| CVE | Sev | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|---|
| CVE-2026-41891 | Med | 0.27 | — | 0.00 | May 7, 2026 | CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. From version 0.26.0 to before version 0.31.8.0, the auth filter has the deactivated/banned user check commented out. This issue has been patched in version 0.31.8.0. | |
| CVE-2026-41890 | Med | 0.38 | — | 0.00 | May 7, 2026 | CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. From version 0.31.1.0 to before version 0.31.8.0, the deleteProcess() action accepts a POST parameter tables[] containing arbitrary table names. These are passed directly to $forge->dropTable() without validating that the tables belong to the theme being deleted. The deleteConfirm view correctly populates tables[] from the theme's own migration files, but the server-side deleteProcess does not verify the received values against those files. An authenticated admin can craft a POST request with arbitrary table names and drop any table in the database. This issue has been patched in version 0.31.8.0. | |
| CVE-2026-41675 | Hig | 0.50 | — | 0.00 | May 7, 2026 | xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package allows attacker-controlled processing instruction data to be serialized into XML without validating or neutralizing the PI-closing sequence ?>. As a result, an attacker can terminate the processing instruction early and inject arbitrary XML nodes into the serialized output. This issue has been patched in @xmldom/xmldom versions 0.9.10 and 0.8.13. | |
| CVE-2026-41674 | Hig | 0.50 | — | 0.00 | May 7, 2026 | xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package serializes DocumentType node fields (internalSubset, publicId, systemId) verbatim without any escaping or validation. When these fields are set programmatically to attacker-controlled strings, XMLSerializer.serializeToString can produce output where the DOCTYPE declaration is terminated early and arbitrary markup appears outside it. This issue has been patched in @xmldom/xmldom versions 0.9.10 and 0.8.13. | |
| CVE-2026-41673 | Hig | 0.50 | — | 0.00 | May 7, 2026 | xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, seven recursive traversals in lib/dom.js operate without a depth limit. A sufficiently deeply nested DOM tree causes a RangeError: Maximum call stack size exceeded, crashing the application. This issue has been patched in @xmldom/xmldom versions 0.9.10 and 0.8.13. | |
| CVE-2026-41672 | Hig | 0.50 | — | 0.00 | May 7, 2026 | xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package allows attacker-controlled comment content to be serialized into XML without validating or neutralizing comment-breaking sequences. As a result, an attacker can terminate the comment early and inject arbitrary XML nodes into the serialized output. This issue has been patched in @xmldom/xmldom versions 0.9.10 and 0.8.13. | |
| CVE-2026-41671 | Med | 0.44 | 6.8 | 0.00 | May 7, 2026 | Admidio is an open-source user management solution. Prior to version 5.0.9, the OIDC token introspection endpoint (/modules/sso/index.php/oidc/introspect) always returns {"active": true} for every request, regardless of whether a valid token is provided, whether the token is expired, revoked, or completely fabricated. The endpoint performs no authentication of the calling resource server and no validation of the submitted token. Any resource server that relies on this introspection endpoint to validate access tokens will accept all requests as authorized, enabling complete authentication bypass. Additionally, the OIDC token revocation endpoint (/oidc/revoke) returns {"revoked": true} without actually revoking any token, preventing resource servers from invalidating compromised credentials. This issue has been patched in version 5.0.9. | |
| CVE-2026-41670 | Hig | 0.53 | 8.2 | 0.00 | May 7, 2026 | Admidio is an open-source user management solution. Prior to version 5.0.9, the SAML IdP implementation in Admidio's SSO module uses the AssertionConsumerServiceURL value directly from incoming SAML AuthnRequest messages as the destination for the SAML response, without validating it against the registered ACS URL (smc_acs_url) stored in the database for the corresponding service provider client. An attacker who knows the Entity ID of a registered SP client can craft a SAML AuthnRequest with an arbitrary AssertionConsumerServiceURL, causing the IdP to send the signed SAML response -- containing user identity attributes (login name, email, roles, profile fields) -- to an attacker-controlled URL. This issue has been patched in version 5.0.9. | |
| CVE-2026-41669 | Hig | 0.53 | 8.2 | 0.00 | May 7, 2026 | Admidio is an open-source user management solution. Prior to version 5.0.9, the Admidio SAML Identity Provider implementation discards the return value of its validateSignature() method at both call sites (handleSSORequest() line 418 and handleSLORequest() line 613). The method returns error strings on failure rather than throwing exceptions, but the developer believed it would throw (per comments on lines 416 and 611). This means the smc_require_auth_signed configuration option is completely ineffective — unsigned or invalidly-signed SAML AuthnRequests and LogoutRequests are processed identically to properly signed ones. This issue has been patched in version 5.0.9. | |
| CVE-2026-41663 | Low | 0.23 | 3.5 | 0.00 | May 7, 2026 | Admidio is an open-source user management solution. Prior to version 5.0.9, several administrative operations in Admidio's preferences module (database backup, test email, htaccess generation) fire via GET requests with no CSRF token validation. Because SameSite=Lax cookies travel with top-level GET navigations, an attacker can force an authenticated admin to trigger these actions from a malicious page. This issue has been patched in version 5.0.9. | |
| CVE-2026-41662 | Med | 0.34 | 5.2 | 0.00 | May 7, 2026 | Admidio is an open-source user management solution. Prior to version 5.0.9, Role::stopMembership() does not verify whether removing a user from the administrator role leaves zero administrators. The deprecated Membership::stopMembership() contains this safety check, but the current code path bypasses it. Any administrator can remove the last remaining other administrator, locking the entire system out of administrative access. The exploit does not require concurrent requests; sequential removals produce the same result. This issue has been patched in version 5.0.9. | |
| CVE-2026-41661 | Med | 0.40 | 6.1 | 0.00 | May 7, 2026 | Admidio is an open-source user management solution. Prior to version 5.0.9, an unauthenticated attacker can execute arbitrary JavaScript in any Admidio user's browser through a reflected XSS in system/msg_window.php. The endpoint passes user input through htmlspecialchars(), which does not encode square brackets. A subsequent call to Language::prepareTextPlaceholders() converts those brackets into HTML angle brackets, producing executable markup. This issue has been patched in version 5.0.9. | |
| CVE-2026-41660 | Hig | 0.46 | 7.1 | 0.00 | May 7, 2026 | Admidio is an open-source user management solution. Prior to version 5.0.9, a logic error in Admidio's two-factor authentication reset inverts the authorization check. Non-admin users cannot remove their own TOTP configuration, but they can remove other users' TOTP, including administrators. A group leader with profile edit rights on an admin account can strip that admin's 2FA. This issue has been patched in version 5.0.9. | |
| CVE-2026-41659 | Low | 0.18 | 2.7 | 0.00 | May 7, 2026 | Admidio is an open-source user management solution. Prior to version 5.0.9, the member assignment DataTables endpoint (members_assignment_data.php) includes hidden profile fields (BIRTHDAY, STREET, CITY, POSTCODE, COUNTRY) in its SQL search condition regardless of field visibility settings. While the JSON output correctly suppresses hidden columns via isVisible() checks, the server-side search operates at the SQL level before any visibility filtering. This allows a role leader with assign-only permissions to infer hidden PII values by observing which users appear in search results for specific values. This issue has been patched in version 5.0.9. | |
| CVE-2026-41658 | Med | 0.42 | 6.5 | 0.00 | May 7, 2026 | Admidio is an open-source user management solution. Prior to version 5.0.9, the Admidio inventory module enforces authorization for destructive operations (delete, retire, reinstate) only in the UI layer by conditionally rendering buttons. The backend POST handlers at modules/inventory.php for item_delete, item_retire, item_reinstate, item_picture_upload, item_picture_save, and item_picture_delete perform CSRF validation but never check whether the requesting user is an inventory administrator. Any authenticated user who can access the inventory module can permanently delete any inventory item and all its associated data. This issue has been patched in version 5.0.9. | |
| CVE-2026-41657 | Med | 0.32 | 4.9 | 0.00 | May 7, 2026 | Admidio is an open-source user management solution. Prior to version 5.0.9, the contacts_data.php endpoint uses a weaker permission check (isAdministratorUsers(), requiring only rol_edit_user=true) than the frontend UI (contacts.php) which correctly requires the stronger isAdministrator() (requiring rol_administrator=true) and the contacts_show_all system setting. A user manager who is not a full administrator can directly request contacts_data.php?mem_show_filter=3 to retrieve all user records across all organizations in the Admidio instance, bypassing multi-tenant organization isolation. This issue has been patched in version 5.0.9. | |
| CVE-2026-41656 | Med | 0.29 | 4.5 | 0.00 | May 7, 2026 | Admidio is an open-source user management solution. Prior to version 5.0.9, the add mode in modules/documents-files.php accepts a name parameter validated only as 'string' type (HTML encoding), allowing path traversal characters (../) to pass through unfiltered. Combined with the absence of CSRF protection on this endpoint and SameSite=Lax session cookies, a low-privileged attacker can trick a documents administrator into clicking a crafted link that registers an arbitrary server file (e.g., install/config.php containing database credentials) into a documents folder accessible to the attacker. This issue has been patched in version 5.0.9. | |
| CVE-2026-41655 | Med | 0.42 | 6.5 | 0.00 | May 7, 2026 | Admidio is an open-source user management solution. Prior to version 5.0.9, the ecard_preview.php endpoint does not validate that the ecard_template POST parameter is a safe filename before passing it to ECard::getEcardTemplate(). An authenticated user can supply a path traversal payload (e.g., ../config.php) to read arbitrary files accessible to the web server process, including adm_my_files/config.php which contains database credentials. This issue has been patched in version 5.0.9. | |
| CVE-2026-41640 | Hig | 0.42 | 7.5 | 0.04 | May 7, 2026 | NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.39, the queryParentSQL() function in the core database package constructs a recursive CTE query by joining nodeIds with string concatenation instead of using parameterized queries. The nodeIds array contains primary key values read from database rows. An attacker who can create a record with a malicious string primary key can inject arbitrary SQL when any subsequent request triggers recursive eager loading on that collection. This issue has been patched in version 2.0.39. | |
| CVE-2026-41587 | Hig | 0.49 | — | 0.00 | May 7, 2026 | CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. From version 0.26.0.0 to before version 0.31.7.0, a theme upload feature allows any authenticated backend user with theme-upload permission to achieve remote code execution (RCE) by uploading a crafted ZIP file. PHP files inside the ZIP are installed into the web-accessible public/ directory with no extension or content filtering, making them directly executable via HTTP. This issue has been patched in version 0.31.7.0. | |
| CVE-2026-41203 | Cri | 0.61 | — | 0.00 | May 7, 2026 | CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.5.0, ci4ms Theme::upload extracts user uploaded ZIP archives without validating entry names, allowing an authenticated backend user with the theme create permission to write files to arbitrary filesystem locations (Zip Slip) and achieve remote code execution by dropping a PHP file under the public web root. This issue has been patched in version 0.31.5.0. | |
| CVE-2026-41202 | Cri | 0.61 | — | 0.00 | May 7, 2026 | CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.5.0, ci4ms Backup::restore extracts user uploaded ZIP archives without validating entry names, allowing an authenticated backend user with the backup create permission to write files to arbitrary filesystem locations (Zip Slip) and achieve remote code execution by dropping a PHP file under the public web root. This issue has been patched in version 0.31.5.0. | |
| CVE-2026-41201 | Cri | 0.59 | 9.1 | 0.00 | May 7, 2026 | CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. In version 0.31.4.0, a stored DOM XSS in the backup module's filename field allows full account takeover and privilege escalation: a crafted SQL backup file tampers with the file name field so that it contains a hidden XSS payload. This issue has been patched in version 0.31.5.0. | |
| CVE-2026-41142 | Hig | 0.50 | 8.8 | 0.00 | May 7, 2026 | OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From versions 3.0.0 to before 3.2.9, 3.3.0 to before 3.3.11, and 3.4.0 to before 3.4.11, there is an integer overflow in ImageChannel::resize that leads to heap OOB write via OpenEXRUtil public API. This issue has been patched in versions 3.2.9, 3.3.11, and 3.4.11. | |
| CVE-2026-41004 | Med | 0.29 | 4.4 | 0.00 | May 7, 2026 | When enabling trace logging in Spring Cloud Config Server sensitive information was placed in plain text in the logs. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only). Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); upgrade to 4.1.10 or greater (Enterprise Support Only). Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); upgrade to 4.2.7 or greater (Enterprise Support Only). Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater. Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater. | |
| CVE-2026-41002 | Hig | 0.47 | 7.2 | 0.00 | May 7, 2026 | The base directory (`spring.cloud.config.server.git.basedir`) used by the Spring Cloud Config Server to clone Git repositories to is susceptible to time-of-check-time-of-use (TOCTOU) attacks. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only). Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); upgrade to 4.1.10 or greater (Enterprise Support Only). Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); upgrade to 4.2.7 or greater (Enterprise Support Only). Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater. Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater. | |
| CVE-2026-40982 | Cri | 0.59 | 9.1 | 0.00 | May 7, 2026 | Spring Cloud Config allows applications to serve arbitrary text and binary files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead to a directory traversal attack. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only). Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); upgrade to 4.1.10 or greater (Enterprise Support Only). Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); upgrade to 4.2.7 or greater (Enterprise Support Only). Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater. Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater. | |
| CVE-2026-40981 | Hig | 0.49 | 7.5 | 0.00 | May 7, 2026 | When using Google Secrets Manager as a backend for the Spring Cloud Config server a client can craft a request to the config server potentially exposing secrets from unintended GCP projects. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only). Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); upgrade to 4.1.10 or greater (Enterprise Support Only). Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); upgrade to 4.2.7 or greater (Enterprise Support Only). Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater. Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater. | |
| CVE-2026-40004 | Med | 0.36 | 5.5 | 0.00 | May 7, 2026 | There exists an openssl.cnf privilege escalation vulnerability in ZTE Cloud PC client uSmartview. An attacker can execute arbitrary code locally and escalate privileges. | |
| CVE-2026-4807 | Med | 0.42 | 6.5 | 0.00 | May 7, 2026 | The Appointment Booking Calendar plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.6.10.6. This is due to a flawed authorization logic in the nonce_permissions_check() method combined with the public exposure of a site-wide reusable nonce. The plugin exposes a public_nonce value through the /wp-json/ssa/v1/embed-inner endpoint, which is accessible to unauthenticated users. The appointment deletion endpoint at /wp-json/ssa/v1/appointments/{id}/delete and /wp-json/ssa/v1/appointments/bulk use a permission check that accepts requests containing both an X-WP-Nonce header (with any arbitrary value) and an X-PUBLIC-Nonce header (with the valid public nonce). When the X-WP-Nonce validation fails, the function falls back to validating the X-PUBLIC-Nonce without properly rejecting the request. Since the public_nonce is exposed to all unauthenticated visitors and is site-wide (not user-specific or appointment-specific), attackers can obtain it and use it to view details of arbitrary appointments, including the public_edit_url, or delete arbitrary appointments by ID. This makes it possible for unauthenticated attackers to view, delete or modify any appointment in the system, disclosing sensitive appointment data, causing service disruption, and loss of booking records. | |
| CVE-2026-44600 | Low | 0.24 | 3.7 | 0.00 | May 7, 2026 | Tor before 0.4.9.7 mishandles accounting of the conflux out-of-order queue during the clearing of a queue, aka TROVE-2026-010. | |
| CVE-2026-44599 | Low | 0.24 | 3.7 | 0.00 | May 7, 2026 | Tor before 0.4.9.7 can attempt or accept BEGIN_DIR via conflux legs, aka TROVE-2026-008. | |
| CVE-2026-6222 | Med | 0.34 | 5.3 | 0.00 | May 7, 2026 | The Forminator Forms plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.51.1. This is due to the `processRequest()` method in `Forminator_Admin_Module_Edit_Page` (admin/abstracts/class-admin-module-edit-page.php) dispatching sensitive module-management actions — including export, delete, clone, delete-entries, publish/draft, and bulk variants — after only a nonce check, without ever verifying that the current user holds the `manage_forminator_modules` capability. The nonce used (`forminator_form_request`) is unconditionally embedded in the global `forminatorData` JavaScript object and localized on every Forminator admin page, including Templates and Reports pages accessible to users who explicitly lack module-management permissions. Because `processRequest()` is invoked during the `admin_menu` action hook — which fires before WordPress enforces page-level capability checks — a user whose Forminator role is restricted to Templates or Reports can craft a valid POST request targeting any published module and successfully trigger the vulnerable actions. This makes it possible for authenticated attackers with subscriber-level access (or any custom low-privilege Forminator role) to export the complete internal configuration of arbitrary forms/polls/quizzes (including notification routing, integration credentials, and conditional logic), delete modules, delete all submissions/votes, clone modules, or bulk-change publish/draft status. | |
| CVE-2026-40003 | Med | 0.33 | 5.1 | 0.00 | May 7, 2026 | ZTE ZX297520V3 BootROM contains a vulnerability that allows arbitrary memory writes via USB. Attackers can exploit the lack of target address validation in the USB download mode to write data to any location in BootROM runtime memory, thereby overwriting the stack, hijacking the execution flow, bypassing the Secure Boot signature verification mechanism, and achieving unauthorized code execution. | |
## CVE-2026-42459

| CVE | Sev | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|---|
| CVE-2026-42459 | Hig | 0.45 | — | — | May 7, 2026 |

### Summary

The free5GC UDM component fails to validate the `supi` path parameter in six GET handlers of the `nudm-sdm` (Subscriber Data Management) service. An unauthenticated attacker can inject control characters into the SUPI parameter, causing UDM to forward a malformed request to UDR and return a `500 Internal Server Error` response that exposes internal infrastructure details.

### Affected Package

- **Ecosystem**: Go
- **Package**: `github.com/free5gc/udm`
- **Affected versions**: `<= v1.4.2`
- **Patched versions**: none yet

### Details

The following handlers in `internal/sbi/api_subscriberdatamanagement.go` do not call `validator.IsValidSupi()` before passing the `supi` parameter to the processor:

- `HandleGetSmfSelectData` — `GET /:supi/smf-select-data`
- `HandleGetSupi` — `GET /:supi`
- `HandleGetTraceData` — `GET /:supi/trace-data`
- `HandleGetUeContextInSmfData` — `GET /:supi/ue-context-in-smf-data`
- `HandleGetNssai` — `GET /:supi/nssai`
- `HandleGetSmData` — `GET /:supi/sm-data`

By contrast, `HandleGetAmData` in the same file correctly validates the `supi` parameter:

```go
// HandleGetAmData — correctly validates (not vulnerable)
supi := c.Params.ByName("supi")
if !validator.IsValidSupi(supi) {
	c.JSON(http.StatusBadRequest, problemDetail)
	return
}

// HandleGetSmfSelectData — missing validation (vulnerable)
supi := c.Params.ByName("supi") // ← no validator.IsValidSupi(supi) call
s.Processor().GetSmfSelectDataProcedure(c, supi, plmnID, supportedFeatures)
```

The malformed `supi` is passed to the processor, which constructs a URL to forward the request to UDR. Go's `net/url` parser rejects the URL containing control characters and returns an error. UDM catches this error and responds with a `500 SYSTEM_FAILURE` that includes the full internal UDR URL in the `detail` field.

**This is a missed fix of CVE-2026-27642**, which applied the same `validator.IsValidSupi()` check only to `internal/sbi/api_ueauthentication.go` (`HandleConfirmAuth` and `HandleGenerateAuthData`), leaving the SDM service handlers unpatched.

### Proof of Concept

```bash
# Vulnerable — returns 500 with internal UDR URL exposed
curl "http://<UDM_HOST>/nudm-sdm/v2/imsi-22277%00INJECTED/smf-select-data"
curl "http://<UDM_HOST>/nudm-sdm/v2/imsi-22277%00INJECTED/nssai"
curl "http://<UDM_HOST>/nudm-sdm/v2/imsi-22277%00INJECTED/trace-data"
curl "http://<UDM_HOST>/nudm-sdm/v2/imsi-22277%00INJECTED/sm-data"

# Expected (vulnerable) response:
# HTTP 500
# {
#   "title": "System failure",
#   "status": 500,
#   "detail": "parse \"http://udr.internal:80/nudr-dr/v2/subscription-data/imsi-22277\x00INJECTED//provisioned-data/smf-selection-subscription-data\": net/url: invalid control character in URL",
#   "cause": "SYSTEM_FAILURE"
# }

# Protected endpoint (for comparison) — returns 400
curl "http://<UDM_HOST>/nudm-sdm/v2/imsi-22277%00INJECTED/am-data"
# HTTP 400
# {"title":"Malformed request syntax","status":400,"detail":"Supi is invalid","cause":"MANDATORY_IE_INCORRECT"}
```

### Impact

An unauthenticated remote attacker can send a crafted GET request to any of the six affected endpoints to obtain:

1. Internal UDR hostname and port
2. Full internal API path structure (`/nudr-dr/v2/subscription-data/...`)
3. UDR API version
4. Internal service naming convention

This information can be used to facilitate further attacks against the UDR or other internal 5G core components.

### Recommended Fix

Add `validator.IsValidSupi()` to all six affected handlers, following the pattern already used in `HandleGetAmData`:

```go
supi := c.Params.ByName("supi")
if !validator.IsValidSupi(supi) {
	problemDetail := models.ProblemDetails{
		Title:  "Malformed request syntax",
		Status: http.StatusBadRequest,
		Detail: "Supi is invalid",
		Cause:  "MANDATORY_IE_INCORRECT",
	}
	c.Set(sbi.IN_PB_DETAILS_CTX_STR, http.StatusText(int(problemDetail.Status)))
	c.JSON(int(problemDetail.Status), problemDetail)
	return
}
```
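The advisory shows the missing `validator.IsValidSupi()` call and the leaked `net/url` error, but not why the error carries the internal URL. The Go program below is an added illustration, not free5GC's code: it rebuilds the forwarding step with a constructed UDR address, shows that `url.Parse` rejects a SUPI containing a control character and quotes the whole URL in its error text, and contrasts the unvalidated handler with one that validates first. The `supiPattern` regular expression is this example's assumption about SUPI syntax, not free5GC's validator; `udrBase`, `HandleVulnerable` and `HandleFixed` are the example's own names.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"regexp"
)

// supiPattern is this example's assumption about a well-formed SUPI: "imsi-"
// followed by 5 to 15 digits, or "nai-" followed by printable, non-control
// characters. free5GC's own validator.IsValidSupi may accept a different set.
var supiPattern = regexp.MustCompile(`^(imsi-[0-9]{5,15}|nai-[\x21-\x7e]+)$`)

// IsValidSupi stands in for validator.IsValidSupi.
func IsValidSupi(supi string) bool { return supiPattern.MatchString(supi) }

// ProblemDetails carries the fields shown in the advisory's responses.
type ProblemDetails struct {
	Title  string
	Status int
	Detail string
	Cause  string
}

// udrBase is a constructed internal UDR address, like the one leaked in the PoC.
const udrBase = "http://udr.internal:80/nudr-dr/v2/subscription-data/"

// udrSMFSelectionURL builds the forwarded request URL by concatenation and
// then parses it, which is where a control character makes net/url fail.
func udrSMFSelectionURL(supi string) (string, error) {
	u, err := url.Parse(udrBase + supi + "/provisioned-data/smf-selection-subscription-data")
	if err != nil {
		return "", err
	}
	return u.String(), nil
}

// HandleVulnerable skips validation. The *url.Error it gets back quotes the
// full URL, so copying err.Error() into Detail discloses the internal host and path.
func HandleVulnerable(supi string) ProblemDetails {
	target, err := udrSMFSelectionURL(supi)
	if err != nil {
		return ProblemDetails{Title: "System failure", Status: http.StatusInternalServerError, Detail: err.Error(), Cause: "SYSTEM_FAILURE"}
	}
	return ProblemDetails{Title: "forwarded to " + target, Status: http.StatusOK}
}

// HandleFixed validates first, as HandleGetAmData already does, so a malformed
// SUPI never reaches the URL builder and the client only sees a generic 400.
func HandleFixed(supi string) ProblemDetails {
	if !IsValidSupi(supi) {
		return ProblemDetails{Title: "Malformed request syntax", Status: http.StatusBadRequest, Detail: "Supi is invalid", Cause: "MANDATORY_IE_INCORRECT"}
	}
	return HandleVulnerable(supi)
}

func main() {
	injected := "imsi-22277\x00INJECTED" // the PoC's %00 payload after URL decoding
	fmt.Printf("vulnerable: %+v\n", HandleVulnerable(injected))
	fmt.Printf("fixed:      %+v\n", HandleFixed(injected))
	fmt.Printf("valid:      %+v\n", HandleFixed("imsi-208930000000003"))
}
```

The fixed handler never calls the URL builder for a malformed SUPI, so a later change to the error handling cannot reintroduce the leak for that input. A second hardening the advisory does not ask for, but worth applying alongside it: never copy `err.Error()` from an internal client error into `detail`; log it server-side and return a fixed string.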
## CVE-2026-42328

| CVE | Sev | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|---|
| CVE-2026-42328 | — | 0.00 | — | — | May 7, 2026 |

The DAG-CBOR and DAG-JSON decoders recurse on each nested map or list without a depth limit. A payload containing deeply nested collections causes the decoder to recurse once per level, growing the goroutine stack until the Go runtime terminates the process with a fatal stack overflow (distinct from a recoverable panic).

For DAG-CBOR, a payload of approximately 2 MB, consisting of repeated `0x81` (array-of-1) bytes followed by a terminator, produces around 2 million recursion frames and reliably exhausts Go's default 1 GB goroutine stack. The existing allocation budget does not prevent this: each nested collection header costs only a handful of budget units, so the stack is exhausted before the budget is. DAG-JSON has equivalent exposure via `[[[...]]]`-style payloads; it has no budget system and is therefore unprotected against recursion depth as well.

Schema-free decoding (using `basicnode.Prototype.Any`) allows arbitrary nesting depth. Schema-bound decoding bounds nesting only when the schema itself is non-recursive and contains no fields typed as `Any`; schemas with recursive type references or any `Any`-typed fields permit unconstrained nesting at those points.

The fix adds a configurable `MaxDepth` option to both decoders, defaulting to 1024 nested levels. The decoder returns `ErrDecodeDepthExceeded` when a payload nests beyond the limit. Well-formed IPLD data rarely approaches this depth in practice; the default is generous for legitimate use while preventing stack exhaustion.
## CVE-2026-42083

| CVE | Sev | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|---|
| CVE-2026-42083 | Hig | 0.38 | — | — | May 7, 2026 |

### Summary

PCF Npcf_SMPolicyControl missing authentication middleware allows unauthenticated access to SM policy handlers and disclosure of subscriber SUPI.

### Details

In `NewServer()`, the `smPolicyGroup` route group is created and routes are applied without attaching the router authorization middleware. In contrast, other PCF service groups such as `Npcf_PolicyAuthorization` do attach `RouterAuthorizationCheck` before route registration. Because the middleware is missing, requests to the following endpoints can reach business logic even when no valid OAuth token is provided:

- `POST /npcf-smpolicycontrol/v1/sm-policies`
- `GET /npcf-smpolicycontrol/v1/sm-policies/{smPolicyId}`
- `POST /npcf-smpolicycontrol/v1/sm-policies/{smPolicyId}/update`
- `POST /npcf-smpolicycontrol/v1/sm-policies/{smPolicyId}/delete`

This is visible at runtime because unauthenticated requests return business-level responses such as `400` or `404` instead of being rejected with `401` before handler execution. Under valid lab preconditions (existing UE/session context and related policy data), unauthenticated `POST /sm-policies` can succeed with `201`, and unauthenticated `GET /sm-policies/{id}` can succeed with `200` and return policy context containing subscriber identifiers including `supi`.

The root cause is missing router auth enforcement for `Npcf_SMPolicyControl`. Upstream also fixed this by adding `RouterAuthorizationCheck` to `smPolicyGroup` (and `uePolicyGroup`) in free5gc/pcf PR #63.

### PoC

1. Deploy free5GC with PCF reachable on the SBI network.
2. Use the PoC against the PCF service **without** an `Authorization` header:

   ```bash
   go run /home/ubuntu/free5gc/tools/npcf-smpolicy-noauth-poc/main.go \
     --pcf-root /home/ubuntu/free5gc/NFs/pcf \
     --pcf-url http://10.100.200.9:8000 \
     --timeout 4s
   ```

   Observe that unauthenticated requests to Npcf_SMPolicyControl return business responses instead of 401.

### Impact

This is an authentication/authorization bypass on a network-accessible SBI service. Any unauthenticated actor able to reach the PCF SBI interface can invoke Npcf_SMPolicyControl handlers directly.
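The advisory's runtime signature of the bug is that an unauthenticated request gets a business-level response (400, 404, 200/201) rather than a 401. The Go program below is an added illustration using only `net/http` and `httptest`, not free5GC's gin router or its `RouterAuthorizationCheck`: one route group registered behind a stand-in bearer-token middleware and one without, plus a `Probe` that sends the same request with and without a token. The token value, the policy id and the handler responses are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// validToken is a constructed credential; a real SBI deployment would verify
// an OAuth2 access token issued by the NRF instead of comparing a constant.
const validToken = "lab-token"

// requireBearer stands in for free5GC's RouterAuthorizationCheck middleware:
// reject before the handler runs unless a valid bearer token is presented.
func requireBearer(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer "+validToken {
			http.Error(w, `{"title":"Unauthorized","status":401}`, http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// smPolicyHandler is the business logic for GET /sm-policies/{smPolicyId}.
// It knows a single constructed policy whose context carries the SUPI.
func smPolicyHandler(w http.ResponseWriter, r *http.Request) {
	const prefix = "/npcf-smpolicycontrol/v1/sm-policies/"
	id := strings.TrimPrefix(r.URL.Path, prefix)
	switch {
	case id == "":
		http.Error(w, `{"title":"Bad request","status":400}`, http.StatusBadRequest)
	case id != "policy-1":
		http.Error(w, `{"title":"Not found","status":404}`, http.StatusNotFound)
	default:
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, `{"smPolicyId":"policy-1","supi":"imsi-208930000000003"}`)
	}
}

// NewMux registers the route group with or without the middleware, which is
// the difference the advisory reports between Npcf_PolicyAuthorization
// (guarded) and Npcf_SMPolicyControl (unguarded).
func NewMux(guarded bool) http.Handler {
	mux := http.NewServeMux()
	var h http.Handler = http.HandlerFunc(smPolicyHandler)
	if guarded {
		h = requireBearer(h)
	}
	mux.Handle("/npcf-smpolicycontrol/v1/sm-policies/", h)
	return mux
}

// Probe is the runtime check from the advisory: send a request with or
// without a token and return the status. A business-level 200/400/404 on an
// unauthenticated request means the handler ran without auth enforcement.
func Probe(h http.Handler, path, token string) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	const policy = "/npcf-smpolicycontrol/v1/sm-policies/policy-1"
	fmt.Println("unguarded, no token:            ", Probe(NewMux(false), policy, ""))
	fmt.Println("unguarded, no token, unknown id:", Probe(NewMux(false), policy+"-missing", ""))
	fmt.Println("guarded, no token:              ", Probe(NewMux(true), policy, ""))
	fmt.Println("guarded, valid token:           ", Probe(NewMux(true), policy, validToken))
}
```

Run the same probe against every SBI service group after wiring: any group where the no-token probe returns anything other than 401 is missing the middleware, which is exactly how `smPolicyGroup` differed from `Npcf_PolicyAuthorization` here.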
## CVE-2026-42082

| CVE | Sev | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|---|
| CVE-2026-42082 | Low | 0.07 | — | — | May 7, 2026 |

### Summary

The AMF in Free5GC v4.2.1 does not enforce the concurrent security procedure rules defined in 3GPP TS 33.501 §6.9.5.1. The AMF does not check for ongoing N2 handover procedures before initiating a NAS Security Mode Command, and vice versa. This can lead to mismatches between NAS and AS security contexts in the network and the UE.

### Details

**Vulnerability Type:** CWE-358 (Improperly Implemented Security Check for Standard)

**Affected File:** `internal/ngap/handler.go` — `handleHandoverRequiredMain()` and `internal/gmm/sm.go` — `SecurityMode()`

**Root Cause:**

3GPP TS 33.501 §6.9.5.1 states:

> "Concurrent runs of security procedures may, in certain situations, lead to mismatches between security contexts in the network and the UE. In order to avoid such mismatches, the following rules shall be adhered to:
> 1. AMF shall not initiate any of the N2 procedures including a new key towards a UE if a NAS Security Mode Command procedure is ongoing with the UE.
> 2. The AMF shall not initiate a NAS Security Mode Command towards a UE if one of the N2 procedures including a new key is ongoing with the UE."

Free5GC AMF uses an `OnGoing` state tracking mechanism (`SetOnGoing()`, `GetOnGoing()`) with `OnGoingProcedureN2Handover` type. However, the cross-procedure checks required by §6.9.5.1 are not implemented:

**Rule 2 violation:** `SecurityMode()` in `internal/gmm/sm.go` sends SMC on `EntryEvent` without checking if N2 handover is ongoing.

**Rule 1 violation:** `handleHandoverRequiredMain()` in `internal/ngap/handler.go` calls `SetOnGoing(OnGoingProcedureN2Handover)` without checking if SMC is ongoing.

**Why NH/NCC and SMC are related:** SMC activates a new KAMF, which changes the basis for NH key derivation. The N2 HandoverRequest includes NH/NCC derived from the old KAMF. If both procedures run concurrently, the target gNB and UE derive different KgNB keys, breaking AS security.

### PoC

**Source code evidence:**

Free5GC AMF `internal/gmm/sm.go` — `SecurityMode()`:

```go
func SecurityMode(state *fsm.State, event fsm.EventType, args fsm.ArgsType) {
	switch event {
	case fsm.EntryEvent:
		// No check for OnGoing N2 procedure
		// Directly proceeds to SMC
```

Free5GC AMF `internal/ngap/handler.go` — `handleHandoverRequiredMain()`:

```go
amfUe.SetOnGoing(sourceUe.Ran.AnType, &context.OnGoing{
	Procedure: context.OnGoingProcedureN2Handover,
})
// No check for ongoing SMC before setting N2
```

**Packet Evidence (pcap available):**

| Packet | Time | Message | Description |
|--------|------|---------|-------------|
| #1 | 0.000s | HandoverRequired | gNB_A requests handover |
| #18 | 0.002s | **HandoverRequest** | **N2 started (NH/NCC included)** |
| | | *(no response from gNB_B)* | **N2 ongoing** |
| #28 | 2.062s | Registration request | UE re-registers (same SUPI) |
| #63 | 2.069s | Authentication request | |
| #64 | 2.070s | Authentication response | |
| #71 | 2.072s | **Security mode command** | **SMC during N2 ongoing = Rule 2 violation** |

[NGAPHandover-N2-SMC-Concurrent.zip](https://github.com/user-attachments/files/26735421/NGAPHandover-N2-SMC-Concurrent.zip)

### Impact

**Integrity (MEDIUM):** Concurrent NAS and AS security procedures can cause security context mismatches between UE, AMF, and gNB. The SMC activates a new KAMF while the N2 HandoverRequest carries NH/NCC derived from the old KAMF, resulting in KgNB derivation mismatch.

**Availability (LOW):** Security context mismatch may cause handover failure or security verification failures.
| CVE-2026-42081 | | 0.00 | — | — | | May 7, 2026 | ### Summary The AMF in Free5GC v4.2.1 does not verify the UE Security Capabilities received in NGAP PathSwitchRequest messages against its locally stored values, as mandated by 3GPP TS 33.501 §6.7.3.1. A malicious gNB can overwrite the AMF's stored UE security capabilities with arbitrary values, which are then propagated in PathSwitchRequest Acknowledge messages and subsequent Handover Request messages. This leads to persistent handover denial-of-service for affected UEs. ### Details **Affected File:** `amf/internal/ngap/handler.go` — `handlePathSwitchRequestMain` function **Root Cause:** When the AMF receives a PathSwitchRequest during an Xn-handover, it processes the UESecurityCapabilities IE by directly overwriting the stored values without comparing them to the previously stored capabilities: ```go if uESecurityCapabilities != nil { amfUe.UESecurityCapability.SetEA1_128_5G(uESecurityCapabilities.NRencryptionAlgorithms.Value.Bytes[0] & 0x80) amfUe.UESecurityCapability.SetEA2_128_5G(uESecurityCapabilities.NRencryptionAlgorithms.Value.Bytes[0] & 0x40) amfUe.UESecurityCapability.SetEA3_128_5G(uESecurityCapabilities.NRencryptionAlgorithms.Value.Bytes[0] & 0x20) amfUe.UESecurityCapability.SetIA1_128_5G(uESecurityCapabilities.NRintegrityProtectionAlgorithms.Value.Bytes[0] & 0x80) amfUe.UESecurityCapability.SetIA2_128_5G(uESecurityCapabilities.NRintegrityProtectionAlgorithms.Value.Bytes[0] & 0x40) amfUe.UESecurityCapability.SetIA3_128_5G(uESecurityCapabilities.NRintegrityProtectionAlgorithms.Value.Bytes[0] & 0x20) } ``` **3GPP TS 33.501 §6.7.3.1 requires three actions, none of which are implemented:** 1. **Verification (SHALL):** "The AMF shall verify that the UE's 5G security capabilities received from the target gNB/ng-eNB are the same as the UE's 5G security capabilities that the AMF has locally stored." → Not implemented. The AMF unconditionally overwrites stored values. 2. **Correction (SHALL):** "If there is a mismatch, the AMF shall send its locally stored 5G security capabilities of the UE to the target gNB/ng-eNB in the Path-Switch Acknowledge message." → Not implemented. The PathSwitchRequestAcknowledge contains the corrupted values. 3. **Logging (SHALL):** "The AMF shall support logging capabilities for this event and may take additional measures, such as raising an alarm." → Not implemented. No mismatch detection or logging exists. **Propagation:** The corrupted values are propagated in: - **PathSwitchRequestAcknowledge:** Contains corrupted UESecurityCapabilities (demonstrated in pcap) - **Subsequent HandoverRequest messages:** AMF sends corrupted capabilities to target gNBs Per TS 38.413 §8.4.2.4, if the supported algorithms in the UE Security Capabilities do not match any allowed algorithms configured in the target gNB, the target gNB is required to reject the procedure using a HANDOVER FAILURE message. ### PoC **Environment:** - Free5GC v4.2.1 AMF (Docker container) with full NF stack (NRF, AUSF, UDM, UDR, NSSF, PCF, SMF, UPF) - UERANSIM v3.2.7 gNB with custom inspection-tool extension - tshark for packet capture **Reproduction Steps:** 1. Start Free5GC full stack and register a UE through a gNB (NG Setup → Registration → PDU Session Setup). 2. Send a normal HandoverRequired from the gNB. Capture the resulting HandoverRequest from the AMF and confirm `nRintegrityProtectionAlgorithms = 0xe000` (NIA1, NIA2, NIA3 all supported). This is the baseline. 3. Send a PathSwitchRequest with `nRintegrityProtectionAlgorithms = 0x0000` (all integrity algorithms set to not supported). The AMF responds with PathSwitchRequestAcknowledge. 4. Observe that the PathSwitchRequestAcknowledge contains `nRintegrityProtectionAlgorithms = 0x0000` — the corrupted values are propagated back. **Observed Result (from pcap capture):** | Packet | Message | nRintegrityProtectionAlgorithms | |--------|---------|-------------------------------| | #20 | HandoverRequest (AMF→gNB) | `0xe000` (NIA1 ✓ NIA2 ✓ NIA3 ✓) — **baseline** | | #30 | PathSwitchRequest (gNB→AMF) | `0x0000` — **poison** | | #47 | PathSwitchRequestAcknowledge (AMF→gNB) | `0x0000` (NIA1 ✗ NIA2 ✗ NIA3 ✗) — **corrupted** | ### Impact **Availability (HIGH):** A malicious gNB can send a single PathSwitchRequest message to corrupt the AMF's stored UE security capabilities for any UE. All subsequent inter-gNB handovers for the affected UE are expected to fail (per TS 38.413 §8.4.2.4), resulting in denial-of-service that persists until the UE performs a new registration. **Integrity (LOW):** The AMF's internal UE security context is corrupted with attacker-controlled values. These corrupted values are propagated to other network elements via PathSwitchRequestAcknowledge and HandoverRequest messages. **Who is impacted:** Any deployment using Free5GC as the AMF where a gNB could be compromised or where untrusted gNBs exist (e.g., O-RAN multi-vendor deployments). |
| CVE-2026-44597 | Low | 0.24 | 3.7 | 0.00 | | May 7, 2026 | Tor before 0.4.9.7 has an out-of-bounds read when an END, a TRUNCATE, or a TRUNCATED cell lacks a reason in its payload, aka TROVE-2026-011. |
| CVE-2026-46689 | Hig | 0.45 | — | — | | May 6, 2026 | ### Summary A single unauthenticated `GET` to any `/scim/v1/...` endpoint with a `?filter=` query string of a few thousand nested parentheses (≈ 4–12 KB) drives the recursive-descent PEG parser past the worker thread's stack guard page. Rust responds to stack overflow with `std::process::abort()` — the entire `kanidmd` process exits. The parse runs inside axum's `Query<ScimEntryGetQuery>` extractor, before any handler body and therefore before any ACL check. ### Details The SCIM filter grammar recurses on `(` and `not (` with no depth bound. **`proto/src/scim_v1/mod.rs:263-433`** — `peg::parser! { grammar scimfilter() ... }`: ```rust // line 281 "not" separator()+ "(" e:parse() ")" { ScimFilter::Not(Box::new(e)) } // line 293 "(" e:parse() ")" { e } ``` Both rules re-enter `parse()` without a depth counter. **`proto/src/scim_v1/mod.rs:442-447`** — `impl FromStr for ScimFilter` calls `scimfilter::parse(input)` directly on the raw string with no length or depth pre-check. **`proto/src/scim_v1/mod.rs:80-81`** — `ScimEntryGetQuery.filter` is `#[serde_as(as = "Option<DisplayFromStr>")]`, so deserialising the query struct invokes `ScimFilter::from_str` on attacker bytes. **Unauthenticated reachability** — nine handlers in `server/core/src/https/v1_scim.rs` (route table at lines 865-1029) take `Query<ScimEntryGetQuery>` as an argument: `/scim/v1/Entry`, `/scim/v1/Entry/{id}`, `/scim/v1/Person/{id}`, `/scim/v1/Application`, `/scim/v1/Application/{id}`, `/scim/v1/Class`, `/scim/v1/Attribute`, `/scim/v1/Message`, `/scim/v1/Message/{id}`. The SCIM router is merged unconditionally for every server role (`server/core/src/https/mod.rs:312`). Axum extracts handler arguments before the handler body runs. The preceding `VerifiedClientInformation` extractor (`server/core/src/https/extractors/mod.rs:16-91`) always returns `Ok` (line 89) regardless of credentials; authorization is deferred to the handler body, which is never reached. The existing semantic depth limit (`DEFAULT_LIMIT_FILTER_DEPTH_MAX = 12`, `server/lib/src/constants/mod.rs:212`) is enforced in `Filter::from_scim_ro` (`server/lib/src/filter.rs:786`) **after** the PEG parse has already produced an AST, so it cannot prevent the parser itself from blowing the stack. The production daemon (`server/daemon/src/main.rs:735-744`) uses `new_multi_thread()` with default 2 MiB worker stacks; hyper's `max_buf_size` (~400 KiB) is not lowered (`server/core/src/https/mod.rs:708-727`), so a 12 KB URI is accepted. An identical unbounded grammar exists in `libs/scim_proto/src/filter.rs:112-276` (not network-reachable, but should be fixed in the same patch). ### PoC ```sh curl -sk "https://idm.example.com/scim/v1/Application?filter=$(python3 -c 'print("("*3000+"a+pr"+")"*3000)')" # → curl: (52) Empty reply from server # → server journal: "fatal runtime error: stack overflow, aborting", SIGABRT ``` Release-build threshold measured at ~2 000 nesting levels / ~4 KB: ``` $ cargo test --release -p kanidm_proto --test scim_filter_depth -- --nocapture parens depth=1500 len=3004 -> survived parens depth=2000 len=4004 thread 'audit_scim_filter_nested_parens' has overflowed its stack fatal runtime error: stack overflow, aborting (signal: 6, SIGABRT: process abort signal) ``` End-to-end against an in-process server via `kanidmd_testkit` (no authentication performed): ``` Testkit server setup complete - http://localhost:18080/ audit_scim_dos: sending unauthenticated GET, url len = 12056 thread '...' has overflowed its stack fatal runtime error: stack overflow, aborting (signal: 6, SIGABRT: process abort signal) ``` ### Impact Process-wide availability loss; no confidentiality or integrity impact. - **Unauthenticated**, default install, no feature flag required. - **Process abort, not task panic.** Stack overflow triggers libstd's guard-page handler, which calls `std::process::abort()`. tokio's per-task `catch_unwind` isolation does not apply to aborts. All in-flight HTTP requests, OAuth2/OIDC sessions, LDAP binds, and the web UI are terminated. - **Repeatable.** One ~12 KB GET per crash; a `while true; do curl ...; done` loop holds the service down indefinitely across supervisor restarts. - The 6 011-byte variant (`depth=3000`) fits under the nginx default `large_client_header_buffers` limit of 8 KB, so a typical reverse proxy does not mitigate. **Affected**: v1.7.0 through `master` @ edf50b9da. |
| CVE-2026-6278 | | 0.00 | — | — | | May 6, 2026 | Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. |
| CVE-2026-41484 | Med | 0.27 | 5.3 | 0.00 | | May 6, 2026 | OpenTelemetry.Exporter.OneCollector is a .NET exporter that sends telemetry to a OneCollector back-end over HTTP. In versions 1.15.0 and earlier, when a request to the configured back-end or collector results in an unsuccessful HTTP 4xx or 5xx response, the HttpJsonPostTransport class reads the entire response body into memory with no upper bound on the number of bytes consumed in order to include the error response in operator logs. An attacker who controls the configured endpoint, or who can intercept traffic to it via a man-in-the-middle attack, can return an arbitrarily large response body. This causes unbounded heap allocation in the consuming process, leading to high transient memory pressure, garbage-collection stalls, or an OutOfMemoryException that terminates the process. As a workaround, use network-level controls such as firewall rules, mTLS, or a service mesh to prevent man-in-the-middle attacks on the configured back-end or collector endpoint. This issue is fixed in version 1.15.1, which limits the number of bytes read from the response body in an error condition to 4 MiB. |
| CVE-2026-41483 | Med | 0.31 | 5.9 | 0.00 | | May 6, 2026 | OpenTelemetry.Resources.Azure is the .NET resource detector for Azure environments. In versions 1.15.0-beta.1 and earlier, the AzureVmMetaDataRequestor class makes HTTP requests to the Azure VM instance metadata service and reads the response body into memory without any size limit. An attacker who controls the configured endpoint, or who can intercept traffic to it via a man-in-the-middle attack, can return an arbitrarily large response body. This causes unbounded heap allocation in the consuming process, leading to high transient memory pressure, garbage-collection stalls, or an OutOfMemoryException that terminates the process. As a workaround, disable the Azure VM resource detector or use network-level controls such as firewall rules, mTLS, or a service mesh to prevent man-in-the-middle attacks on the Azure VM instance metadata endpoint. This issue is fixed in version 1.15.1-beta.1, which streams responses rather than buffering them entirely in memory and ignores responses larger than 4 MiB. |
| CVE-2026-41417 | Med | 0.34 | 5.3 | 0.00 | | May 6, 2026 | Netty allows request-line validation to be bypassed when a `DefaultHttpRequest` or `DefaultFullHttpRequest` is created first and its URI is later changed via `setUri()`. The constructors reject CRLF and whitespace characters that would break the start-line, but `setUri()` does not apply the same validation. `HttpRequestEncoder` and `RtspEncoder` then write the URI into the request line verbatim. If attacker-controlled input reaches `setUri()`, this enables CRLF injection and insertion of additional HTTP or RTSP requests, leading to HTTP request smuggling or desynchronization on the HTTP side and request injection on the RTSP side. This issue is fixed in versions 4.2.13.Final and 4.1.133.Final. |
| CVE-2026-41310 | Med | 0.27 | 5.3 | 0.00 | | May 6, 2026 | OpenTelemetry.Exporter.Zipkin is the .NET Zipkin exporter for OpenTelemetry. In versions 1.15.2 and earlier, the Zipkin exporter remote endpoint cache accepts unbounded key growth derived from span attributes. In high-cardinality scenarios, a process using Zipkin export for client or producer spans could experience avoidable memory growth under sustained unique remote endpoint values, increasing process memory usage over time and degrading availability. This issue is fixed in version 1.15.3, which introduces a bounded, thread-safe LRU cache for remote endpoints with a fixed maximum size. |
| CVE-2026-40296 | Med | 0.35 | 5.4 | 0.00 | | May 6, 2026 | PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. The HTML writer skips htmlspecialchars escaping when a cell's formatted value differs from the original value. When a cell has a custom number format containing the text placeholder @ along with any additional literal characters (for example ". @", "@ ", or "x@"), the formatter replaces @ with the cell value and adds the extra characters, causing the formatted value to differ from the original and bypassing HTML escaping entirely. An attacker who can control the cell value and number format of an uploaded spreadsheet that is later converted to HTML and displayed to other users can achieve stored cross-site scripting. This issue is fixed in versions 5.7.0, 3.10.5, 2.4.5, 2.1.16, and 1.30.4. |
| CVE-2026-3291 | Med | 0.36 | 5.5 | 0.00 | | May 6, 2026 | Samsung Print Service Plugin for Android is potentially vulnerable to information disclosure when using an outdated version of the application via mobile devices. HP is releasing updates to mitigate these potential vulnerabilities. |
| CVE-2026-40332 | Med | 0.34 | — | 0.00 | | May 6, 2026 | Masa CMS is affected by an Open Redirect vulnerability due to improper handling of scheme-relative URLs. The application incorrectly interprets paths beginning with double slashes (//) as internal paths, failing to validate the redirect target before processing. The application treats these values as internal paths and processes them without confirming that the redirect target remains on the local site. An attacker can craft a URL on the trusted Masa CMS domain that redirects a victim to an external attacker-controlled site. This can be used for phishing and, in some authentication flows, may expose tokens or other sensitive data to the external site. This issue has been fixed in versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3. As a workaround, reject or rewrite redirect parameters that begin with // and consider disabling forceDirectoryStructure if compatible with the deployment. |
| CVE-2026-40281 | Cri | 0.58 | 10.0 | 0.00 | | May 6, 2026 | Gotenberg is a Docker-powered stateless API for PDF files. In versions 8.30.1 and earlier, the metadata write endpoint validates metadata keys for control characters but leaves metadata values unsanitized. A newline character in a metadata value splits the ExifTool stdin line into two separate arguments, allowing injection of arbitrary ExifTool pseudo-tags such as -FileName, -Directory, -SymLink, and -HardLink. This is a bypass of the incomplete key-sanitization fix introduced in v8.30.1. An unauthenticated attacker can rename or move any PDF being processed to an arbitrary path in the container filesystem, overwrite arbitrary files, or create symlinks and hard links at arbitrary paths. |
- risk 0.27cvss —epss 0.00
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. From version 0.26.0 to before version 0.31.8.0, the auth filter has the deactivated/banned user check commented out. This issue has been patched in version 0.31.8.0.
- risk 0.38cvss —epss 0.00
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. From version 0.31.1.0 to before version 0.31.8.0, the deleteProcess() action accepts a POST parameter tables[] containing arbitrary table names. These are passed directly to $forge->dropTable() without validating that the tables belong to the theme being deleted. The deleteConfirm view correctly populates tables[] from the theme's own migration files, but the server-side deleteProcess does not verify the received values against those files. An authenticated admin can craft a POST request with arbitrary table names and drop any table in the database. This issue has been patched in version 0.31.8.0.
- risk 0.50cvss —epss 0.00
xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package allows attacker-controlled processing instruction data to be serialized into XML without validating or neutralizing the PI-closing sequence ?>. As a result, an attacker can terminate the processing instruction early and inject arbitrary XML nodes into the serialized output. This issue has been patched in versions @xmldom/xmldom versions 0.9.10 and 0.8.13.
- risk 0.50cvss —epss 0.00
xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package serializes DocumentType node fields (internalSubset, publicId, systemId) verbatim without any escaping or validation. When these fields are set programmatically to attacker-controlled strings, XMLSerializer.serializeToString can produce output where the DOCTYPE declaration is terminated early and arbitrary markup appears outside it. This issue has been patched in versions @xmldom/xmldom versions 0.9.10 and 0.8.13.
- risk 0.50cvss —epss 0.00
xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, seven recursive traversals in lib/dom.js operate without a depth limit. A sufficiently deeply nested DOM tree causes a RangeError: Maximum call stack size exceeded, crashing the application. This issue has been patched in versions @xmldom/xmldom versions 0.9.10 and 0.8.13.
- risk 0.50cvss —epss 0.00
xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package allows attacker-controlled comment content to be serialized into XML without validating or neutralizing comment-breaking sequences. As a result, an attacker can terminate the comment early and inject arbitrary XML nodes into the serialized output. This issue has been patched in versions @xmldom/xmldom versions 0.9.10 and 0.8.13.
- risk 0.44cvss 6.8epss 0.00
Admidio is an open-source user management solution. Prior to version 5.0.9, the OIDC token introspection endpoint (/modules/sso/index.php/oidc/introspect) always returns {"active": true} for every request, regardless of whether a valid token is provided, whether the token is expired, revoked, or completely fabricated. The endpoint performs no authentication of the calling resource server and no validation of the submitted token. Any resource server that relies on this introspection endpoint to validate access tokens will accept all requests as authorized, enabling complete authentication bypass. Additionally, the OIDC token revocation endpoint (/oidc/revoke) returns {"revoked": true} without actually revoking any token, preventing resource servers from invalidating compromised credentials. This issue has been patched in version 5.0.9.
- risk 0.53cvss 8.2epss 0.00
Admidio is an open-source user management solution. Prior to version 5.0.9, the SAML IdP implementation in Admidio's SSO module uses the AssertionConsumerServiceURL value directly from incoming SAML AuthnRequest messages as the destination for the SAML response, without validating it against the registered ACS URL (smc_acs_url) stored in the database for the corresponding service provider client. An attacker who knows the Entity ID of a registered SP client can craft a SAML AuthnRequest with an arbitrary AssertionConsumerServiceURL, causing the IdP to send the signed SAML response -- containing user identity attributes (login name, email, roles, profile fields) -- to an attacker-controlled URL. This issue has been patched in version 5.0.9.
- risk 0.53cvss 8.2epss 0.00
Admidio is an open-source user management solution. Prior to version 5.0.9, the Admidio SAML Identity Provider implementation discards the return value of its validateSignature() method at both call sites (handleSSORequest() line 418 and handleSLORequest() line 613). The method returns error strings on failure rather than throwing exceptions, but the developer believed it would throw (per comments on lines 416 and 611). This means the smc_require_auth_signed configuration option is completely ineffective — unsigned or invalidly-signed SAML AuthnRequests and LogoutRequests are processed identically to properly signed ones. This issue has been patched in version 5.0.9.
- risk 0.23cvss 3.5epss 0.00
Admidio is an open-source user management solution. Prior to version 5.0.9, several administrative operations in Admidio's preferences module (database backup, test email, htaccess generation) fire via GET requests with no CSRF token validation. Because SameSite=Lax cookies travel with top-level GET navigations, an attacker forces an authenticated admin to trigger these actions from a malicious page. This issue has been patched in version 5.0.9.
- risk 0.34cvss 5.2epss 0.00
Admidio is an open-source user management solution. Prior to version 5.0.9, Role::stopMembership() does not verify whether removing a user from the administrator role leaves zero administrators. The deprecated Membership::stopMembership() contains this safety check, but the current code path bypasses it. Any administrator can remove the last remaining other administrator, locking the entire system out of administrative access. The exploit does not require concurrent requests; sequential removals produce the same result. This issue has been patched in version 5.0.9.
- risk 0.40cvss 6.1epss 0.00
Admidio is an open-source user management solution. Prior to version 5.0.9, an unauthenticated attacker can execute arbitrary JavaScript in any Admidio user's browser through a reflected XSS in system/msg_window.php. The endpoint passes user input through htmlspecialchars(), which does not encode square brackets. A subsequent call to Language::prepareTextPlaceholders() converts those brackets into HTML angle brackets, producing executable markup. This issue has been patched in version 5.0.9.
- risk 0.46cvss 7.1epss 0.00
Admidio is an open-source user management solution. Prior to version 5.0.9, a logic error in Admidio's two-factor authentication reset inverts the authorization check. Non-admin users cannot remove their own TOTP configuration, but they can remove other users' TOTP, including administrators. A group leader with profile edit rights on an admin account can strip that admin's 2FA. This issue has been patched in version 5.0.9.
- risk 0.18cvss 2.7epss 0.00
Admidio is an open-source user management solution. Prior to version 5.0.9, the member assignment DataTables endpoint (members_assignment_data.php) includes hidden profile fields (BIRTHDAY, STREET, CITY, POSTCODE, COUNTRY) in its SQL search condition regardless of field visibility settings. While the JSON output correctly suppresses hidden columns via isVisible() checks, the server-side search operates at the SQL level before any visibility filtering. This allows a role leader with assign-only permissions to infer hidden PII values by observing which users appear in search results for specific values. This issue has been patched in version 5.0.9.
- risk 0.42cvss 6.5epss 0.00
Admidio is an open-source user management solution. Prior to version 5.0.9, the Admidio inventory module enforces authorization for destructive operations (delete, retire, reinstate) only in the UI layer by conditionally rendering buttons. The backend POST handlers at modules/inventory.php for item_delete, item_retire, item_reinstate, item_picture_upload, item_picture_save, and item_picture_delete perform CSRF validation but never check whether the requesting user is an inventory administrator. Any authenticated user who can access the inventory module can permanently delete any inventory item and all its associated data. This issue has been patched in version 5.0.9.
- risk 0.32cvss 4.9epss 0.00
Admidio is an open-source user management solution. Prior to version 5.0.9, the contacts_data.php endpoint uses a weaker permission check (isAdministratorUsers(), requiring only rol_edit_user=true) than the frontend UI (contacts.php) which correctly requires the stronger isAdministrator() (requiring rol_administrator=true) and the contacts_show_all system setting. A user manager who is not a full administrator can directly request contacts_data.php?mem_show_filter=3 to retrieve all user records across all organizations in the Admidio instance, bypassing multi-tenant organization isolation. This issue has been patched in version 5.0.9.
- risk 0.29cvss 4.5epss 0.00
Admidio is an open-source user management solution. Prior to version 5.0.9, the add mode in modules/documents-files.php accepts a name parameter validated only as 'string' type (HTML encoding), allowing path traversal characters (../) to pass through unfiltered. Combined with the absence of CSRF protection on this endpoint and SameSite=Lax session cookies, a low-privileged attacker can trick a documents administrator into clicking a crafted link that registers an arbitrary server file (e.g., install/config.php containing database credentials) into a documents folder accessible to the attacker. This issue has been patched in version 5.0.9.
- risk 0.42cvss 6.5epss 0.00
Admidio is an open-source user management solution. Prior to version 5.0.9, the ecard_preview.php endpoint does not validate that the ecard_template POST parameter is a safe filename before passing it to ECard::getEcardTemplate(). An authenticated user can supply a path traversal payload (e.g., ../config.php) to read arbitrary files accessible to the web server process, including adm_my_files/config.php which contains database credentials. This issue has been patched in version 5.0.9.
- risk 0.42cvss 7.5epss 0.04
NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.39, the queryParentSQL() function in the core database package constructs a recursive CTE query by joining nodeIds with string concatenation instead of using parameterized queries. The nodeIds array contains primary key values read from database rows. An attacker who can create a record with a malicious string primary key can inject arbitrary SQL when any subsequent request triggers recursive eager loading on that collection. This issue has been patched in version 2.0.39.
- risk 0.49cvss —epss 0.00
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. From version 0.26.0.0 to before version 0.31.7.0, a theme upload feature allows any authenticated backend user with theme-upload permission to achieve remote code execution (RCE) by uploading a crafted ZIP file. PHP files inside the ZIP are installed into the web-accessible public/ directory with no extension or content filtering, making them directly executable via HTTP. This issue has been patched in version 0.31.7.0.
- risk 0.61cvss —epss 0.00
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.5.0, ci4ms Theme::upload extracts user uploaded ZIP archives without validating entry names, allowing an authenticated backend user with the theme create permission to write files to arbitrary filesystem locations (Zip Slip) and achieve remote code execution by dropping a PHP file under the public web root. This issue has been patched in version 0.31.5.0.
- risk 0.61cvss —epss 0.00
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.5.0, ci4ms Backup::restore extracts user uploaded ZIP archives without validating entry names, allowing an authenticated backend user with the backup create permission to write files to arbitrary filesystem locations (Zip Slip) and achieve remote code execution by dropping a PHP file under the public web root. This issue has been patched in version 0.31.5.0.
- risk 0.59cvss 9.1epss 0.00
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. In version 0.31.4.0, an attacker can achieve Full Account Takeover & Privilege Escalation via Stored DOM XSS in backup module filename field manipulated via a sql file that tampers with the file name field to contain hidden XSS payload. This issue has been patched in version 0.31.5.0.
- risk 0.50cvss 8.8epss 0.00
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From versions 3.0.0 to before 3.2.9, 3.3.0 to before 3.3.11, and 3.4.0 to before 3.4.11, there is an integer overflow in ImageChannel::resize that leads to heap OOB write via OpenEXRUtil public API. This issue has been patched in versions 3.2.9, 3.3.11, and 3.4.11.
- risk 0.29, cvss 4.4, epss 0.00
When enabling trace logging in Spring Cloud Config Server, sensitive information was placed in plain text in the logs. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only). Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); upgrade to 4.1.10 or greater (Enterprise Support Only). Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); upgrade to 4.2.7 or greater (Enterprise Support Only). Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater. Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater.
- risk 0.47, cvss 7.2, epss 0.00
The base directory (`spring.cloud.config.server.git.basedir`) into which the Spring Cloud Config Server clones Git repositories is susceptible to time-of-check-time-of-use (TOCTOU) attacks. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only). Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); upgrade to 4.1.10 or greater (Enterprise Support Only). Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); upgrade to 4.2.7 or greater (Enterprise Support Only). Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater. Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater.
- risk 0.59, cvss 9.1, epss 0.00
Spring Cloud Config allows applications to serve arbitrary text and binary files through the spring-cloud-config-server module. A malicious user or attacker can send a request using a specially crafted URL that can lead to a directory traversal attack. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only). Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); upgrade to 4.1.10 or greater (Enterprise Support Only). Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); upgrade to 4.2.7 or greater (Enterprise Support Only). Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater. Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater.
- risk 0.49, cvss 7.5, epss 0.00
When using Google Secrets Manager as a backend for the Spring Cloud Config server, a client can craft a request to the config server that potentially exposes secrets from unintended GCP projects. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only). Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); upgrade to 4.1.10 or greater (Enterprise Support Only). Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); upgrade to 4.2.7 or greater (Enterprise Support Only). Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater. Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater.
- risk 0.36, cvss 5.5, epss 0.00
There exists an openssl.cnf privilege escalation vulnerability in ZTE Cloud PC client uSmartview. An attacker can execute arbitrary code locally and escalate privileges.
- risk 0.42, cvss 6.5, epss 0.00
The Appointment Booking Calendar plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.6.10.6. This is due to flawed authorization logic in the nonce_permissions_check() method combined with the public exposure of a site-wide reusable nonce. The plugin exposes a public_nonce value through the /wp-json/ssa/v1/embed-inner endpoint, which is accessible to unauthenticated users. The appointment deletion endpoints at /wp-json/ssa/v1/appointments/{id}/delete and /wp-json/ssa/v1/appointments/bulk use a permission check that accepts requests containing both an X-WP-Nonce header (with any arbitrary value) and an X-PUBLIC-Nonce header (with the valid public nonce). When the X-WP-Nonce validation fails, the function falls back to validating the X-PUBLIC-Nonce without properly rejecting the request. Since the public_nonce is exposed to all unauthenticated visitors and is site-wide (not user-specific or appointment-specific), attackers can obtain it and use it to view details of arbitrary appointments, including the public_edit_url, or delete arbitrary appointments by ID. This makes it possible for unauthenticated attackers to view, delete or modify any appointment in the system, disclosing sensitive appointment data, causing service disruption, and loss of booking records.
- risk 0.24, cvss 3.7, epss 0.00
Tor before 0.4.9.7 mishandles accounting of the conflux out-of-order queue during the clearing of a queue, aka TROVE-2026-010.
- risk 0.24, cvss 3.7, epss 0.00
Tor before 0.4.9.7 can attempt or accept BEGIN_DIR via conflux legs, aka TROVE-2026-008.
- risk 0.34, cvss 5.3, epss 0.00
The Forminator Forms plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.51.1. This is due to the `processRequest()` method in `Forminator_Admin_Module_Edit_Page` (admin/abstracts/class-admin-module-edit-page.php) dispatching sensitive module-management actions — including export, delete, clone, delete-entries, publish/draft, and bulk variants — after only a nonce check, without ever verifying that the current user holds the `manage_forminator_modules` capability. The nonce used (`forminator_form_request`) is unconditionally embedded in the global `forminatorData` JavaScript object and localized on every Forminator admin page, including Templates and Reports pages accessible to users who explicitly lack module-management permissions. Because `processRequest()` is invoked during the `admin_menu` action hook — which fires before WordPress enforces page-level capability checks — a user whose Forminator role is restricted to Templates or Reports can craft a valid POST request targeting any published module and successfully trigger the vulnerable actions. This makes it possible for authenticated attackers with subscriber-level access (or any custom low-privilege Forminator role) to export the complete internal configuration of arbitrary forms/polls/quizzes (including notification routing, integration credentials, and conditional logic), delete modules, delete all submissions/votes, clone modules, or bulk-change publish/draft status.
- risk 0.33, cvss 5.1, epss 0.00
ZTE ZX297520V3 BootROM contains a vulnerability that allows arbitrary memory writes via USB. Attackers can exploit the lack of target address validation in the USB download mode to write data to any location in BootROM runtime memory, thereby overwriting the stack, hijacking the execution flow, bypassing the Secure Boot signature verification mechanism, and achieving unauthorized code execution.
- risk 0.45, cvss —, epss —
## Summary

The free5GC UDM component fails to validate the `supi` path parameter in six GET handlers of the `nudm-sdm` (Subscriber Data Management) service. An unauthenticated attacker can inject control characters into the SUPI parameter, causing UDM to forward a malformed request to UDR and return a `500 Internal Server Error` response that exposes internal infrastructure details.

## Affected Package

- **Ecosystem**: Go
- **Package**: `github.com/free5gc/udm`
- **Affected versions**: `<= v1.4.2`
- **Patched versions**: none yet

## Details

The following handlers in `internal/sbi/api_subscriberdatamanagement.go` do not call `validator.IsValidSupi()` before passing the `supi` parameter to the processor:

- `HandleGetSmfSelectData` — `GET /:supi/smf-select-data`
- `HandleGetSupi` — `GET /:supi`
- `HandleGetTraceData` — `GET /:supi/trace-data`
- `HandleGetUeContextInSmfData` — `GET /:supi/ue-context-in-smf-data`
- `HandleGetNssai` — `GET /:supi/nssai`
- `HandleGetSmData` — `GET /:supi/sm-data`

By contrast, `HandleGetAmData` in the same file correctly validates the `supi` parameter:

```go
// HandleGetAmData — correctly validates (not vulnerable)
supi := c.Params.ByName("supi")
if !validator.IsValidSupi(supi) {
	c.JSON(http.StatusBadRequest, problemDetail)
	return
}

// HandleGetSmfSelectData — missing validation (vulnerable)
supi := c.Params.ByName("supi") // ← no validator.IsValidSupi(supi) call
s.Processor().GetSmfSelectDataProcedure(c, supi, plmnID, supportedFeatures)
```

The malformed `supi` is passed to the processor, which constructs a URL to forward the request to UDR. Go's `net/url` parser rejects the URL containing control characters and returns an error. UDM catches this error and responds with a `500 SYSTEM_FAILURE` that includes the full internal UDR URL in the `detail` field.

**This is a missed fix of CVE-2026-27642**, which applied the same `validator.IsValidSupi()` check only to `internal/sbi/api_ueauthentication.go` (`HandleConfirmAuth` and `HandleGenerateAuthData`), leaving the SDM service handlers unpatched.

## Proof of Concept

```bash
# Vulnerable — returns 500 with internal UDR URL exposed
curl "http://<UDM_HOST>/nudm-sdm/v2/imsi-22277%00INJECTED/smf-select-data"
curl "http://<UDM_HOST>/nudm-sdm/v2/imsi-22277%00INJECTED/nssai"
curl "http://<UDM_HOST>/nudm-sdm/v2/imsi-22277%00INJECTED/trace-data"
curl "http://<UDM_HOST>/nudm-sdm/v2/imsi-22277%00INJECTED/sm-data"

# Expected (vulnerable) response:
# HTTP 500
# {
#   "title": "System failure",
#   "status": 500,
#   "detail": "parse \"http://udr.internal:80/nudr-dr/v2/subscription-data/imsi-22277\x00INJECTED//provisioned-data/smf-selection-subscription-data\": net/url: invalid control character in URL",
#   "cause": "SYSTEM_FAILURE"
# }

# Protected endpoint (for comparison) — returns 400
curl "http://<UDM_HOST>/nudm-sdm/v2/imsi-22277%00INJECTED/am-data"
# HTTP 400
# {"title":"Malformed request syntax","status":400,"detail":"Supi is invalid","cause":"MANDATORY_IE_INCORRECT"}
```

## Impact

An unauthenticated remote attacker can send a crafted GET request to any of the six affected endpoints to obtain:

1. Internal UDR hostname and port
2. Full internal API path structure (`/nudr-dr/v2/subscription-data/...`)
3. UDR API version
4. Internal service naming convention

This information can be used to facilitate further attacks against the UDR or other internal 5G core components.

## Recommended Fix

Add `validator.IsValidSupi()` to all six affected handlers, following the pattern already used in `HandleGetAmData`:

```go
supi := c.Params.ByName("supi")
if !validator.IsValidSupi(supi) {
	problemDetail := models.ProblemDetails{
		Title:  "Malformed request syntax",
		Status: http.StatusBadRequest,
		Detail: "Supi is invalid",
		Cause:  "MANDATORY_IE_INCORRECT",
	}
	c.Set(sbi.IN_PB_DETAILS_CTX_STR, http.StatusText(int(problemDetail.Status)))
	c.JSON(int(problemDetail.Status), problemDetail)
	return
}
```
- CVE-2026-42328, May 7, 2026, risk 0.00, cvss —, epss —
The DAG-CBOR and DAG-JSON decoders recurse on each nested map or list without a depth limit. A payload containing deeply nested collections causes the decoder to recurse once per level, growing the goroutine stack until the Go runtime terminates the process with a fatal stack overflow (distinct from a recoverable panic). For DAG-CBOR, a payload of approximately 2 MB, consisting of repeated `0x81` (array-of-1) bytes followed by a terminator, produces around 2 million recursion frames and reliably exhausts Go's default 1 GB goroutine stack. The existing allocation budget does not prevent this: each nested collection header costs only a handful of budget units, so the stack is exhausted before the budget is. DAG-JSON has equivalent exposure via `[[[...]]]`-style payloads; it has no budget system and is therefore unprotected against recursion depth as well. Schema-free decoding (using `basicnode.Prototype.Any`) allows arbitrary nesting depth. Schema-bound decoding bounds nesting only when the schema itself is non-recursive and contains no fields typed as `Any`; schemas with recursive type references or any `Any`-typed fields permit unconstrained nesting at those points. The fix adds a configurable `MaxDepth` option to both decoders, defaulting to 1024 nested levels. The decoder returns `ErrDecodeDepthExceeded` when a payload nests beyond the limit. Well-formed IPLD data rarely approaches this depth in practice; the default is generous for legitimate use while preventing stack exhaustion.
- risk 0.38, cvss —, epss —
### Summary

PCF Npcf_SMPolicyControl missing authentication middleware allows unauthenticated access to SM policy handlers and disclosure of subscriber SUPI

### Details

In `NewServer()`, the `smPolicyGroup` route group is created and routes are applied without attaching the router authorization middleware. In contrast, other PCF service groups such as `Npcf_PolicyAuthorization` do attach `RouterAuthorizationCheck` before route registration.

Because the middleware is missing, requests to the following endpoints can reach business logic even when no valid OAuth token is provided:

- `POST /npcf-smpolicycontrol/v1/sm-policies`
- `GET /npcf-smpolicycontrol/v1/sm-policies/{smPolicyId}`
- `POST /npcf-smpolicycontrol/v1/sm-policies/{smPolicyId}/update`
- `POST /npcf-smpolicycontrol/v1/sm-policies/{smPolicyId}/delete`

This is visible at runtime because unauthenticated requests return business-level responses such as `400` or `404` instead of being rejected with `401` before handler execution. Under valid lab preconditions (existing UE/session context and related policy data), unauthenticated `POST /sm-policies` can succeed with `201`, and unauthenticated `GET /sm-policies/{id}` can succeed with `200` and return policy context containing subscriber identifiers including `supi`.

The root cause is missing router auth enforcement for `Npcf_SMPolicyControl`. Upstream also fixed this by adding `RouterAuthorizationCheck` to `smPolicyGroup` (and `uePolicyGroup`) in free5gc/pcf PR #63.

### PoC

1. Deploy free5GC with PCF reachable on the SBI network.
2. Use the PoC against the PCF service **without** an `Authorization` header:

```bash
go run /home/ubuntu/free5gc/tools/npcf-smpolicy-noauth-poc/main.go \
  --pcf-root /home/ubuntu/free5gc/NFs/pcf \
  --pcf-url http://10.100.200.9:8000 \
  --timeout 4s
```

Observe that unauthenticated requests to Npcf_SMPolicyControl return business responses instead of 401.

### Impact

This is an authentication/authorization bypass on a network-accessible SBI service. Any unauthenticated actor able to reach the PCF SBI interface can invoke Npcf_SMPolicyControl handlers directly.
- risk 0.07, cvss —, epss —
### Summary

The AMF in Free5GC v4.2.1 does not enforce the concurrent security procedure rules defined in 3GPP TS 33.501 §6.9.5.1. The AMF does not check for ongoing N2 handover procedures before initiating a NAS Security Mode Command, and vice versa. This can lead to mismatches between NAS and AS security contexts in the network and the UE.

### Details

**Vulnerability Type:** CWE-358 (Improperly Implemented Security Check for Standard)

**Affected File:** `internal/ngap/handler.go` — `handleHandoverRequiredMain()` and `internal/gmm/sm.go` — `SecurityMode()`

**Root Cause:**

3GPP TS 33.501 §6.9.5.1 states:

> "Concurrent runs of security procedures may, in certain situations, lead to mismatches between security contexts in the network and the UE. In order to avoid such mismatches, the following rules shall be adhered to:
> 1. AMF shall not initiate any of the N2 procedures including a new key towards a UE if a NAS Security Mode Command procedure is ongoing with the UE.
> 2. The AMF shall not initiate a NAS Security Mode Command towards a UE if one of the N2 procedures including a new key is ongoing with the UE."

Free5GC AMF uses an `OnGoing` state tracking mechanism (`SetOnGoing()`, `GetOnGoing()`) with `OnGoingProcedureN2Handover` type. However, the cross-procedure checks required by §6.9.5.1 are not implemented:

**Rule 2 violation:** `SecurityMode()` in `internal/gmm/sm.go` sends SMC on `EntryEvent` without checking if N2 handover is ongoing.

**Rule 1 violation:** `handleHandoverRequiredMain()` in `internal/ngap/handler.go` calls `SetOnGoing(OnGoingProcedureN2Handover)` without checking if SMC is ongoing.

**Why NH/NCC and SMC are related:** SMC activates a new KAMF, which changes the basis for NH key derivation. The N2 HandoverRequest includes NH/NCC derived from the old KAMF. If both procedures run concurrently, the target gNB and UE derive different KgNB keys, breaking AS security.

### PoC

**Source code evidence:**

Free5GC AMF `internal/gmm/sm.go` — `SecurityMode()`:

```go
func SecurityMode(state *fsm.State, event fsm.EventType, args fsm.ArgsType) {
	switch event {
	case fsm.EntryEvent:
		// No check for OnGoing N2 procedure
		// Directly proceeds to SMC
```

Free5GC AMF `internal/ngap/handler.go` — `handleHandoverRequiredMain()`:

```go
amfUe.SetOnGoing(sourceUe.Ran.AnType, &context.OnGoing{
	Procedure: context.OnGoingProcedureN2Handover,
})
// No check for ongoing SMC before setting N2
```

**Packet Evidence (pcap available):**

| Packet | Time | Message | Description |
|--------|------|---------|-------------|
| #1 | 0.000s | HandoverRequired | gNB_A requests handover |
| #18 | 0.002s | **HandoverRequest** | **N2 started (NH/NCC included)** |
| | | *(no response from gNB_B)* | **N2 ongoing** |
| #28 | 2.062s | Registration request | UE re-registers (same SUPI) |
| #63 | 2.069s | Authentication request | |
| #64 | 2.070s | Authentication response | |
| #71 | 2.072s | **Security mode command** | **SMC during N2 ongoing = Rule 2 violation** |

[NGAPHandover-N2-SMC-Concurrent.zip](https://github.com/user-attachments/files/26735421/NGAPHandover-N2-SMC-Concurrent.zip)

### Impact

**Integrity (MEDIUM):** Concurrent NAS and AS security procedures can cause security context mismatches between UE, AMF, and gNB. The SMC activates a new KAMF while the N2 HandoverRequest carries NH/NCC derived from the old KAMF, resulting in KgNB derivation mismatch.

**Availability (LOW):** Security context mismatch may cause handover failure or security verification failures.
- CVE-2026-42081, May 7, 2026, risk 0.00, cvss —, epss —
### Summary

The AMF in Free5GC v4.2.1 does not verify the UE Security Capabilities received in NGAP PathSwitchRequest messages against its locally stored values, as mandated by 3GPP TS 33.501 §6.7.3.1. A malicious gNB can overwrite the AMF's stored UE security capabilities with arbitrary values, which are then propagated in PathSwitchRequest Acknowledge messages and subsequent Handover Request messages. This leads to persistent handover denial-of-service for affected UEs.

### Details

**Affected File:** `amf/internal/ngap/handler.go` — `handlePathSwitchRequestMain` function

**Root Cause:**

When the AMF receives a PathSwitchRequest during an Xn-handover, it processes the UESecurityCapabilities IE by directly overwriting the stored values without comparing them to the previously stored capabilities:

```go
if uESecurityCapabilities != nil {
	amfUe.UESecurityCapability.SetEA1_128_5G(uESecurityCapabilities.NRencryptionAlgorithms.Value.Bytes[0] & 0x80)
	amfUe.UESecurityCapability.SetEA2_128_5G(uESecurityCapabilities.NRencryptionAlgorithms.Value.Bytes[0] & 0x40)
	amfUe.UESecurityCapability.SetEA3_128_5G(uESecurityCapabilities.NRencryptionAlgorithms.Value.Bytes[0] & 0x20)
	amfUe.UESecurityCapability.SetIA1_128_5G(uESecurityCapabilities.NRintegrityProtectionAlgorithms.Value.Bytes[0] & 0x80)
	amfUe.UESecurityCapability.SetIA2_128_5G(uESecurityCapabilities.NRintegrityProtectionAlgorithms.Value.Bytes[0] & 0x40)
	amfUe.UESecurityCapability.SetIA3_128_5G(uESecurityCapabilities.NRintegrityProtectionAlgorithms.Value.Bytes[0] & 0x20)
}
```

**3GPP TS 33.501 §6.7.3.1 requires three actions, none of which are implemented:**

1. **Verification (SHALL):** "The AMF shall verify that the UE's 5G security capabilities received from the target gNB/ng-eNB are the same as the UE's 5G security capabilities that the AMF has locally stored." → Not implemented. The AMF unconditionally overwrites stored values.
2. **Correction (SHALL):** "If there is a mismatch, the AMF shall send its locally stored 5G security capabilities of the UE to the target gNB/ng-eNB in the Path-Switch Acknowledge message." → Not implemented. The PathSwitchRequestAcknowledge contains the corrupted values.
3. **Logging (SHALL):** "The AMF shall support logging capabilities for this event and may take additional measures, such as raising an alarm." → Not implemented. No mismatch detection or logging exists.

**Propagation:** The corrupted values are propagated in:

- **PathSwitchRequestAcknowledge:** Contains corrupted UESecurityCapabilities (demonstrated in pcap)
- **Subsequent HandoverRequest messages:** AMF sends corrupted capabilities to target gNBs

Per TS 38.413 §8.4.2.4, if the supported algorithms in the UE Security Capabilities do not match any allowed algorithms configured in the target gNB, the target gNB is required to reject the procedure using a HANDOVER FAILURE message.

### PoC

**Environment:**

- Free5GC v4.2.1 AMF (Docker container) with full NF stack (NRF, AUSF, UDM, UDR, NSSF, PCF, SMF, UPF)
- UERANSIM v3.2.7 gNB with custom inspection-tool extension
- tshark for packet capture

**Reproduction Steps:**

1. Start Free5GC full stack and register a UE through a gNB (NG Setup → Registration → PDU Session Setup).
2. Send a normal HandoverRequired from the gNB. Capture the resulting HandoverRequest from the AMF and confirm `nRintegrityProtectionAlgorithms = 0xe000` (NIA1, NIA2, NIA3 all supported). This is the baseline.
3. Send a PathSwitchRequest with `nRintegrityProtectionAlgorithms = 0x0000` (all integrity algorithms set to not supported). The AMF responds with PathSwitchRequestAcknowledge.
4. Observe that the PathSwitchRequestAcknowledge contains `nRintegrityProtectionAlgorithms = 0x0000` — the corrupted values are propagated back.

**Observed Result (from pcap capture):**

| Packet | Message | nRintegrityProtectionAlgorithms |
|--------|---------|-------------------------------|
| #20 | HandoverRequest (AMF→gNB) | `0xe000` (NIA1 ✓ NIA2 ✓ NIA3 ✓) — **baseline** |
| #30 | PathSwitchRequest (gNB→AMF) | `0x0000` — **poison** |
| #47 | PathSwitchRequestAcknowledge (AMF→gNB) | `0x0000` (NIA1 ✗ NIA2 ✗ NIA3 ✗) — **corrupted** |

### Impact

**Availability (HIGH):** A malicious gNB can send a single PathSwitchRequest message to corrupt the AMF's stored UE security capabilities for any UE. All subsequent inter-gNB handovers for the affected UE are expected to fail (per TS 38.413 §8.4.2.4), resulting in denial-of-service that persists until the UE performs a new registration.

**Integrity (LOW):** The AMF's internal UE security context is corrupted with attacker-controlled values. These corrupted values are propagated to other network elements via PathSwitchRequestAcknowledge and HandoverRequest messages.

**Who is impacted:** Any deployment using Free5GC as the AMF where a gNB could be compromised or where untrusted gNBs exist (e.g., O-RAN multi-vendor deployments).
- risk 0.24, cvss 3.7, epss 0.00
Tor before 0.4.9.7 has an out-of-bounds read when an END, a TRUNCATE, or a TRUNCATED cell lacks a reason in its payload, aka TROVE-2026-011.
- risk 0.45, cvss —, epss —
### Summary

A single unauthenticated `GET` to any `/scim/v1/...` endpoint with a `?filter=` query string of a few thousand nested parentheses (≈ 4–12 KB) drives the recursive-descent PEG parser past the worker thread's stack guard page. Rust responds to stack overflow with `std::process::abort()` — the entire `kanidmd` process exits. The parse runs inside axum's `Query<ScimEntryGetQuery>` extractor, before any handler body and therefore before any ACL check.

### Details

The SCIM filter grammar recurses on `(` and `not (` with no depth bound.

**`proto/src/scim_v1/mod.rs:263-433`** — `peg::parser! { grammar scimfilter() ... }`:

```rust
// line 281
"not" separator()+ "(" e:parse() ")" { ScimFilter::Not(Box::new(e)) }
// line 293
"(" e:parse() ")" { e }
```

Both rules re-enter `parse()` without a depth counter.

**`proto/src/scim_v1/mod.rs:442-447`** — `impl FromStr for ScimFilter` calls `scimfilter::parse(input)` directly on the raw string with no length or depth pre-check.

**`proto/src/scim_v1/mod.rs:80-81`** — `ScimEntryGetQuery.filter` is `#[serde_as(as = "Option<DisplayFromStr>")]`, so deserialising the query struct invokes `ScimFilter::from_str` on attacker bytes.

**Unauthenticated reachability** — nine handlers in `server/core/src/https/v1_scim.rs` (route table at lines 865-1029) take `Query<ScimEntryGetQuery>` as an argument: `/scim/v1/Entry`, `/scim/v1/Entry/{id}`, `/scim/v1/Person/{id}`, `/scim/v1/Application`, `/scim/v1/Application/{id}`, `/scim/v1/Class`, `/scim/v1/Attribute`, `/scim/v1/Message`, `/scim/v1/Message/{id}`. The SCIM router is merged unconditionally for every server role (`server/core/src/https/mod.rs:312`). Axum extracts handler arguments before the handler body runs. The preceding `VerifiedClientInformation` extractor (`server/core/src/https/extractors/mod.rs:16-91`) always returns `Ok` (line 89) regardless of credentials; authorization is deferred to the handler body, which is never reached.

The existing semantic depth limit (`DEFAULT_LIMIT_FILTER_DEPTH_MAX = 12`, `server/lib/src/constants/mod.rs:212`) is enforced in `Filter::from_scim_ro` (`server/lib/src/filter.rs:786`) **after** the PEG parse has already produced an AST, so it cannot prevent the parser itself from blowing the stack.

The production daemon (`server/daemon/src/main.rs:735-744`) uses `new_multi_thread()` with default 2 MiB worker stacks; hyper's `max_buf_size` (~400 KiB) is not lowered (`server/core/src/https/mod.rs:708-727`), so a 12 KB URI is accepted.

An identical unbounded grammar exists in `libs/scim_proto/src/filter.rs:112-276` (not network-reachable, but should be fixed in the same patch).

### PoC

```sh
curl -sk "https://idm.example.com/scim/v1/Application?filter=$(python3 -c 'print("("*3000+"a+pr"+")"*3000)')"
# → curl: (52) Empty reply from server
# → server journal: "fatal runtime error: stack overflow, aborting", SIGABRT
```

Release-build threshold measured at ~2 000 nesting levels / ~4 KB:

```
$ cargo test --release -p kanidm_proto --test scim_filter_depth -- --nocapture
parens depth=1500 len=3004 -> survived
parens depth=2000 len=4004
thread 'audit_scim_filter_nested_parens' has overflowed its stack
fatal runtime error: stack overflow, aborting
(signal: 6, SIGABRT: process abort signal)
```

End-to-end against an in-process server via `kanidmd_testkit` (no authentication performed):

```
Testkit server setup complete - http://localhost:18080/
audit_scim_dos: sending unauthenticated GET, url len = 12056
thread '...' has overflowed its stack
fatal runtime error: stack overflow, aborting
(signal: 6, SIGABRT: process abort signal)
```

### Impact

Process-wide availability loss; no confidentiality or integrity impact.

- **Unauthenticated**, default install, no feature flag required.
- **Process abort, not task panic.** Stack overflow triggers libstd's guard-page handler, which calls `std::process::abort()`. tokio's per-task `catch_unwind` isolation does not apply to aborts. All in-flight HTTP requests, OAuth2/OIDC sessions, LDAP binds, and the web UI are terminated.
- **Repeatable.** One ~12 KB GET per crash; a `while true; do curl ...; done` loop holds the service down indefinitely across supervisor restarts.
- The 6 011-byte variant (`depth=3000`) fits under the nginx default `large_client_header_buffers` limit of 8 KB, so a typical reverse proxy does not mitigate.

**Affected**: v1.7.0 through `master` @ edf50b9da.
- CVE-2026-6278, May 6, 2026, risk 0.00, cvss —, epss —
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
- risk 0.27, cvss 5.3, epss 0.00
OpenTelemetry.Exporter.OneCollector is a .NET exporter that sends telemetry to a OneCollector back-end over HTTP. In versions 1.15.0 and earlier, when a request to the configured back-end or collector results in an unsuccessful HTTP 4xx or 5xx response, the HttpJsonPostTransport class reads the entire response body into memory with no upper bound on the number of bytes consumed in order to include the error response in operator logs. An attacker who controls the configured endpoint, or who can intercept traffic to it via a man-in-the-middle attack, can return an arbitrarily large response body. This causes unbounded heap allocation in the consuming process, leading to high transient memory pressure, garbage-collection stalls, or an OutOfMemoryException that terminates the process. As a workaround, use network-level controls such as firewall rules, mTLS, or a service mesh to prevent man-in-the-middle attacks on the configured back-end or collector endpoint. This issue is fixed in version 1.15.1, which limits the number of bytes read from the response body in an error condition to 4 MiB.
- risk 0.31, cvss 5.9, epss 0.00
OpenTelemetry.Resources.Azure is the .NET resource detector for Azure environments. In versions 1.15.0-beta.1 and earlier, the AzureVmMetaDataRequestor class makes HTTP requests to the Azure VM instance metadata service and reads the response body into memory without any size limit. An attacker who controls the configured endpoint, or who can intercept traffic to it via a man-in-the-middle attack, can return an arbitrarily large response body. This causes unbounded heap allocation in the consuming process, leading to high transient memory pressure, garbage-collection stalls, or an OutOfMemoryException that terminates the process. As a workaround, disable the Azure VM resource detector or use network-level controls such as firewall rules, mTLS, or a service mesh to prevent man-in-the-middle attacks on the Azure VM instance metadata endpoint. This issue is fixed in version 1.15.1-beta.1, which streams responses rather than buffering them entirely in memory and ignores responses larger than 4 MiB.
- risk 0.34, cvss 5.3, epss 0.00
Netty allows request-line validation to be bypassed when a `DefaultHttpRequest` or `DefaultFullHttpRequest` is created first and its URI is later changed via `setUri()`. The constructors reject CRLF and whitespace characters that would break the start-line, but `setUri()` does not apply the same validation. `HttpRequestEncoder` and `RtspEncoder` then write the URI into the request line verbatim. If attacker-controlled input reaches `setUri()`, this enables CRLF injection and insertion of additional HTTP or RTSP requests, leading to HTTP request smuggling or desynchronization on the HTTP side and request injection on the RTSP side. This issue is fixed in versions 4.2.13.Final and 4.1.133.Final.
- risk 0.27, cvss 5.3, epss 0.00
OpenTelemetry.Exporter.Zipkin is the .NET Zipkin exporter for OpenTelemetry. In versions 1.15.2 and earlier, the Zipkin exporter remote endpoint cache accepts unbounded key growth derived from span attributes. In high-cardinality scenarios, a process using Zipkin export for client or producer spans could experience avoidable memory growth under sustained unique remote endpoint values, increasing process memory usage over time and degrading availability. This issue is fixed in version 1.15.3, which introduces a bounded, thread-safe LRU cache for remote endpoints with a fixed maximum size.
- risk 0.35, cvss 5.4, epss 0.00
PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. The HTML writer skips htmlspecialchars escaping when a cell's formatted value differs from the original value. When a cell has a custom number format containing the text placeholder @ along with any additional literal characters (for example ". @", "@ ", or "x@"), the formatter replaces @ with the cell value and adds the extra characters, causing the formatted value to differ from the original and bypassing HTML escaping entirely. An attacker who can control the cell value and number format of an uploaded spreadsheet that is later converted to HTML and displayed to other users can achieve stored cross-site scripting. This issue is fixed in versions 5.7.0, 3.10.5, 2.4.5, 2.1.16, and 1.30.4.
- risk 0.36, cvss 5.5, epss 0.00
Samsung Print Service Plugin for Android is potentially vulnerable to information disclosure when using an outdated version of the application via mobile devices. HP is releasing updates to mitigate these potential vulnerabilities.
- risk 0.34, cvss —, epss 0.00
Masa CMS is affected by an Open Redirect vulnerability due to improper handling of scheme-relative URLs. The application incorrectly interprets paths beginning with double slashes (//) as internal paths and processes them without confirming that the redirect target remains on the local site. An attacker can craft a URL on the trusted Masa CMS domain that redirects a victim to an external attacker-controlled site. This can be used for phishing and, in some authentication flows, may expose tokens or other sensitive data to the external site. This issue has been fixed in versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3. As a workaround, reject or rewrite redirect parameters that begin with // and consider disabling forceDirectoryStructure if compatible with the deployment.
- risk 0.58, cvss 10.0, epss 0.00
Gotenberg is a Docker-powered stateless API for PDF files. In versions 8.30.1 and earlier, the metadata write endpoint validates metadata keys for control characters but leaves metadata values unsanitized. A newline character in a metadata value splits the ExifTool stdin line into two separate arguments, allowing injection of arbitrary ExifTool pseudo-tags such as -FileName, -Directory, -SymLink, and -HardLink. This is a bypass of the incomplete key-sanitization fix introduced in v8.30.1. An unauthenticated attacker can rename or move any PDF being processed to an arbitrary path in the container filesystem, overwrite arbitrary files, or create symlinks and hard links at arbitrary paths.