Commit
Updated by Github Bot
Github-Bot committed Oct 28, 2024
1 parent 3cf990e commit fb4ffe9
Showing 3 changed files with 91 additions and 81 deletions.
10 changes: 10 additions & 0 deletions cache/Tenable (Nessus).dat
Expand Up @@ -122,3 +122,13 @@ d9719476d79694ee7d821c73d87e9b33
1f779862d0961669d55291ac270dbb69
14316d4906d95d389ddf87c58462978c
70106e00d2a08844b0f30fb62527aad1
5a13893a1a6c4fdce720193dc4855a7d
11ae587bc37aa40d9b21be435a6b5430
96627caaec935cb9aed3c8472a323177
a5f4a0c6f18a9107ee1561ae19432d7c
6bb7d979bb5cb3d0242348256e1633a2
a36a2101fa80d6fdcd452ee7325fc99a
ed44cfb0b046e9079b8967e1130ce6ff
ce32608695c85a9fedf2a7f523db63a6
c8cde1b1404a49f904b33bcf4db0763f
bf0ac006759954e119f3c984e39ad4f9
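Review bot: the ten keys appended here are the first-column ids of the ten rows added to docs/index.html in the same commit, so the two files agree, but this cache only ever grows (10 additions, 0 deletions) while docs/index.html drops ten rows below, and nothing in the repository excerpt records how the keys are derived. Suggest documenting the key derivation next to the cache and deciding explicitly whether the cache is the permanent dedup set or should be trimmed together with the page; as it stands it is unbounded.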
Binary file modified data/cves.db
162 changes: 81 additions & 81 deletions docs/index.html
@@ -1,4 +1,4 @@
<!-- RELEASE TIME : 2024-10-28 03:32:50 -->
<!-- RELEASE TIME : 2024-10-28 06:33:58 -->
<html lang="zh-cn">

<head>
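Review bot: the RELEASE TIME stamp `2024-10-28 06:33:58` carries no timezone, and neither do the row timestamps elsewhere in this file (e.g. `2024-10-28 04:15:02`), so a reader cannot tell whether a row stamped 04:15:02 was published two hours before this release or in some other offset entirely. Suggest writing both stamps in ISO 8601 with an explicit UTC offset, e.g. `2024-10-28T06:33:58+00:00`, using whatever zone the generator actually runs in.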
Expand Down Expand Up @@ -283,6 +283,86 @@ <h2><a href="https://exp-blog.com" target="_blank">眈眈探求</a> | <a href="h
<th width="43%">TITLE</th>
<th width="5%">URL</th>
</tr>
<tr>
<td>5a13893a1a6c4fdce720193dc4855a7d</td>
<td>CVE-2024-48936</td>
<td>2024-10-28 04:15:02 <img src="imgs/new.gif" /></td>
<td>SchedMD Slurm before 24.05.4 has Incorrect Authorization. A mistake in authentication handling in stepmgr could permit an attacker to execute processes under other users' jobs. This is limited to jobs explicitly running with --stepmgr, or on systems that have globally enabled stepmgr via SlurmctldParameters=enable_stepmgr in their configuration.</td>
<td><a target="_blank" href="https://www.tenable.com/cve/CVE-2024-48936">详情</a></td>
</tr>

<tr>
<td>11ae587bc37aa40d9b21be435a6b5430</td>
<td>CVE-2024-10440</td>
<td>2024-10-28 03:15:02 <img src="imgs/new.gif" /></td>
<td>The eHDR CTMS from Sunnet has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL command to read, modify, and delete database contents.</td>
<td><a target="_blank" href="https://www.tenable.com/cve/CVE-2024-10440">详情</a></td>
</tr>

<tr>
<td>96627caaec935cb9aed3c8472a323177</td>
<td>CVE-2024-10439</td>
<td>2024-10-28 03:15:02 <img src="imgs/new.gif" /></td>
<td>The eHRD CTMS from Sunnet has an Insecure Direct Object Reference (IDOR) vulnerability, allowing unauthenticated remote attackers to modify a specific parameter to access arbitrary files uploaded by any user.</td>
<td><a target="_blank" href="https://www.tenable.com/cve/CVE-2024-10439">详情</a></td>
</tr>

<tr>
<td>a5f4a0c6f18a9107ee1561ae19432d7c</td>
<td>CVE-2024-23843</td>
<td>2024-10-28 02:15:02 <img src="imgs/new.gif" /></td>
<td>Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Genians Genian NAC V5.0, Genians Genian NAC LTS V5.0.This issue affects Genian NAC V5.0: from V5.0.0 through V5.0.60; Genian NAC LTS V5.0: from 5.0.0 LTS through 5.0.55 LTS(Revision 125558), from 5.0.0 LTS through 5.0.56 LTS(Revision 125560).</td>
<td><a target="_blank" href="https://www.tenable.com/cve/CVE-2024-23843">详情</a></td>
</tr>

<tr>
<td>6bb7d979bb5cb3d0242348256e1633a2</td>
<td>CVE-2024-50067</td>
<td>2024-10-28 01:15:02 <img src="imgs/new.gif" /></td>
<td>In the Linux kernel, the following vulnerability has been resolved: uprobe: avoid out-of-bounds memory access of fetching args Uprobe needs to fetch args into a percpu buffer, and then copy to ring buffer to avoid non-atomic context problem. Sometimes user-space strings, arrays can be very large, but the size of percpu buffer is only page size. And store_trace_args() won't check whether these data exceeds a single page or not, caused out-of-bounds memory access. It could be reproduced by following steps: 1. build kernel with CONFIG_KASAN enabled 2. save follow program as test.c ``` \#include <stdio.h> \#include <stdlib.h> \#include <string.h> // If string length large than MAX_STRING_SIZE, the fetch_store_strlen() // will return 0, cause __get_data_size() return shorter size, and // store_trace_args() will not trigger out-of-bounds access. // So make string length less than 4096. \#define STRLEN 4093 void generate_string(char *str, int n) { int i; for (i = 0; i < n; ++i) { char c = i % 26 + 'a'; str[i] = c; } str[n-1] = '\0'; } void print_string(char *str) { printf("%s\n", str); } int main() { char tmp[STRLEN]; generate_string(tmp, STRLEN); print_string(tmp); return 0; } ``` 3. compile program `gcc -o test test.c` 4. get the offset of `print_string()` ``` objdump -t test | grep -w print_string 0000000000401199 g F .text 000000000000001b print_string ``` 5. configure uprobe with offset 0x1199 ``` off=0x1199 cd /sys/kernel/debug/tracing/ echo "p /root/test:${off} arg1=+0(%di):ustring arg2=\$comm arg3=+0(%di):ustring" > uprobe_events echo 1 > events/uprobes/enable echo 1 > tracing_on ``` 6. run `test`, and kasan will report error. 
================================================================== BUG: KASAN: use-after-free in strncpy_from_user+0x1d6/0x1f0 Write of size 8 at addr ffff88812311c004 by task test/499CPU: 0 UID: 0 PID: 499 Comm: test Not tainted 6.12.0-rc3+ #18 Hardware name: Red Hat KVM, BIOS 1.16.0-4.al8 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x55/0x70 print_address_description.constprop.0+0x27/0x310 kasan_report+0x10f/0x120 ? strncpy_from_user+0x1d6/0x1f0 strncpy_from_user+0x1d6/0x1f0 ? rmqueue.constprop.0+0x70d/0x2ad0 process_fetch_insn+0xb26/0x1470 ? __pfx_process_fetch_insn+0x10/0x10 ? _raw_spin_lock+0x85/0xe0 ? __pfx__raw_spin_lock+0x10/0x10 ? __pte_offset_map+0x1f/0x2d0 ? unwind_next_frame+0xc5f/0x1f80 ? arch_stack_walk+0x68/0xf0 ? is_bpf_text_address+0x23/0x30 ? kernel_text_address.part.0+0xbb/0xd0 ? __kernel_text_address+0x66/0xb0 ? unwind_get_return_address+0x5e/0xa0 ? __pfx_stack_trace_consume_entry+0x10/0x10 ? arch_stack_walk+0xa2/0xf0 ? _raw_spin_lock_irqsave+0x8b/0xf0 ? __pfx__raw_spin_lock_irqsave+0x10/0x10 ? depot_alloc_stack+0x4c/0x1f0 ? _raw_spin_unlock_irqrestore+0xe/0x30 ? stack_depot_save_flags+0x35d/0x4f0 ? kasan_save_stack+0x34/0x50 ? kasan_save_stack+0x24/0x50 ? mutex_lock+0x91/0xe0 ? __pfx_mutex_lock+0x10/0x10 prepare_uprobe_buffer.part.0+0x2cd/0x500 uprobe_dispatcher+0x2c3/0x6a0 ? __pfx_uprobe_dispatcher+0x10/0x10 ? __kasan_slab_alloc+0x4d/0x90 handler_chain+0xdd/0x3e0 handle_swbp+0x26e/0x3d0 ? __pfx_handle_swbp+0x10/0x10 ? 
uprobe_pre_sstep_notifier+0x151/0x1b0 irqentry_exit_to_user_mode+0xe2/0x1b0 asm_exc_int3+0x39/0x40 RIP: 0033:0x401199 Code: 01 c2 0f b6 45 fb 88 02 83 45 fc 01 8b 45 fc 3b 45 e4 7c b7 8b 45 e4 48 98 48 8d 50 ff 48 8b 45 e8 48 01 d0 ce RSP: 002b:00007ffdf00576a8 EFLAGS: 00000206 RAX: 00007ffdf00576b0 RBX: 0000000000000000 RCX: 0000000000000ff2 RDX: 0000000000000ffc RSI: 0000000000000ffd RDI: 00007ffdf00576b0 RBP: 00007ffdf00586b0 R08: 00007feb2f9c0d20 R09: 00007feb2f9c0d20 R10: 0000000000000001 R11: 0000000000000202 R12: 0000000000401040 R13: 00007ffdf0058780 R14: 0000000000000000 R15: 0000000000000000 </TASK> This commit enforces the buffer's maxlen less than a page-size to avoid store_trace_args() out-of-memory access.</td>
<td><a target="_blank" href="https://www.tenable.com/cve/CVE-2024-50067">详情</a></td>
</tr>

<tr>
<td>a36a2101fa80d6fdcd452ee7325fc99a</td>
<td>CVE-2024-10435</td>
<td>2024-10-28 01:15:02 <img src="imgs/new.gif" /></td>
<td>A vulnerability was found in didi Super-Jacoco 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /cov/triggerEnvCov. The manipulation of the argument uuid leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.</td>
<td><a target="_blank" href="https://www.tenable.com/cve/CVE-2024-10435">详情</a></td>
</tr>

<tr>
<td>ed44cfb0b046e9079b8967e1130ce6ff</td>
<td>CVE-2024-10434</td>
<td>2024-10-28 01:15:02 <img src="imgs/new.gif" /></td>
<td>A vulnerability was found in Tenda AC1206 up to 20241027. It has been classified as critical. This affects the function ate_Tenda_mfg_check_usb/ate_Tenda_mfg_check_usb3 of the file /goform/ate. The manipulation of the argument arg leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.</td>
<td><a target="_blank" href="https://www.tenable.com/cve/CVE-2024-10434">详情</a></td>
</tr>

<tr>
<td>ce32608695c85a9fedf2a7f523db63a6</td>
<td>CVE-2024-50624</td>
<td>2024-10-28 00:15:03 <img src="imgs/new.gif" /></td>
<td>ispdbservice.cpp in KDE Kmail before 6.2.0 allows man-in-the-middle attackers to trigger use of an attacker-controlled mail server because cleartext HTTP is used for a URL such as http://autoconfig.example.com or http://example.com/.well-known/autoconfig for retrieving the configuration. This is related to kmail-account-wizard.</td>
<td><a target="_blank" href="https://www.tenable.com/cve/CVE-2024-50624">详情</a></td>
</tr>

<tr>
<td>c8cde1b1404a49f904b33bcf4db0763f</td>
<td>CVE-2024-50623</td>
<td>2024-10-28 00:15:03 <img src="imgs/new.gif" /></td>
<td>In Cleo Harmony before 5.8.0.20, VLTrader before 5.8.0.20, and LexiCom before 5.8.0.20, there is a JavaScript Injection vulnerability.</td>
<td><a target="_blank" href="https://www.tenable.com/cve/CVE-2024-50623">详情</a></td>
</tr>

<tr>
<td>bf0ac006759954e119f3c984e39ad4f9</td>
<td>CVE-2024-10433</td>
<td>2024-10-28 00:15:03 <img src="imgs/new.gif" /></td>
<td>A vulnerability was found in Project Worlds Simple Web-Based Chat Application 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /index.php. The manipulation of the argument Name/Comment leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The initial researcher advisory mentions different parameters to be affected which do not correlate with the screenshots of a successful attack.</td>
<td><a target="_blank" href="https://www.tenable.com/cve/CVE-2024-10433">详情</a></td>
</tr>

<tr>
<td>44fd7285b1b6d4837d69bdd971556498</td>
<td>CVE-2024-10408</td>
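Review bot: the description cells are written as raw upstream text, not HTML-escaped; the CVE-2024-50067 row carries `<stdio.h>`, `<string.h>` and `<TASK>` literally inside its `<td>`, which a browser parses as unknown tags rather than as text, and the same path would pass through any markup a future feed description happens to contain. The generator should escape `&`, `<`, `>` and `"` in every description before emitting the row (the `&lt;stdio.h&gt;` form), which also fixes the stray `\#` escapes visible in that row. Secondary: every detail link is `<a target="_blank" href=...>` without `rel="noopener noreferrer"`; add it to the anchor template so the opened page cannot reach `window.opener`.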
Expand Down Expand Up @@ -443,86 +523,6 @@ <h2><a href="https://exp-blog.com" target="_blank">眈眈探求</a> | <a href="h
<td><a target="_blank" href="https://www.tenable.com/cve/CVE-2024-48233">详情</a></td>
</tr>

<tr>
<td>e41781926644e5b7e01708f59f0e98ae</td>
<td>CVE-2022-30268</td>
<td>2024-10-25 02:43:51</td>
<td>The affected products use the Winloader utility to manage firmware updates by serial port or a serial-over-Ethernet link that were found to not use authentication. This could allow an attacker to push malicious firmware images to the controller and cause a denial-of-service condition or allow remote code execution. This vulnerability only effects version of the CPE302, 205, and 310 that were produced before the "-Bxxx" hardware revisions.</td>
<td><a target="_blank" href="https://www.tenable.com/cve/CVE-2022-30268">详情</a></td>
</tr>

<tr>
<td>f6fa6284bf91bb1d0d0d60dd291680d2</td>
<td>CVE-2022-30265</td>
<td>2024-10-25 02:43:23</td>
<td>Control logic downloaded to the PLC, which can be either written in one of the IEC 61131-3 languages or written in C and supplied as an ELF binary block, is not cryptographically authenticated.</td>
<td><a target="_blank" href="https://www.tenable.com/cve/CVE-2022-30265">详情</a></td>
</tr>

<tr>
<td>fbaeb433df3a076886b57e9a767bb181</td>
<td>CVE-2024-5717</td>
<td>2024-10-25 02:41:57</td>
<td>This vulnerability allows remote attackers to execute arbitrary code on affected installations of Logsign Unified SecOps Platform. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the implementation of the HTTP API. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root.</td>
<td><a target="_blank" href="https://www.tenable.com/cve/CVE-2024-5717">详情</a></td>
</tr>

<tr>
<td>7338bfcae89e47a36ac9c4d2f8348d6c</td>
<td>CVE-2024-5716</td>
<td>2024-10-25 02:41:28</td>
<td>This vulnerability allows remote attackers to bypass authentication on affected installations of Logsign Unified SecOps Platform. Authentication is not required to exploit this vulnerability. The specific flaw exists within the password reset mechanism. The issue results from the lack of restriction of excessive authentication attempts. An attacker can leverage this vulnerability to reset a user's password and bypass authentication on the system.</td>
<td><a target="_blank" href="https://www.tenable.com/cve/CVE-2024-5716">详情</a></td>
</tr>

<tr>
<td>3b0ec2041c38f2b6c8ce4b38b3fcfcd2</td>
<td>CVE-2024-7240</td>
<td>2024-10-25 02:30:19</td>
<td>This vulnerability allows local attackers to escalate privileges on affected installations of F-Secure Total. User interaction on the part of an administrator is required to exploit this vulnerability. The specific flaw exists within the WithSecure plugin hosting service. By creating a symbolic link, an attacker can abuse the service to create a file. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM.</td>
<td><a target="_blank" href="https://www.tenable.com/cve/CVE-2024-7240">详情</a></td>
</tr>

<tr>
<td>c742f88adbc2f1e7ee10af7ecbd18463</td>
<td>CVE-2024-7238</td>
<td>2024-10-25 02:29:46</td>
<td>This vulnerability allows local attackers to escalate privileges on affected installations of VIPRE Advanced Security. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the Anti Malware Service. By creating a symbolic link, an attacker can abuse the service to delete a file. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM.</td>
<td><a target="_blank" href="https://www.tenable.com/cve/CVE-2024-7238">详情</a></td>
</tr>

<tr>
<td>5f1301fe94f68f80ed703e0a44a766cf</td>
<td>CVE-2024-7234</td>
<td>2024-10-25 02:28:29</td>
<td>This vulnerability allows local attackers to escalate privileges on affected installations of AVG AntiVirus Free. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the AVG Service. By creating a symbolic link, an attacker can abuse the service to delete a file. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM.</td>
<td><a target="_blank" href="https://www.tenable.com/cve/CVE-2024-7234">详情</a></td>
</tr>

<tr>
<td>b726af1b91cf91a01f73ba837637dee1</td>
<td>CVE-2024-7227</td>
<td>2024-10-25 02:27:49</td>
<td>This vulnerability allows local attackers to escalate privileges on affected installations of Avast Free Antivirus. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the Avast Service. By creating a symbolic link, an attacker can abuse the service to delete a file. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM.</td>
<td><a target="_blank" href="https://www.tenable.com/cve/CVE-2024-7227">详情</a></td>
</tr>

<tr>
<td>a5b24b53b530937981c4cb643acc4032</td>
<td>CVE-2024-37396</td>
<td>2024-10-25 02:24:26</td>
<td>A stored cross-site scripting (XSS) vulnerability in the Calendar function of Vanderbilt REDCap 13.1.9 allows authenticated users to execute arbitrary web scripts or HTML via injecting a crafted payload into the 'Notes' field of a calendar event. This could lead to the execution of malicious scripts when the event is viewed. Updating to version 14.2.1 or later is recommended to remediate this vulnerability.</td>
<td><a target="_blank" href="https://www.tenable.com/cve/CVE-2024-37396">详情</a></td>
</tr>

<tr>
<td>51702a7ed7a213966762449f8f65c69e</td>
<td>CVE-2024-37395</td>
<td>2024-10-25 02:24:05</td>
<td>A stored cross-site scripting (XSS) vulnerability in the Public Survey function of Vanderbilt REDCap 13.1.9 allows authenticated users to execute arbitrary web scripts or HTML via injecting a crafted payload into the 'Survey Title' and 'Survey Instructions' fields. This vulnerability could be exploited by attackers to execute malicious scripts when the survey is accessed through its public link. It is advised to update to version 14.2.1 or later to fix this issue.</td>
<td><a target="_blank" href="https://www.tenable.com/cve/CVE-2024-37395">详情</a></td>
</tr>

</tbody>
</table>
</div>
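Review bot: this hunk drops ten rows, all stamped 2024-10-25 (CVE-2022-30268 through CVE-2024-37395), matching the ten rows added above, but the commit message "Updated by Github Bot" says nothing about a retention window, and this diff cannot show whether the dropped entries survive in data/cves.db (binary, modified in the same commit). Suggest having the bot state the rule in the commit message (e.g. "keep newest N rows; 10 added, 10 trimmed") so a reader can tell the trim is deliberate and where the older CVEs remain.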

0 comments on commit fb4ffe9
