All versions of package com.jsoniter:jsoniter are vulnerable to Deserialization of Untrusted Data via malicious JSON strings. This may lead to a Denial of Service, and in certain cases, code execution.

所有版本的包 com.jsoniter: jsoniter 都很容易通过恶意的 JSON 字符串反序列化不可信数据。这可能导致一个分布式拒绝服务攻击，在某些情况下，代码执行。

arch/mips/net/bpf_jit.c in the Linux kernel through 5.14.6 can generate undesirable machine code when transforming unprivileged cBPF programs, allowing execution of arbitrary code within the kernel context. This occurs because conditional branches can exceed the 128 KB limit of the MIPS architecture.

通过5.14.6在 Linux 内核中转换非特权 cBPF 程序时，arch/mips/net/bpf _ jit.c 可能会生成不希望的机器代码，从而允许在内核上下文中执行任意代码。出现这种情况是因为条件分支可能超过 MIPS架构分支的128kb 限制。

All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.

2.2.3和2.1.7之前的所有版本的 Apache Santuario-XML Security for Java 都容易出现“ secureValidation”属性在从 KeyInfoReference 元素创建 KeyInfo 时没有正确传递的问题。这允许攻击者滥用 XPath 转换来提取任何本地信息。元素中的 xml 文件。

loop_rw_iter in fs/io_uring.c in the Linux kernel 5.10 through 5.14.6 allows local users to gain privileges by using IORING_OP_PROVIDE_BUFFERS to trigger a free of a kernel buffer, as demonstrated by using /proc/<pid>/maps for exploitation.

Linux 内核5.10到5.14.6中的 fs/io _ uri.c 中的 loop _ rw _ iter 允许本地用户通过使用 IORING _ op _ prof _ buffers 触发一个没有内核缓冲区的特权，正如使用/proc/< pid >/maps 进行开发所证明的那样。

A path traversal vulnerability on Pardus Software Center's "extractArchive" function could allow anyone on the same network to do a man-in-the-middle and write files on the system.

Pardus 软件中心的“ extractArchive”功能中的路径遍历漏洞允许同一网络上的任何人在系统上执行中间人操作和写文件。

Teleport before 4.4.11, 5.x before 5.2.4, 6.x before 6.2.12, and 7.x before 7.1.1 allows forgery of SSH host certificates in some situations.

在4.4.11之前、5. x 在5.2.4之前、6. x 在6.2.12之前和7.1.1之前传送允许在某些情况下伪造 SSH 主机证书。

Teleport before 4.4.11, 5.x before 5.2.4, 6.x before 6.2.12, and 7.x before 7.1.1 allows alteration of build artifacts in some situations.

在4.4.11之前传送，在5.2.4之前传送5. x，在6.2.12之前传送6. x，在7.1.1之前传送7. x 允许在某些情况下改变构建工件。

Teleport before 6.2.12 and 7.x before 7.1.1 allows attackers to control a database connection string, in some situations, via a crafted database name or username.

在6.2.12和7.1.1之前的传送允许攻击者控制数据库连接字符串，在某些情况下，通过精心设计的数据库名称或用户名。

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.

* * 拒绝 * * 不要使用此候选人编号。没有。原因: 这位候选人被其 CNA 撤回。进一步的调查表明，这不是一个安全问题。注释: 无。

An issue was discovered in CMS Made Simple 2.2.8. It is possible to achieve unauthenticated path traversal in the CGExtensions module (in the file action.setdefaulttemplate.php) with the m1_filename parameter; and through the action.showmessage.php file, it is possible to read arbitrary file content (by using that path traversal with m1_prefname set to cg_errormsg and m1_resettodefault=1).

在 CMS Made Simple 2.2.8中发现了一个问题。可以使用 m1 _ filename 参数在 CGExtensions 模块(在文件 action.setdefaulttemplate.php 中)中实现未经身份验证的路径遍历; 通过 action.showmessage.php 文件，可以读取任意文件内容(通过使用将 m1 _ prefname 设置为 cg _ errormsg 和 m1 _ resettodefault = 1的路径遍历)。

A Denial of Service vulnerability has been identified in FlexNet Publisher's lmadmin.exe version 11.16.6. A certain message protocol can be exploited to cause lmadmin to crash.

在 FlexNet Publisher 的 lmadmin.exe 版本11.16.6中，已经发现了一个分布式拒绝服务攻击安全漏洞。可以利用某个消息协议导致 lmadmin 崩溃。

A stored cross-site scripting issue impacts certain areas of the Web UI for Code Insight v7.x releases up to and including 2020 R1 (7.11.0-64).

存储的跨网站脚本问题会影响代码 Insight v7. x 版本的 Web UI 的某些区域，直到2020 R1(7.11.0-64)。

An elevated privileges issue related to Spring MVC calls impacts Code Insight v7.x releases up to and including 2020 R1 (7.11.0-64).

与 Spring MVC 调用相关的升级特权问题影响了 Code Insight v7.x 的发布，直到2020 R1(7.11.0-64)。

Libsixel 1.8.2 contains a heap-based buffer overflow in the dither_func_fs function in tosixel.c.

Libsixel 1.8.2在 tosixel.c 中的 dither _ func _ fs 函数中包含一个基于堆的缓冲区溢出。

Libsixel 1.8.3 contains a heap-based buffer overflow in the sixel_encode_highcolor function in tosixel.c.

Libsixel 1.8.3包含 sixel _ encode _ highcolor 函数中的基于堆的缓冲区溢出(tosixel.c)。

This affects all versions of package @cookiex/deep. The global proto object can be polluted using the __proto__ object.

这会影响 package@cookiex/deep 的所有版本。

XML Entity Expansion injection vulnerability in McAfee Endpoint Security (ENS) for Windows prior to 10.7.0 September 2021 Update allows a local user to initiate high CPU and memory consumption resulting in a Denial of Service attack through carefully editing the EPDeploy.xml file and then executing the setup process.

