (affected versions not specified) **Description** Parsing a WEBP image with an invalid, large size causes a panic on 32-bit platforms. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Apache HTTP Server versions prior to 2.4.67 **Description** A heap-based buffer overflow exists in the `mod proxy ajp` module. If `mod proxy ajp` connects to a malicious AJP server, that server can send a crafted AJP message causing the system to write four attacker-controlled bytes beyond the end of a heap-based buffer, leading to memory corruption. **Recommendations** Upgrade to version 2.4.67.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions through 5.5.2 **Description** The issue is related to a use-after-free vulnerability in the `vc do resize` function, located in `drivers/tty/vt/vt.c`, which can lead to the disclosure of protected information or cause a denial of service. This vulnerability is associated with the improper use of memory after it has been freed. **Recommendations** For Linux kernel versions through 5.5.2, update to a version later than 5.5.2 to resolve the issue. As a temporary workaround, consider restricting access to the `vc do resize` function in the `drivers/tty/vt/vt.c` file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions through 5.5.2 **Description** The issue is related to a use-after-free vulnerability in the `n tty receive buf common` function in `drivers/tty/n tty.c`. This vulnerability may allow an attacker to disclose protected information or cause a denial of service. **Recommendations** For Linux kernel versions through 5.5.2, update to a version newer than 5.5.2 to resolve the issue. As a temporary workaround, consider restricting access to the `n tty receive buf common` function in `drivers/tty/n tty.c` until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions through 5.5.2 **Description** The issue is related to a use-after-free vulnerability in the vgacon invert region function, located in drivers/video/console/vgacon.c. This vulnerability may allow an attacker to disclose protected information or cause a denial of service. **Recommendations** For Linux kernel versions through 5.5.2, update to a version newer than 5.5.2 to resolve the issue. As a temporary workaround, consider restricting access to the vgacon invert region function in drivers/video/console/vgacon.c until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Linux kernel version 5.4.0-rc2 **Description** The issue is related to a use-after-free (read) in the ` blk add trace` function, which is used to fill out a `blk io trace` structure and place it in a per-cpu sub-buffer. This can potentially allow a remote attacker to cause a denial of service. **Recommendations** For Linux kernel version 5.4.0-rc2, consider disabling the ` blk add trace` function as a temporary workaround until a patch is available. Restrict access to the `blktrace.c` module to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Linux kernel version 5.3.10 Description: The issue is related to a use-after-free in the `perf trace lock acquire` function, which can lead to a denial of service. Additionally, there is a possible out of bounds write due to a use after free in the ` locks wake up blocks` function of `locks.c`, which could result in local escalation of privilege with no additional execution privileges needed. User interaction is not required for exploitation. Recommendations: For Linux kernel version 5.3.10, consider disabling the `perf trace lock acquire` function as a temporary workaround until a patch is available. Restrict access to the `locks.c` module to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.