Advisories
Public Vulnerabilities & CVEs found by YLabs. All releases are governed by our Vulnerability Disclosure Policy.
CVE-2024-29868: Apache StreamPipes – Use of Cryptographically Weak PRNG in Recovery Token Generation
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Apache StreamPipes user self-registration and password recovery mechanism. This issue affects Apache StreamPipes from version 0.69.0 through 0.93.0. Users are recommended to upgrade to version 0.95.0, which fixes the issue.
CVE-2023-29998: Persistent XSS in G3WSuite 3.5
A Cross-site scripting (XSS) vulnerability in the content editor in Gis3W g3w-suite 3.5 allows remote authenticated users to inject arbitrary web script or HTML via the description parameter.
CVE-2023-29713: Reflected XSS in Vade Secure Gateway
Severity: High
A Reflected Cross Site Scripting vulnerability found in Vade Secure Gateway <= 3.0 allows a remote attacker to execute arbitrary JavaScript code on the victim's browser via the URL.
CVE-2023-29712: DOM-based XSS in Vade Secure Gateway
Severity: Medium
A DOM-Based Cross Site Scripting vulnerability found in Vade Secure Gateway <= 3.0 allows a remote attacker to execute arbitrary JavaScript code on the victim's browser via header parameter.
CVE-2023-29714: DOM-based XSS in Vade Secure Gateway
Severity: Medium
A DOM-Based Cross Site Scripting vulnerability found in Vade Secure Gateway <= 3.0 allows a remote attacker to execute arbitrary JavaScript code on the victim's browser via cookies parameter.
CVE-2022-48111: SIRI WI400 – XSS on Login Page
A cross-site scripting (XSS) vulnerability in the check_login function of S.I.R.I. s.r.l WI400 between v.8 and v.11 inclusive allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the “f” parameter.
CVE-2022-22834: OverIT Geocall v. < 8.0 – XSLT Injection
Severity: Medium
In OverIT projects based on the same Geocall-Framework at level v. < 8, an authenticated user who has the “Test Trasformazione xsl” functionality enabled can exploit an XSLT Injection vulnerability in order to achieve remote code execution (RCE). The vulnerability is triggered by sending a specific XSL tag inside the XML field.
CVE-2022-22835: OverIT Geocall v. < 8.0 – XXE
Severity: Low
In OverIT projects based on the same Geocall-Framework at level v. < 8, an authenticated user who has the “Test Trasformazione xsl” functionality enabled can exploit an XXE vulnerability to read arbitrary files from the filesystem. The vulnerability is triggered by sending a specific XSL tag inside the XML field.
CVE-2021-44228: Wowza Streaming Engine v. <= 4.8.16+1 - RCE (Log4j)
Severity: High
Wowza Streaming Engine v.<= 4.8.16+1 (build 20211129092949) is vulnerable to the Log4j JNDI injection, affecting the 'j_username' username field, in the login page as well as other HTTP headers. Attackers exploiting this issue will be able to achieve remote code execution (RCE) in the context of the NT AUTHORITY\SYSTEM Windows user managing the service.
All vendors affected by the Log4j vulnerability must use the CVE-2021-44228 when referring to this vulnerability in their own products.
At present, MITRE does not offer an option for a vendor to associate its own unique CVE ID with this same underlying vulnerability.
CVE-2021-40827: Clementine Music Player v. <= v.1.3.1 - Read Access Violation on Block Data Move
Severity: Medium
Clementine Music Player v. <= 1.3.1, in libgstreamer-1.0-0.dll (F1CC318CA54B8BC35179A48DAEBB94DF741D9E3B) module, is affected by a Read Access Violation on Block Data Move (potential Stack Overflow), affecting the MP3 file parsing functionality at memcpy+0x265.
The vulnerability is triggered when the user opens a crafted MP3 file or loads a remote stream URL that is mishandled by Clementine.
Attackers could exploit this issue to cause a crash (DoS) of the clementine.exe process or achieve arbitrary code execution in the context of the current logged-in Windows user.
eip=76888f55 esp=0edcfb38 ebp=0edcfb40 iopl=0 nv dn ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010616
msvcrt!memcpy+0x265:
76888f55 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
FAILURE_BUCKET_ID: INVALID_POINTER_READ_c0000005_msvcrt.dll!memcpy
Basic Block:
    777c8f55 rep movs dword ptr es:[edi],dword ptr [esi]
       Tainted Input operands: 'ecx','esi'
    777c8f57 cld
    777c8f58 jmp dword ptr msvcrt!memcpy+0x310 (777c9000)[edx*4]
Exception Hash (Major/Minor): 0xb323a61f.0x1e633652
Hash Usage : Stack Trace:
Major+Minor : msvcrt!memcpy+0x265
Major+Minor : libgstreamer_1_0_0!gst_buffer_fill+0x190
Major+Minor : libgsttag_1_0_0!gst_tag_mux_get_type+0x20df
Major+Minor : libgsttag_1_0_0!gst_tag_list_from_id3v2_tag+0x9ab
Major+Minor : libglib_2_0_0!g_rec_mutex_unlock+0x14
Minor : libgstreamer_1_0_0!gst_buffer_unmap+0x56
Minor : libgstreamer_1_0_0!gst_memory_resize+0x22
Minor : libgstid3demux+0x17fc
Minor : libgstreamer_1_0_0!gst_buffer_set_size+0x2f
Minor : libgsttag_1_0_0!gst_tag_demux_get_type+0x1011
Minor : libgstreamer_1_0_0!gst_element_get_type+0x114
Minor : libgsttag_1_0_0!gst_tag_demux_get_type+0x1c49
Minor : libglib_2_0_0!g_mutex_unlock+0x12
Minor : libgstreamer_1_0_0!gst_tag_setter_get_tag_merge_mode+0x186
Minor : KERNEL32!timeGetTime+0x37
Minor : libglib_2_0_0!g_thread_pool_new+0x2f6
Instruction Address: 0x0000000076888f55
Description: Read Access Violation on Block Data Move
Short Description: ReadAVonBlockMove
Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - Read Access Violation on Block Data Move starting at msvcrt!memcpy+0x0000000000000265 (Hash=0xb323a61f.0x1e633652)