2021年9月10日7.0之前，McAfee 终端安全中的 XML 实体扩展注入漏洞允许本地用户通过仔细编辑 epdeploy.XML 文件，然后执行安装过程来启动高 CPU 和内存消耗，从而导致分布式拒绝服务攻击攻击。

Improper privileges management vulnerability in McAfee Endpoint Security (ENS) Windows prior to 10.7.0 September 2021 Update allows local users to access files which they would otherwise not have access to via manipulating junction links to redirect McAfee folder operations to an unintended location.

2021年9月10日7.0之前的 McAfee 终端安全系统中的不当权限管理漏洞允许本地用户通过操纵连接链接访问原本无法访问的文件，将 McAfee 的文件夹操作重定向到一个非预期的位置。

A buffer overflow vulnerability in McAfee Data Loss Prevention (DLP) Endpoint for Windows prior to 11.6.200 allows a local attacker to execute arbitrary code with elevated privileges through placing carefully constructed Ami Pro (.sam) files onto the local system and triggering a DLP Endpoint scan through accessing a file. This is caused by the destination buffer being of fixed size and incorrect checks being made on the source size.

McAfee Data Loss Prevention (DLP) Endpoint for Windows 在11.6.200之前有一个缓冲区溢出漏洞，允许本地攻击者通过放置精心构造的 Ami Pro (。Sam)文件到本地系统，并通过访问文件触发 DLP 端点扫描。这是由于目标缓冲区的大小是固定的，并且对源大小进行了不正确的检查。

A buffer overflow vulnerability in McAfee Data Loss Prevention (DLP) Discover prior to 11.6.100 allows an attacker in the same network as the DLP Discover to execute arbitrary code through placing carefully constructed Ami Pro (.sam) files onto a machine and having DLP Discover scan it, leading to remote code execution with elevated privileges. This is caused by the destination buffer being of fixed size and incorrect checks being made on the source size.

McAfee Data Loss Prevention (DLP) Discover 在11.6.100之前发现了一个缓冲区溢出漏洞，允许与 DLP Discover 处于同一网络的攻击者通过放置精心构造的 Ami Pro (来执行任意代码。Sam)文件到机器上，然后让 DLP 发现扫描它，从而使远程代码执行具有更高的权限。这是由于目标缓冲区的大小是固定的，并且对源大小进行了不正确的检查。

Improper input validation in the National Instruments NI-PAL driver in versions 20.0.0 and prior may allow a privileged user to potentially enable escalation of privilege via local access.

在 National Instruments NI-PAL 驱动程序的20.0.0版本和更早版本中，不正确的输入验证可能允许特权用户通过本地访问潜在地升级特权。

Delta Electronic DOPSoft 2 (Version 2.00.07 and prior) lacks proper validation of user-supplied data when parsing specific project files. This could lead to a stack-based buffer overflow while trying to copy to a buffer during font string handling. An attacker could leverage this vulnerability to execute code in the context of the current process.

Delta Electronic DOPSoft 2(Version 2.00.07及以前版本)在解析特定项目文件时缺乏对用户提供的数据的适当验证。这可能导致在字体字符串处理期间试图复制到缓冲区时出现基于堆栈的缓冲区溢出。攻击者可以利用此漏洞在当前进程的上下文中执行代码。

Delta Electronic DOPSoft 2 (Version 2.00.07 and prior) lacks proper validation of user-supplied data when parsing specific project files. This could result in a heap-based buffer overflow. An attacker could leverage this vulnerability to execute code in the context of the current process.

Delta Electronic DOPSoft 2(Version 2.00.07及以前版本)在解析特定项目文件时缺乏对用户提供的数据的适当验证。这可能导致基于堆的缓冲区溢出。攻击者可以利用此漏洞在当前进程的上下文中执行代码。

Delta Electronic DOPSoft 2 (Version 2.00.07 and prior) lacks proper validation of user-supplied data when parsing specific project files. This could result in multiple out-of-bounds write instances. An attacker could leverage this vulnerability to execute code in the context of the current process.

Delta Electronic DOPSoft 2(Version 2.00.07及以前版本)在解析特定项目文件时缺乏对用户提供的数据的适当验证。这可能导致多个出界写实例。攻击者可以利用此漏洞在当前进程的上下文中执行代码。

Properly formatted POST requests to multiple resources on the HTTP and HTTPS web servers of the Digi PortServer TS 16 Rack device do not require authentication or authentication tokens. This vulnerability could allow an attacker to enable the SNMP service and manipulate the community strings to achieve further control in.

对 Digi PortServer TS 16 Rack 设备的 HTTP 和 HTTPS web 服务器上的多个资源适当格式化的 POST 请求不需要身份验证或身份验证令牌。这个漏洞可能允许攻击者启用 SNMP 服务并操作社区字符串以实现对。

Wasmtime is an open source runtime for WebAssembly & WASI. In Wasmtime from version 0.19.0 and before version 0.30.0 there was a use-after-free bug when passing `externref`s from the host to guest Wasm content. To trigger the bug, you have to explicitly pass multiple `externref`s from the host to a Wasm instance at the same time, either by passing multiple `externref`s as arguments from host code to a Wasm function, or returning multiple `externref`s to Wasm from a multi-value return function defined in the host. If you do not have host code that matches one of these shapes, then you are not impacted. If Wasmtime's `VMExternRefActivationsTable` became filled to capacity after passing the first `externref` in, then passing in the second `externref` could trigger a garbage collection. However the first `externref` is not rooted until we pass control to Wasm, and therefore could be reclaimed by the collector if nothing else was holding a reference to it or otherwise keeping it alive. Then, when control was passed to Wasm after the garbage collection, Wasm could use the first `externref`, which at this point has already been freed. We have reason to believe that the effective impact of this bug is relatively small because usage of `externref` is currently quite rare. The bug has been fixed, and users should upgrade to Wasmtime 0.30.0. If you cannot upgrade Wasmtime yet, you can avoid the bug by disabling reference types support in Wasmtime by passing `false` to `wasmtime::Config::wasm_reference_types`.

是 WebAssembly 和 WASI 的开源运行时。在0.19.0版和0.30.0版之前的 Wasmtime 中，在从主机向客户 Wasm 内容传递‘ externref’时出现了一个 use-after-free bug。要触发这个 bug，你必须同时显式地将多个‘ externref’从主机传递给一个 Wasm 实例，要么将多个‘ externref’作为参数从主机代码传递给一个 Wasm 函数，要么从主机定义的多值返回函数返回多个‘ externref’到 Wasm。如果没有匹配这些形状之一的主机代码，则不会受到影响。如果 Wasmtime 的‘ vmexternrefacationstable’在传入第一个‘ externref’之后被填满，那么传入第二个‘ externref’可能会触发垃圾收集。然而，第一个‘ externref’在我们将控制权传递给 Wasm 之前并不是根，因此如果没有其他任何东西保存对它的引用或保持它的活动，收集器可以回收它。然后，在垃圾收集之后将控制权传递给 Wasm 时，Wasm 可以使用第一个‘ externref’，此时它已经被释放了。我们有理由相信这个 bug 的有效影响相对较小，因为使用‘ externref’目前相当罕见。这个 bug 已经修复，用户应该升级到 Wasmtime 0.30.0。如果你还不能升级 Wasmtime，你可以通过传递‘ false’到‘ Wasmtime: : Config: : wasm/reference/types’来禁用 Wasmtime 的引用类型支持来避免这个 bug。

Wasmtime is an open source runtime for WebAssembly & WASI. In Wasmtime from version 0.26.0 and before version 0.30.0 is affected by a memory unsoundness vulnerability. There was an invalid free and out-of-bounds read and write bug when running Wasm that uses `externref`s in Wasmtime. To trigger this bug, Wasmtime needs to be running Wasm that uses `externref`s, the host creates non-null `externrefs`, Wasmtime performs a garbage collection (GC), and there has to be a Wasm frame on the stack that is at a GC safepoint where there are no live references at this safepoint, and there is a safepoint with live references earlier in this frame's function. Under this scenario, Wasmtime would incorrectly use the GC stack map for the safepoint from earlier in the function instead of the empty safepoint. This would result in Wasmtime treating arbitrary stack slots as `externref`s that needed to be rooted for GC. At the *next* GC, it would be determined that nothing was referencing these bogus `externref`s (because nothing could ever reference them, because they are not really `externref`s) and then Wasmtime would deallocate them and run `<ExternRef as Drop>::drop` on them. This results in a free of memory that is not necessarily on the heap (and shouldn't be freed at this moment even if it was), as well as potential out-of-bounds reads and writes. Even though support for `externref`s (via the reference types proposal) is enabled by default, unless you are creating non-null `externref`s in your host code or explicitly triggering GCs, you cannot be affected by this bug. We have reason to believe that the effective impact of this bug is relatively small because usage of `externref` is currently quite rare. This bug has been patched and users should upgrade to Wasmtime version 0.30.0. If you cannot upgrade Wasmtime at this time, you can avoid this bug by disabling the reference types proposal by passing `false` to `wasmtime::Config::wasm_reference_types`.

是 WebAssembly 和 WASI 的开源运行时。在0.26.0版本和0.30.0版本之前的 Wasmtime 中，受到了内存不健全漏洞的影响。在 Wasmtime 运行使用‘ externref’的 Wasm 时出现了无效的自由和超出界限的读写错误。为了触发这个 bug，Wasmtime 需要运行使用‘ externref’的 Wasm，主机创建非空的‘ externrefs’，Wasmtime 执行垃圾收集(GC) ，并且堆栈上必须有一个位于 GC 安全点的 Wasm 框架，在这个安全点没有活动引用，并且在这个框架的函数的前面有一个带活动引用的安全点。在这种情况下，Wasmtime 将不正确地使用函数前面的 GC 堆栈映射作为安全点，而不是空的安全点。这将导致 Wasmtime 将任意堆栈槽视为‘ externref’，需要根植于 GC。在 * next * GC 中，将确定没有任何东西引用这些虚假的‘ externref’(因为没有任何东西可以引用它们，因为它们不是真正的‘ externref’) ，然后 Wasmtime 将释放它们并对它们运行‘ < externref as drop > : drop’。这将导致内存不一定在堆上(即使在堆上也不应该在此时释放) ，以及潜在的超出界限的读写操作。即使默认情况下支持‘ externref’s (通过引用类型提案) ，除非您在主机代码中创建非空‘ externref’或显式触发 gc，否则不会受到这个 bug 的影响。我们有理由相信这个 bug 的有效影响相对较小，因为使用‘ externref’目前相当罕见。这个 bug 已经被修复，用户应该升级到 Wasmtime 版本0.30.0。如果你现在不能升级 Wasmtime，你可以通过传递‘ false’到‘ Wasmtime: : Config: : wasm _ reference _ types’来禁用引用类型 proposal 来避免这个 bug。

Wasmtime is an open source runtime for WebAssembly & WASI. Wasmtime before version 0.30.0 is affected by a type confusion vulnerability. As a Rust library the `wasmtime` crate clearly marks which functions are safe and which are `unsafe`, guaranteeing that if consumers never use `unsafe` then it should not be possible to have memory unsafety issues in their embeddings of Wasmtime. An issue was discovered in the safe API of `Linker::func_*` APIs. These APIs were previously not sound when one `Engine` was used to create the `Linker` and then a different `Engine` was used to create a `Store` and then the `Linker` was used to instantiate a module into that `Store`. Cross-`Engine` usage of functions is not supported in Wasmtime and this can result in type confusion of function pointers, resulting in being able to safely call a function with the wrong type. Triggering this bug requires using at least two `Engine` values in an embedding and then additionally using two different values with a `Linker` (one at the creation time of the `Linker` and another when instantiating a module with the `Linker`). It's expected that usage of more-than-one `Engine` in an embedding is relatively rare since an `Engine` is intended to be a globally shared resource, so the expectation is that the impact of this issue is relatively small. The fix implemented is to change this behavior to `panic!()` in Rust instead of silently allowing it. Using different `Engine` instances with a `Linker` is a programmer bug that `wasmtime` catches at runtime. This bug has been patched and users should upgrade to Wasmtime version 0.30.0. If you cannot upgrade Wasmtime and are using more than one `Engine` in your embedding it's recommended to instead use only one `Engine` for the entire program if possible. An `Engine` is designed to be a globally shared resource that is suitable to have only one for the lifetime of an entire process. If using multiple `Engine`s is required then code should be audited to ensure that `Linker` is only used with one `Engine`.

是 WebAssembly 和 WASI 的开源运行时。版本0.30.0之前的 Wasmtime 受到类型混淆漏洞的影响。作为一个锈蚀图书馆，“ Wasmtime”板条箱清楚地标记出哪些功能是安全的，哪些功能是“不安全的”，保证了如果消费者从不使用“不安全的”，那么在他们嵌入 Wasmtime 时就不可能出现记忆不安全的问题。在‘ Linker: : func _ *’API 的安全 API 中发现了一个问题。这些 api 以前是不健全的，当一个’引擎’被用来创建’连接’，然后一个不同的’引擎’被用来创建一个’存储’，然后’连接’被用来实例化一个模块到那个’存储’。在 Wasmtime，交叉引擎不支持函数的使用，这可能导致函数指针的类型混乱，从而导致能够安全地调用一个类型错误的函数。触发这个 bug 需要在一个嵌入中使用至少两个“ Engine”值，然后使用两个不同的“ Linker”值(一个在“ Linker”创建时使用，另一个在用“ Linker”实例化一个模块时使用)。预计在嵌入中使用多个“引擎”的情况相对较少，因为“引擎”意在成为全球共享的资源，所以预计这个问题的影响相对较小。实现的修复方法是将这种行为改为‘惊慌！在生锈而不是默默地允许它。使用不同的‘ Engine’实例和‘ Linker’是程序员在运行时捕获的‘ wasmtime’错误。这个 bug 已经被修复，用户应该升级到 Wasmtime 版本0.30.0。如果你不能升级 Wasmtime，并且在嵌入过程中使用了多个引擎，建议尽可能在整个程序中只使用一个引擎。“引擎”被设计成一个全球共享的资源，在整个进程的生命周期中只能有一个引擎。如果需要使用多个‘ Engine’，那么应该对代码进行审计，以确保‘ Linker’只与一个‘ Engine’一起使用。

ZRender is a lightweight graphic library providing 2d draw for Apache ECharts. In versions prior to 5.2.1, using `merge` and `clone` helper methods in the `src/core/util.ts` module results in prototype pollution. It affects the popular data visualization library Apache ECharts, which uses and exports these two methods directly. The GitHub Security Advisory page for this vulnerability contains a proof of concept. This issue is patched in ZRender version 5.2.1. One workaround is available: Check if there is `__proto__` in the object keys. Omit it before using it as an parameter in these affected methods. Or in `echarts.util.merge` and `setOption` if project is using ECharts.

ZRender 是一个轻量级的图形库，为 Apache ECharts 提供2 d 绘图。在5.2.1之前的版本中，在‘ src/core/util.ts’模块中使用‘ merge’和‘ clone’helper 方法会导致原型污染。它影响了流行的数据可视化/程序库 Apache ECharts，后者直接使用和导出这两种方法。这个漏洞的 GitHub 安全性咨询页面包含了一个概念验证。这个问题是在 ZRender 5.2.1版本中修补的。一个可用的解决方案是: 检查对象键中是否有‘ _ proto _’。在这些受影响的方法中使用它作为参数之前省略它。如果 project 正在使用 ECharts，则可以使用‘ ECharts.util.merge’和‘ setopt’。

Tremor is an event processing system for unstructured data. A vulnerability exists between versions 0.7.2 and 0.11.6. This vulnerability is a memory safety Issue when using `patch` or `merge` on `state` and assign the result back to `state`. In this case, affected versions of Tremor and the tremor-script crate maintains references to memory that might have been freed already. And these memory regions can be accessed by retrieving the `state`, e.g. send it over TCP or HTTP. This requires the Tremor server (or any other program using tremor-script) to execute a tremor-script script that uses the mentioned language construct. The issue has been patched in version 0.11.6 by removing the optimization and always cloning the target expression of a Merge or Patch. If an upgrade is not possible, a possible workaround is to avoid the optimization by introducing a temporary variable and not immediately reassigning to `state`.

震颤是非结构化数据的事件处理系统。在版本0.7.2和0.11.6之间存在漏洞。当在状态上使用‘ patch’或‘ merge’并将结果返回到‘ state’时，此漏洞是一个内存安全问题。在这种情况下，受影响的震颤版本和震颤脚本板条箱维护对可能已经被释放的内存的引用。这些内存区域可以通过检索“状态”来访问，例如通过 TCP 或 HTTP 发送。这要求 tremserver (或者其他任何使用 tremscript 的程序)执行一个使用上述语言结构的 tremscript。这个问题已经在0.11.6版本中通过删除优化并且总是克隆 Merge 或 Patch 的目标表达式来修补。如果不能升级，一个可能的解决方案是通过引入临时变量来避免优化，而不是立即重新分配到“状态”。

The BulletProof Security WordPress plugin is vulnerable to sensitive information disclosure due to a file path disclosure in the publicly accessible ~/db_backup_log.txt file which grants attackers the full path of the site, in addition to the path of database backup files. This affects versions up to, and including, 5.1.

防弹安全 WordPress 插件很容易受到敏感信息泄露的影响，因为在公开访问的 ~/db _ backup _ log.txt 文件中有一个文件路径泄露，除了数据库备份文件的路径之外，这个文件还允许攻击者访问站点的完整路径。这会影响到5.1版本。

nLight ECLYPSE (nECY) system Controllers running software prior to 1.17.21245.754 contain a default key vulnerability. The nECY does not force a change to the key upon the initial configuration of an affected device. nECY system controllers utilize an encrypted channel to secure SensorViewTM configuration and monitoring software and nECY to nECY communications. Impacted devices are at risk of exploitation. A remote attacker with IP access to an impacted device could submit lighting control commands to the nECY by leveraging the default key. A successful attack may result in the attacker gaining the ability to modify lighting conditions or gain the ability to update the software on lighting devices. The impacted key is referred to as the SensorView Password in the nECY nLight Explorer Interface and the Gateway Password in the SensorView application. An attacker cannot authenticate to or modify the configuration or software of the nECY system controller.

在1.17.21245.754之前运行软件的 nLight ECLYPSE (nECY)系统控制器包含一个缺省的密钥漏洞。在受影响的设备的初始配置上，nECY 不强制对键进行更改。系统控制器利用一个加密的通道来保护 SensorViewTM 配置和监控软件，以及 nECY 与 nny 之间的通信。受影响的装置有被利用的危险。对受影响设备具有 IP 访问权限的远程攻击者可以利用默认密钥将照明控制命令提交给 nECY。一次成功的攻击可能导致攻击者获得修改照明条件的能力或获得更新照明设备上的软件的能力。受影响的密钥在 nny nLight Explorer 界面中称为 SensorView 密码，在 SensorView 应用程序中称为 Gateway 密码。攻击者不能验证或修改 nECY 系统控制器的配置或软件。

Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass. Users should update to Apache Shiro 1.8.0.

在1.8.0之前，当使用 Apache Shiro 和 Spring Boot 时，一个特殊的 HTTP 请求可能会导致身份验证绕过。用户应该升级到 Apache Shiro 1.8.0。

The Device42 Remote Collector before 17.05.01 does not sanitize user input in its SNMP Connectivity utility. This allows an authenticated attacker (with access to the console application) to execute arbitrary OS commands and escalate privileges.

Device42 Remote Collector 在17.05.01之前不会对 SNMP 连接实用程序中的用户输入进行消毒。这允许经过身份验证的攻击者(访问控制台应用)执行任意操作系统命令并升级特权。

The Device42 Main Appliance before 17.05.01 does not sanitize user input in its Nmap Discovery utility. An attacker (with permissions to add or edit jobs run by this utility) can inject an extra argument to overwrite arbitrary files as the root user on the Remote Collector.

Device42主设备在17.05.01之前不会在其 Nmap Discovery 实用程序中对用户输入进行消毒。攻击者(具有添加或编辑由此实用程序运行的作业的权限)可以注入额外的参数，将任意文件覆盖为 Remote Collector 上的根用户。

XSS Hunter Express before 2021-09-17 does not properly enforce authentication requirements for paths.

2021-09-17之前的 XSS Hunter Express 不能正确执行路径的认证要求。

In MISP before 2.4.148, app/Lib/Export/OpendataExport.php mishandles parameter data that is used in a shell_exec call.

在2.4.148之前的 MISP 中，app/Lib/Export/OpendataExport.php 错误处理 shell _ exec 调用中使用的参数数据。

RealVNC Viewer 6.21.406 allows remote VNC servers to cause a denial of service (application crash) via crafted RFB protocol data.

RealVNC Viewer 6.21.406允许远程 VNC 服务器通过精心制作的 RFB 协议数据导致应用分布式拒绝服务攻击崩溃。

setup.cgi on NETGEAR R6020 1.0.0.48 devices allows an admin to execute arbitrary shell commands via shell metacharacters in the ntp_server field.

NETGEAR r60201.0.0.48设备上的 setup.cgi 允许管理员通过 ntp server 字段中的 shell 元字符执行任意的 shell 命令。

seatd-launch in seatd 0.6.x before 0.6.2 allows privilege escalation because it uses execlp and may be installed setuid root.

0.6.2之前在 seatd 0.6. x 发布的 seatd-launch 允许权限提升使用 execlp，并且可能安装 setuid root。

In Ericsson ECM before 18.0, it was observed that Security Provider Endpoint in the User Profile Management Section is vulnerable to CSV Injection.

在18.0之前的 Ericsson ECM 中，有人观察到用户配置文件管理部分的安全提供者端点易受 CSV 注入的攻击。

In Ericsson ECM before 18.0, it was observed that Security Management Endpoint in User Profile Management Section is vulnerable to stored XSS via a name, leading to session hijacking and full account takeover.

在18.0之前的爱立信 ECM 中，观察到用户配置文件管理部分的安全管理端点容易受到存储的 XSS 名称的攻击，导致会话劫持和完全的帐户接管。

static/main-preload.js in Boost Note through 0.22.0 allows remote command execution. A remote attacker may send a crafted IPC message to the exposed vulnerable ipcRenderer IPC interface, which invokes the dangerous openExternal Electron API.

静态/主要预载荷。0.22.0中的 js 允许远程命令执行。远程攻击者可能会向公开的易受攻击的 ipcRenderer IPC 接口发送一个精心编写的 IPC 消息，这个接口调用了危险的 openExternal Electron API。

There is command injection in the meshd program in the routing system, resulting in command execution under administrator authority on Xiaomi router AX3600 with ROM version =< 1.1.12

在路由系统的 meshd 程序中有命令注入，导致命令在管理员的授权下在小米路由器 AX3600上执行，ROM 版本 = < 1.1.12

There is command injection in the addMeshNode interface of xqnetwork.lua, which leads to command execution under administrator authority on Xiaomi router AX3600 with rom versionrom< 1.1.12

在 xqnetwork.lua 的 addMeshNode 接口中有命令注入，这使得小米路由器 AX3600的命令在管理员的授权下执行，版本号为 < 1.1.12

There is a buffer overflow in librsa.so called by getwifipwdurl interface, resulting in code execution on Xiaomi router AX3600 with ROM version =rom< 1.1.12.

在小米路由器 AX3600中存在缓冲区溢出，这是 getwifipwdurl 接口所调用的，导致代码在 ROM 版本 < 1.1.12的小米路由器 AX3600上执行。

Some js interfaces in the Xiaomi community were exposed, causing sensitive functions to be maliciously called on Xiaomi community app Affected Version <3.0.210809

小米社区中的一些 js 界面被暴露，导致敏感功能被恶意调用到小米社区应用受影响版本 < 3.0.210809上

fig2dev 3.2.7b contains a stack buffer overflow in the bezier_spline function in genepic.c.

图2dev 3.2.7 b 在 genepic.c 中的 bezier _ spline 函数中包含一个栈缓冲区溢出。

fig2dev 3.2.7b contains a segmentation fault in the read_objects function in read.c.

图2dev 3.2.7 b 在 read.c 中的 read _ objects 函数中包含一个内存区段错误。

fig2dev 3.2.7b contains a global buffer overflow in the conv_pattern_index function in gencgm.c.

图2dev 3.2.7 b 在 gencgm.c 的 conv _ pattern _ index 函数中包含一个全局缓冲区溢出。

fig2dev 3.2.7b contains a global buffer overflow in the setfigfont function in genepic.c.

图2dev 3.2.7 b 在 genepic.c 的 setfigfont 函数中包含一个全局缓冲区溢出。

fig2dev 3.2.7b contains a stack buffer overflow in the read_textobject function in read.c.

图2dev 3.2.7 b 在 read.c 中的 read _ textobject 函数中包含一个栈缓冲区溢出。

fig2dev 3.2.7b contains a global buffer overflow in the get_line function in read.c.

图2dev 3.2.7 b 在 read.c 的 get _ line 函数中包含一个全局缓冲区溢出。

fig2dev 3.2.7b contains a segmentation fault in the gencgm_start function in gencgm.c.

图2dev 3.2.7 b 包含 gencgm.c 中 gencgm _ start 函数的内存区段错误。

libde265 v1.0.4 contains a heap buffer overflow in the put_epel_hv_fallback function, which can be exploited via a crafted a file.

265 v1.0.4在 put epel hv fallback 函数中包含一个堆缓冲区溢出，可以通过一个精心设计的文件进行利用。

libde265 v1.0.4 contains a heap buffer overflow in the mc_luma function, which can be exploited via a crafted a file.

Libde265 v1.0.4在 mc _ luma 函数中包含一个堆缓冲区溢出，可以通过一个精心设计的文件来利用这个溢出。

libde265 v1.0.4 contains a global buffer overflow in the decode_CABAC_bit function, which can be exploited via a crafted a file.

265 v1.0.4包含 decode cabac 位函数中的全局缓冲区溢出，可以通过一个精心设计的文件进行利用。

libde265 v1.0.4 contains a heap buffer overflow in the mc_chroma function, which can be exploited via a crafted a file.

Libde265 v1.0.4在 mc _ chroma 函数中包含一个堆缓冲区溢出，可以通过一个精心设计的文件来利用这个溢出。

libde265 v1.0.4 contains a heap buffer overflow in the ff_hevc_put_unweighted_pred_8_sse function, which can be exploited via a crafted a file.

265 v1.0.4在 ff hevc put unweighted pred 8 sse 函数中包含堆缓冲区溢出，可以通过一个精心设计的文件进行利用。

libde265 v1.0.4 contains a heap buffer overflow in the de265_image::available_zscan function, which can be exploited via a crafted a file.

265 v1.0.4在 de265 image: available zscan 函数中包含一个堆缓冲区溢出，可以通过一个精心设计的文件进行利用。

libde265 v1.0.4 contains a heap buffer overflow in the put_weighted_pred_avg_16_fallback function, which can be exploited via a crafted a file.

265 v1.0.4在 put weighted pred avg 16 fallback 函数中包含一个堆缓冲区溢出，可以通过一个精心设计的文件来利用这个溢出。

libde265 v1.0.4 contains a stack buffer overflow in the put_qpel_fallback function, which can be exploited via a crafted a file.

265 v1.0.4在 put _ bpel _ fallback 函数中包含一个堆栈缓冲区溢出，可以通过一个精心设计的文件来利用这个溢出。

libde265 v1.0.4 contains a heap buffer overflow in the put_weighted_bipred_16_fallback function, which can be exploited via a crafted a file.

265 v1.0.4在 put weighted bipred 16 fallback 函数中包含一个堆缓冲区溢出，可以通过一个精心设计的文件来利用这个溢出。

libde265 v1.0.4 contains a heap buffer overflow in the put_qpel_0_0_fallback_16 function, which can be exploited via a crafted a file.

265 v1.0.4包含了 put qpel 0 fallback 16函数中的堆缓冲区溢出，可以通过一个精心设计的文件来利用这个溢出。

libde265 v1.0.4 contains a heap buffer overflow fault in the _mm_loadl_epi64 function, which can be exploited via a crafted a file.

Libde265 v1.0.4在 mm _ loadl _ epi64函数中包含一个堆缓冲区溢出错误，可以通过一个精心设计的文件进行利用。

libde265 v1.0.4 contains a segmentation fault in the apply_sao_internal function, which can be exploited via a crafted a file.

265 v1.0.4在 apply sao internal function 中包含一个内存区段错误，可以通过一个精心设计的文件加以利用。

libde265 v1.0.4 contains a heap buffer overflow fault in the put_epel_16_fallback function, which can be exploited via a crafted a file.

Libde265 v1.0.4在 put epel 16 fallback 函数中包含一个堆缓冲区溢出错误，可以通过一个精心设计的文件来利用这个错误。

Null pointer dereference occurs due to improper validation when the preemption feature enablement is toggled in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Wearables

在 Snapdragon Auto，Snapdragon Compute，Snapdragon Connectivity，Snapdragon Consumer IOT，Snapdragon Industrial IOT，Snapdragon Wearables，当抢占功能启用时，由于验证不当，会发生空指针取消引用

Use-after-free vulnerability in kernel graphics driver because of storing an invalid pointer in Snapdragon Compute, Snapdragon Connectivity, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking

在内核图形驱动程序中使用后免费漏洞，因为存储一个无效指针在 Snapdragon Compute，金鱼草连接，金鱼草工业物联网，金鱼草移动，金鱼草可穿戴，金鱼草有线基础设施和网络

A use after free can occur due to improper validation of P2P device address in PD Request frame in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking

免费后的使用可能由于 PD 请求框架中 P2P 设备地址验证不当而发生，包括 Snapdragon Auto，Snapdragon Compute，Snapdragon Connectivity，Snapdragon Consumer IOT，Snapdragon Industrial IOT，Snapdragon Voice & Music，Snapdragon Wearables，Snapdragon Wired Infrastructure and Networking

Improper control of program execution vulnerability in RevoWorks Browser 2.1.230 and earlier allows an attacker to execute an arbitrary command or code via unspecified vectors.

在 RevoWorks Browser 2.1.230及更早版本中，对程序执行漏洞的不当控制允许攻击者通过未指定的向量执行任意命令或代码。

Improper access control vulnerability in RevoWorks Browser 2.1.230 and earlier allows an attacker to bypass access restriction and to exchange unauthorized files between the local environment and the isolated environment or settings of the web browser via unspecified vectors.

在 RevoWorks Browser 2.1.230及更早版本中，不正确的访问控制漏洞允许攻击者绕过访问限制，并通过未指定的向量在本地环境和独立环境或 web 浏览器设置之间交换未经授权的文件。

Cross-site scripting vulnerability in List (order management) item change plug-in (for EC-CUBE 3.0 series) Ver.1.1 and earlier allows a remote attacker to inject an arbitrary script via unspecified vectors.

在 List (订单管理)项目更改插件(用于 EC-CUBE 3.0系列) Ver. 1.1和更早版本中的跨网站脚本漏洞允许远程攻击者通过未指定的向量注入任意的脚本。

Cross-site scripting vulnerability in Order Status Batch Change Plug-in (for EC-CUBE 3.0 series) all versions allows a remote attacker to inject an arbitrary script via unspecified vectors.

所有版本都允许远程攻击者通过未指定的向量注入任意的脚本跨网站脚本。

OpenSIS Community Edition version <= 7.6 is affected by a reflected XSS vulnerability in EmailCheck.php via the "opt" parameter.

OpenSIS Community Edition 版本 < = 7.6通过“ opt”参数受到 EmailCheck.php 中反映的 XSS 漏洞的影响。

OpenSIS Community Edition version <= 7.6 is affected by a local file inclusion vulnerability in DownloadWindow.php via the "filename" parameter.

OpenSIS Community Edition 版本 < = 7.6通过“ filename”参数受到 DownloadWindow.php 中本地文件包含漏洞的影响。

IBM Db2 11.2 and 11.5 contains an information disclosure vulnerability, exposing remote storage credentials to privileged users under specific conditions. IBM X-Fporce ID: 201780.

IBM db211.2和11.5包含一个信息披露漏洞，在特定条件下向特权用户公开远程存储凭据。201780.

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.1 and 11.5 under very specific conditions, could allow a local user to keep running a procedure that could cause the system to run out of memory.and cause a denial of service. IBM X-Force ID: 202267.

在非常特定的条件下，IBM Db2 for Linux，UNIX 和 Windows (包括 Db2 Connect Server)11.1和11.5可以允许本地用户继续运行一个过程，这个过程可能会导致系统耗尽内存并引发分布式拒绝服务攻击。202267.

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) could disclose sensitive information when using ADMIN_CMD with LOAD or BACKUP. IBM X-Force ID: 204470.

IBM Db2 for Linux、 UNIX 和 Windows (包括 Db2 Connect Server)在与 LOAD 或 BACKUP 一起使用 ADMIN _ cmd 时可能会泄露敏感信息。204470.

IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 17.0.0.3 through 21.0.0.9 could allow a remote user to enumerate usernames due to a difference of responses from valid and invalid login attempts. IBM X-Force ID: 205202.

IBM WebSphere Application Server 7.0,8.0,8.5,9.0和 Liberty 17.0.0.3到21.0.0.9允许远程用户枚举用户名，因为有效和无效的登录尝试的响应不同。205202.

Possible Integer overflow to buffer overflow issue can occur due to improper validation of input parameters when extscan hostlist configuration command is received in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking

在 Snapdragon Auto，Snapdragon Compute，Snapdragon Connectivity，Snapdragon Consumer Electronics Connectivity，Snapdragon Consumer IOT，Snapdragon Industrial IOT，Snapdragon IOT，Snapdragon Mobile，Snapdragon Voice & Music，Snapdragon Wired Infrastructure and Networking 中接收到 extscan hostlist configuration 命令时，由于输入参数验证不当，可能会发生整数溢出到缓冲区溢出的问题

Possible integer and heap overflow due to lack of input command size validation while handling beacon template update command from HLOS in Snapdragon Auto, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables

由于缺乏输入命令大小验证，可能会出现整数和堆溢出，而处理灯塔模板更新命令从 HLOS 在金鱼草汽车，金鱼草消费者物联网，金鱼草工业物联网，金鱼草物联网，金鱼草移动，金鱼草语音和音乐，Snapdragon Wearables

Multiple Wireless M-Bus devices by Enbra use Hard-coded Credentials in Security mode 5 without an option to change the encryption key. An adversary can learn all information that is available in Enbra EWM.

Enbra 提供的多个无线 M-Bus 设备在安全模式5中使用硬编码凭证，而不需要更改加密密钥。敌手可以学习 Enbra EWM 中提供的所有信息。

Enbra EWM 1.7.29 does not check for or detect replay attacks sent by wireless M-Bus Security mode 5 devices. Instead timestamps of the sensor are replaced by the time of the readout even if the data is a replay of earlier data.

Enbra EWM 1.7.29不检查或检测由无线 M-Bus Security mode 5设备发送的重放攻击。相反，即使数据是早期数据的重播，传感器的时间戳也会被读出的时间所替换。

In Enbra EWM in Version 1.7.29 together with several tested wireless M-Bus Sensors the events backflow and "no flow" are not reconized or misinterpreted. This may lead to wrong values and missing events.

在版本1.7.29的 Enbra EWM 中，连同几个经过测试的无线 M-Bus 传感器，事件回流和“无流”没有被重新配置或误解。这可能导致错误的价值观和遗漏事件。

In Kaden PICOFLUX Air in all known versions an information exposure through observable discrepancy exists. This may give sensitive information (water consumption without distinct values) to third parties.

在 Kaden PICOFLUX Air 所有已知的版本中，都存在通过可观察到的差异而暴露的信息。这可能会将敏感信息(没有明确价值的用水量)提供给第三方。

Malformed requests may cause the server to dereference a NULL pointer. This issue affects Apache HTTP Server 2.4.48 and earlier.

错误的请求可能会导致服务器取消引用 NULL 指针，这个问题会影响 Apache HTTP Server 2.4.48和更早的版本。

A carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and crash (DoS). This issue affects Apache HTTP Server versions 2.4.30 to 2.4.48 (inclusive).

一个精心设计的请求 uri-path 可能会导致 mod _ proxy _ uwsgi 读取超过分配的内存和崩溃(DoS)。这个问题影响 Apache HTTP Server 版本2.4.30至2.4.48(包括在内)。

nth-check is vulnerable to Inefficient Regular Expression Complexity

Nth-check 容易受到低效的正则表达式复杂度的影响

taro is vulnerable to Inefficient Regular Expression Complexity

正则表达式复杂度低是 taro 的弱项

object-path is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

对象路径容易受到不当控制的修改对象原型属性(“原型污染”)

ansi-regex is vulnerable to Inefficient Regular Expression Complexity

Ansi-regex 容易受到低效的正则表达式复杂性的影响

code-server is vulnerable to Inefficient Regular Expression Complexity

代码服务器容易受到低效的正则表达式复杂度的影响

adminlte is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

在网页生成过程中，adminlte 很容易受到不当中和输入的影响(“跨网站脚本”)

adminlte is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

在网页生成过程中，adminlte 很容易受到不当中和输入的影响(“跨网站脚本”)

SharpCompress is a fully managed C# library to deal with many compression types and formats. Versions prior to 0.29.0 are vulnerable to partial path traversal. SharpCompress recreates a hierarchy of directories under destinationDirectory if ExtractFullPath is set to true in options. In order to prevent extraction outside the destination directory the destinationFileName path is verified to begin with fullDestinationDirectoryPath. However, prior to version 0.29.0, it is not enforced that fullDestinationDirectoryPath ends with slash. If the destinationDirectory is not slash terminated like `/home/user/dir` it is possible to create a file with a name thats begins as the destination directory one level up from the directory, i.e. `/home/user/dir.sh`. Because of the file name and destination directory constraints the arbitrary file creation impact is limited and depends on the use case. This issue is fixed in SharpCompress version 0.29.0.

SharpCompress 是一个完全托管的 c # 库，用于处理许多压缩类型和格式。0.29.0之前的版本易受部分路径遍历的影响。如果 ExtractFullPath 在选项中设置为 true，则 SharpCompress 在 destinationDirectory 下重新创建目录的层次结构。为了防止在目标目录之外提取，将验证 destinationFileName 路径以 fullDestinationDirectoryPath 开始。但是，在0.29.0版本之前，不强制 fulldestationdirectorypath 以斜杠结尾。如果 destinationDirectory 没有像‘/home/user/dir’那样以斜杠结尾，那么可以创建一个名称作为目标目录的文件，即‘/home/user/dir.sh’。由于文件名和目标目录的约束，任意文件创建的影响是有限的，并取决于用例。这个问题在 SharpCompress version 0.29.0中得到了修复。

mitmproxy is an interactive, SSL/TLS-capable intercepting proxy. In mitmproxy 7.0.2 and below, a malicious client or server is able to perform HTTP request smuggling attacks through mitmproxy. This means that a malicious client/server could smuggle a request/response through mitmproxy as part of another request/response's HTTP message body. While a smuggled request is still captured as part of another request's body, it does not appear in the request list and does not go through the usual mitmproxy event hooks, where users may have implemented custom access control checks or input sanitization. Unless one uses mitmproxy to protect an HTTP/1 service, no action is required. The vulnerability has been fixed in mitmproxy 7.0.3 and above.

Mitmproxy 是一个交互式的、支持 SSL/tls 的拦截代理。在 mitmproxy 7.0.2及以下版本中，恶意客户端或服务器能够通过 mitmproxy 执行 HTTP 请求走私攻击。这意味着恶意客户机/服务器可以通过 mitmproxy 将请求/响应作为另一个请求/响应的 HTTP 消息体的一部分偷偷地传送出去。当一个被偷偷带入的请求仍然作为另一个请求的主体的一部分被捕获时，它不会出现在请求列表中，也不会通过通常的 mitmproxy 事件钩子，在那里用户可能已经实现了自定义的访问控制检查或输入清除。除非使用 mitmproxy 来保护 HTTP/1服务，否则不需要任何操作。该漏洞已在 mitmproxy 7.0.3及以上版本中修复。

A vulnerability in XML processing in Apache Jena, in versions up to 4.1.0, may allow an attacker to execute XML External Entities (XXE), including exposing the contents of local files to a remote server.

Apache Jena 中 XML 处理中的一个漏洞(版本高达4.1.0)可能允许攻击者执行 XML 外部实体(XXE) ，包括将本地文件的内容暴露给远程服务器。

ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may. This issue affects Apache HTTP Server 2.4.48 and earlier.

当给出恶意输入时，ap _ escape _ quotes ()可能写在缓冲区的末尾以外。没有包含的模块向这些函数传递不受信任的数据，但是第三方/外部模块可以。这个问题影响到 Apache HTTP Server 2.4.48和更早的版本。

The access controls on the Mobility read-only API improperly validate user access permissions. Attackers with both network access to the API and valid credentials can read data from it; regardless of access control group membership settings. This vulnerability is fixed in Mobility v11.76 and Mobility v12.14.

移动只读 API 上的访问控制不正确地验证了用户访问权限。具有对 API 的网络访问权限和有效凭据的攻击者可以从 API 中读取数据; 与访问控制组成员设置无关。这个漏洞在 Mobility v11.76和 Mobility v12.14中被修复。