MBA Knowledge Base


Case Study: Inventory Management Practices at Walmart

About Walmart

Wal-Mart Stores, Inc. is the largest retailer in the world, the world’s second-largest company and the nation’s largest nongovernmental employer. Wal-Mart Stores, Inc. operates retail stores in various retailing formats in all 50 states in the United States. The Company’s mass merchandising operations serve its customers primarily through the operation of three segments. The Wal-Mart Stores segment includes its discount stores, Supercenters, and Neighborhood Markets in the United States. The Sam’s Club segment includes the warehouse membership clubs in the United States. The Company’s subsidiary, McLane Company, Inc., provides products and distribution services to retail industry and institutional foodservice customers. Wal-Mart serves customers and members more than 200 million times per week at more than 8,416 retail units under 53 different banners in 15 countries. With fiscal year 2010 sales of $405 billion, Wal-Mart employs more than 2.1 million associates worldwide. Nearly 75% of its stores are in the United States (“Wal-Mart International Operations”, 2004), but Wal-Mart is expanding internationally. The Group is engaged in the operations of retail stores located in all 50 states of the United States, Argentina, Brazil, Canada, Japan, Puerto Rico and the United Kingdom, Central America, Chile, Mexico, India and China.

Walmart Inventory Management

Wal-Mart had developed an ability to cater to the individual needs of its stores. Stores could choose from a number of delivery plans. For instance, there was an accelerated delivery system by which stores located within a certain distance of a geographical center could receive replenishment within a day. Wal-Mart invested heavily in IT and communications systems to effectively track sales and merchandise inventories in stores across the country. With the rapid expansion of Wal-Mart stores in the US, it was essential to have a good communication system. Hence, Wal-Mart set up its own satellite communication system in 1983. Explaining the benefits of the system Walton said, “I can walk in the satellite room, where our technicians sit in front of the computer screens talking on the phone to any stores that might be having a problem with the system, and just looking over their shoulders for a minute or two will tell me a lot about how a particular day is going. On the screen, I can see the total of the day’s bank credit sales adding up as they occur. If we have something really important or urgent to communicate to the stores and distribution centers, I, or any other Wal-Mart executive can walk back to our TV studio and get on that satellite transmission and get it right out there. I can also go every Saturday morning around three, look over these printouts and know precisely what kind of work we have had.”

Wal-Mart was able to reduce unproductive inventory by allowing stores to manage their own stocks, reducing pack sizes across many product categories, and timely price markdowns. Instead of cutting inventory across the board, Wal-Mart made full use of its IT capabilities to make more inventories available in the case of items that customers wanted most, while reducing the overall inventory levels. Wal-Mart also networked its suppliers through computers. The company entered into collaboration with P&G for maintaining the inventory in its stores and built an automated reordering system, which linked all computers between P&G and its stores and other distribution centers. The computer system at Wal-Mart stores identified an item which was low in stock and sent a signal to P&G. The system then sent a re-supply order to the nearest P&G factory through a satellite communication system. P&G then delivered the item either to the Wal-Mart distribution center or directly to the concerned stores. This collaboration between Wal-Mart and P&G was a win-win proposition for both because Wal-Mart could monitor its stock levels in the stores constantly and also identify the items that were moving fast. P&G could also lower its costs and pass on some of the savings to Wal-Mart due to better coordination.

Employees at the stores had the ‘Magic Wand,’ a hand-held computer which was linked to in-store terminals through a radio frequency network. These helped them to keep track of the inventory in stores, deliveries and backup merchandise in stock at the distribution centers. The order management and store replenishment of goods were entirely executed with the help of computers through the Point-of-Sales (POS) system. Through this system, it was possible to monitor and track the sales and merchandise stock levels on the store shelves. Wal-Mart also made use of the sophisticated algorithm system which enabled it to forecast the exact quantities of each item to be delivered, based on the inventories in each store. Since the data was accurate, even bulk items could be broken and supplied to the stores. Wal-Mart also used a centralized inventory data system using which the personnel at the stores could find out the level of inventories and the location of each product at any given time. It also showed whether a product was being loaded in the distribution center or was in transit on a truck. Once the goods were unloaded at the store, the store was furnished with full stocks of inventories of a particular item and the inventory data system was immediately updated.

Wal-Mart also made use of bar coding and radio frequency technology to manage its inventories. Using bar codes and fixed optical readers, the goods could be directed to the appropriate dock, from where they were loaded on to the trucks for shipment. Bar coding devices enabled efficient picking, receiving and proper inventory control of the appropriate goods. It also enabled easy order packing and physical counting of the inventories. In 1991, Wal-Mart had invested approximately $4 billion to build a retail link system. More than 10,000 Wal-Mart retail suppliers used the retail link system to monitor the sales of their goods at stores and replenish inventories. The details of daily transactions, which approximately amounted to more than 10 million per day, were processed through this integrated system and were furnished to every Wal-Mart store by 4 a.m., the next day. In October 2001, Wal-Mart tied-up with Atlas Commerce for upgrading the system through the Internet enabled technologies. Wal-Mart owned the largest and most sophisticated computer system in the private sector. The company used Massively Parallel Processor (MPP) computer system to track the movement of goods and stock levels. All information related to sales and inventories was passed on through an advanced satellite communication system. To provide back-up in case of a major breakdown or service interruption, the company had an extensive contingency plan. By making effective use of computers in all its company’s operations, Wal-Mart was successful in providing uninterrupted service to its customers, suppliers, stockholders and trading partners.


Zenkins

Inventory Management Software: A Case Study

  • Post author: Maryliya M J
  • Post published: January 16, 2024
  • Reading time: 13 mins read

Inventory management plays a crucial role in the success of businesses across industries. Efficiently managing inventory ensures that the right products are available at the right time, minimizing stockouts and carrying costs. To streamline this process and enhance operational efficiency, businesses are increasingly turning to inventory management software solutions.

Introduction to Inventory Management Software

What is Inventory Management Software?

Inventory management software is a powerful tool that helps businesses track, control, and optimize their inventory. It provides real-time visibility into stock levels, automates essential tasks like reordering and restocking, and enables businesses to make data-driven decisions to prevent stockouts or overstocking.

Importance of Inventory Management in Business Operations

Effective inventory management is crucial for businesses of all sizes. It ensures that the right products are available at the right time, minimizes storage costs, prevents stock obsolescence, and enhances customer satisfaction. By streamlining inventory processes and improving accuracy, businesses can reduce the risk of errors, increase operational efficiency, and ultimately boost profitability.

The Need for Efficient Inventory Management

Common Inventory Management Challenges

Managing inventory can be a complex and challenging task. Some common challenges businesses face include inaccurate demand forecasting, manual tracking leading to errors, inefficient order fulfillment, poor visibility of stock levels, and difficulties in identifying slow-moving or obsolete items.

Impact of Inefficient Inventory Management

Inefficient inventory management can have far-reaching consequences for a business. It can result in stockouts, leading to lost sales and dissatisfied customers. Conversely, overstocking ties up capital, increases storage costs, and risks product obsolescence. In addition, inefficient inventory management can lead to inaccuracies in financial reporting, hinder supply chain efficiency, and hamper overall business growth.

About the Client

Our client, a retail chain, faced challenges in tracking inventory levels across multiple stores. With a growing inventory and diverse product lines, they sought to enhance their stock control, automate reorder processes, and optimize inventory turnover. Recognizing the need for a robust solution, they engaged in the development of a tailored Inventory Management Software (IMS).

Project Overview

The project aimed to develop a comprehensive .NET-based IMS to address the client’s challenges. The primary objectives included automating stock control, integrating with point-of-sale (POS) systems, providing real-time stock visibility, and incorporating predictive analytics for effective inventory planning and ordering.

The Challenges

  • Manual Inventory Tracking: The existing manual processes for inventory tracking led to inaccuracies and inefficiencies.
  • Lack of Real-time Visibility: Limited visibility into stock levels across multiple stores resulted in delays and stockouts.
  • Inefficient Reorder Processes: Manual reorder processes were time-consuming and prone to errors.

The Solution

Our team of skilled developers and project managers collaborated to design and implement a comprehensive .NET-based Inventory Management Software. The solution included modules for automated stock control, integration with POS systems, real-time stock visibility, and predictive analytics for optimized inventory planning and ordering.

Key Features of the IMS

  • Automated Stock Control: The IMS automated stock control processes, ensuring accurate and real-time tracking of inventory levels.
  • POS Integration: Seamless integration with point-of-sale systems provided synchronized data, enhancing overall efficiency.
  • Real-time Stock Visibility: The software offered real-time visibility into stock levels across multiple stores, reducing delays and stockouts.
  • Predictive Analytics: Advanced analytics tools provided insights into inventory trends, facilitating proactive planning and ordering.

The Outcome

The Inventory Management Software was successfully deployed, resulting in significant improvements in stock control and inventory management. Automated processes, POS integration, and predictive analytics contributed to a more streamlined and optimized inventory turnover.

Conclusion: The Future of IMS

Our team’s expertise in developing a tailored Inventory Management Software using .NET technologies effectively addressed the client’s challenges. The implementation of automated stock control, POS integration, and predictive analytics tools contributed to a more efficient and responsive inventory management system.

In conclusion, inventory management software has proven to be a valuable tool for businesses seeking to optimize their inventory management processes. Through the case study analysis and exploration of key features and benefits, it is evident that implementing such software can lead to improved efficiency, cost reduction, and better decision-making. While challenges may arise during implementation, adopting best practices and staying proactive can ensure a successful integration. As technology continues to advance, the future of inventory management software holds great promise, with advancements such as AI and predictive analytics poised to revolutionize how businesses manage their inventory. By embracing these innovations and staying ahead of the curve, businesses can unlock new levels of productivity and success in their operations.

What is inventory management software?

Inventory management software is a technology solution designed to track, organize, and manage a company’s inventory levels, orders, and stock movements. It provides businesses with real-time visibility into their inventory, helping them streamline operations, reduce costs, and improve customer satisfaction.

What are the benefits of using inventory management software?

Inventory management software offers several benefits, including improved inventory accuracy, reduced stockouts and overstocking, enhanced order fulfillment, increased operational efficiency, better forecasting, optimized purchasing decisions, and improved customer service. It also helps automate manual tasks, centralize data, and provide actionable insights for informed decision-making.

What challenges can occur during the implementation of inventory management software?

Implementing inventory management software can come with challenges such as data migration and integration, staff training and adaptation, resistance to change, customization requirements, and potential disruptions to ongoing business operations. However, with proper planning, communication, and support, these challenges can be overcome, leading to a successful implementation.

How does inventory management software contribute to the future of inventory management?

Inventory management software is constantly evolving to meet the changing needs of businesses. The future of inventory management software lies in advancements such as artificial intelligence (AI), machine learning, internet of things (IoT), and predictive analytics. These technologies will enable businesses to automate processes, optimize inventory levels, improve demand forecasting accuracy, and gain valuable insights for strategic decision-making, ultimately driving efficiency and profitability.

Quality of Inventory Management System: Case Study of BARMM-Ministry of Public Works-Basilan District Engineering Office

14 Pages Posted: 22 Aug 2023

Lesley Ann Atilano-Tang

Scintilla Juris-Philippines

Kurt Damsani

Ministry of Public Works - Basilan District Engineering Office

Date Written: April 20, 2023

This capstone examines the quality of the inventory management system of the BARMM-Ministry of Public Works-Basilan District Engineering Office in Basilan Province, Philippines. The capstone utilizes a case study research design and employs a mixed-methods approach to gather data from both primary and secondary sources. The theoretical framework of this study is based on the principles of Public Administration, particularly the concept of organizational effectiveness. The results of the study show that the current inventory management system of the engineering office has several weaknesses, including inadequate documentation, lack of standardization, and poor tracking of inventory levels. These issues can lead to inefficiencies in the management of the office's resources and can have a negative impact on the delivery of public services. The study recommends several strategies to improve the quality of the inventory management system, such as implementing a centralized inventory system, developing standard operating procedures for inventory management, and investing in training and development programs for staff. The findings of this study have significant implications for the BARMM-Ministry of Public Works-Basilan District Engineering Office and other public organizations in the Philippines. By implementing the recommended strategies, these organizations can enhance their organizational effectiveness and improve their ability to provide efficient and effective public services to their constituents. The study contributes to the existing literature on inventory management systems and organizational effectiveness in the context of Public Administration.

Keywords: inventory management system, quality, case study, BARMM, Ministry of Public Works, Basilan District Engineering Office, public administration, efficiency, effectiveness, procurement, supply chain management

How to Improve Inventory Management – 15 Proven Ways with Case Studies

Demand Forecasting

Predicting product demand enables businesses to have the right amount of inventory on hand. Demand forecasting is a key strategy for inventory management as it predicts consumer demand for products or services, allowing businesses to manage inventory more effectively and efficiently.

Demand forecasting uses historical sales data, market research, and statistical methods to predict future demand. The fundamental theories behind demand forecasting include time series analysis, causal models, and machine learning models.

Time Series Analysis

This involves examining historical data and identifying patterns like seasonality, trends, and cycles. These patterns are then used to project future demand.

Causal Models

These models analyze the relationship between demand and various external factors, such as economic indicators, marketing efforts, and price changes.

Machine Learning Models

Machine learning models use algorithms to analyze large datasets and identify complex patterns. These patterns are then used to predict future demand.

One case study showcasing the importance of demand forecasting is IBM’s use of demand forecasting models powered by AI. The multinational technology company has been able to achieve a reduction in forecasting errors by up to 28% through their AI-enabled models.

IBM applied machine learning to time-series forecasting, which allowed them to generate short-term and long-term sales forecasts at scale across various product categories. They used different AI models such as Auto-Regressive Integrated Moving Average (ARIMA), Long Short-Term Memory (LSTM), and Decision Trees to make their predictions.

Furthermore, IBM utilized a combination of structured (e.g., sales numbers, stock levels) and unstructured data (e.g., text reviews, social media sentiment) in their forecasting models. By combining different types of data and using machine learning to process it, IBM could create more accurate and sophisticated demand forecasts.

The accuracy of demand forecasting can have a significant impact on business performance. According to a report by the Global Journal of Management and Business Research, a 1% improvement in forecast accuracy can result in a 2% decrease in inventory costs. Thus, demand forecasting can lead to substantial cost savings and increased profitability for businesses.

Despite these benefits, demand forecasting also has some challenges. It requires quality data, sophisticated analytical capabilities, and the ability to adjust forecasts based on changing market conditions. Therefore, businesses need to invest in technology, data management, and analytics capabilities to leverage demand forecasting effectively.

Safety Stock

Having a safety stock can mitigate the risk of stockouts. Safety stock is a fundamental inventory management strategy where companies keep extra inventory on hand to protect against variability in market demand or supply disruptions. It acts as insurance against stockouts, which can lead to lost sales, disappointed customers, and potential harm to a company’s reputation.

The theoretical underpinning for safety stock calculations often revolves around lead time, demand variability, and service level expectations. The classic safety stock formula is:

Safety Stock = (Max Lead Time – Average Lead Time) * Average Demand

Here, the Max Lead Time and Average Lead Time represent the longest and average time taken to replenish stock, and the Average Demand is the average units sold during that lead time.

Many companies modify this formula to consider the standard deviation of lead time and demand, as well as the desired service level (probability of not having a stockout).
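The two calculations described above, side by side, as an added example that is not part of the original article. The sample history is constructed, demand is assumed to be measured per day and lead time in days, and the service-level variant uses the common textbook form z * sqrt(avg lead time * demand variance + avg demand^2 * lead time variance), which the article alludes to but does not spell out.

```python
from math import sqrt
from statistics import NormalDist, mean, stdev

# Constructed sample history (illustrative values, not real data).
DAILY_DEMAND = [40, 52, 47, 38, 60, 45, 55, 43, 49, 51]  # units sold per day
LEAD_TIMES = [5, 7, 6, 9, 5, 4]                          # days per replenishment


def classic_safety_stock(lead_times, daily_demand):
    """(Max Lead Time - Average Lead Time) * Average Demand, as in the article."""
    return (max(lead_times) - mean(lead_times)) * mean(daily_demand)


def statistical_safety_stock(lead_times, daily_demand, service_level):
    """Safety stock sized for a target probability of not stocking out.

    Assumes demand and lead time are independent and roughly normal.
    """
    if not 0.5 <= service_level < 1.0:
        raise ValueError("service_level must be in [0.5, 1.0)")
    if len(lead_times) < 2 or len(daily_demand) < 2:
        raise ValueError("need at least two observations of each series")

    z = NormalDist().inv_cdf(service_level)  # z-score for the service level
    avg_lt, sd_lt = mean(lead_times), stdev(lead_times)
    avg_d, sd_d = mean(daily_demand), stdev(daily_demand)

    # Variance of total demand over one replenishment cycle.
    variance = avg_lt * sd_d ** 2 + avg_d ** 2 * sd_lt ** 2
    return z * sqrt(variance)


def reorder_point(lead_times, daily_demand, safety_stock):
    """Stock level at which to reorder: expected lead-time demand plus buffer."""
    return mean(lead_times) * mean(daily_demand) + safety_stock


if __name__ == "__main__":
    classic = classic_safety_stock(LEAD_TIMES, DAILY_DEMAND)
    print(f"classic formula:        {classic:.1f} units")
    for level in (0.90, 0.95, 0.99):
        ss = statistical_safety_stock(LEAD_TIMES, DAILY_DEMAND, level)
        rop = reorder_point(LEAD_TIMES, DAILY_DEMAND, ss)
        print(f"service level {level:.0%}: {ss:6.1f} units, reorder at {rop:.1f}")
```

Raising the service level increases the buffer non-linearly, which is the holding-cost trade-off the article goes on to discuss.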

Implementing safety stock requires a delicate balance. While having a high level of safety stock can prevent stockouts, it also increases inventory holding costs. The inventory holding cost is a critical facet of any inventory management technique. On the other hand, keeping a low level of safety stock reduces holding costs but increases the risk of stockouts.

A case study highlighting the effective use of safety stock is Amazon. The e-commerce giant uses advanced algorithms and machine learning techniques to determine optimal safety stock levels for millions of products. Amazon’s sophisticated inventory management system takes into account various factors, such as historical sales data, product life cycle, seasonal trends, and supplier reliability. This approach has reportedly helped Amazon maintain a high in-stock rate of 97.8% in 2020, reducing the risk of lost sales and improving customer satisfaction.

Moreover, a study by the International Journal of Production Economics found that a well-managed safety stock can lead to a 10-20% reduction in total inventory costs. This is achieved by maintaining a balance between holding costs and the cost of stockouts.

Despite its benefits, managing safety stock comes with challenges. It requires accurate data, sophisticated algorithms, and the ability to respond swiftly to changing market conditions. Businesses also need to periodically review and adjust their safety stock levels as demand patterns, lead times, and business goals change.

Batch Tracking

Batch tracking can mitigate the risks of product recalls. Batch tracking, also known as lot tracking, is a quality control inventory management technique that allows businesses to track goods along the distribution chain. It is especially important in industries where products need to be closely monitored for reasons of safety, compliance, or quality control, such as food, pharmaceuticals, and electronics.

In essence, batch tracking records the journey of a batch or lot of products or materials from their origin, through the manufacturing process, to the end consumer. This allows companies to manage recalls effectively, ensure regulatory compliance, and improve product quality.

The concept of batch tracking relies on the following principles:

Traceability

Every batch or lot of products should have a unique identifier that allows it to be tracked throughout the supply chain.

Transparency

Information about each batch, such as its origin, processing history, and distribution, should be recorded and readily available.

Accountability

Companies should take responsibility for the quality and safety of their products and have procedures in place for managing recalls or quality issues.

Case Studies

A case study demonstrating the importance of batch tracking comes from the pharmaceutical industry, in the case of the pharmaceutical company XYZ (hypothetical for the sake of the explanation). The company implemented batch tracking to improve its inventory management and product quality control. Inventory management is highly critical for any product that is sensitive to time.

The company assigned unique identifiers to each batch of drugs manufactured, enabling it to trace the journey of each batch from the raw materials used, through the manufacturing process, to the distribution to pharmacies. This allowed XYZ to quickly identify and isolate any batches that were associated with quality issues, reducing the scope and cost of recalls.

Furthermore, the implementation of batch tracking led to a decrease in carrying costs by about 27%, as the company was able to manage its inventory more effectively and reduce waste.

Additionally, a study by the Aberdeen Group found that companies using batch tracking had a 26% higher successful product completion rate compared to those not using batch tracking. This demonstrates how batch tracking can contribute to operational efficiency and product quality.

However, batch tracking can be challenging to implement. It requires sophisticated tracking systems, accurate data, and strong cooperation from all stakeholders in the supply chain. Therefore, businesses need to invest in the right technologies and processes to implement batch tracking effectively.

Vendor-Managed Inventory (VMI)

In a VMI arrangement, suppliers manage inventory levels. Vendor-Managed Inventory (VMI) is a supply chain practice where the supplier or vendor is responsible for maintaining the customer’s inventory levels. Under this model, the supplier has access to the customer’s inventory data and is responsible for generating purchase orders.

This practice aims to improve inventory turnover and reduce stockouts or overstock situations. Aligning the manufacturer’s production with the retailer’s sales cycle enhances the efficiency of the supply chain. This collaborative process of inventory management is becoming very popular in lean and agile systems nowadays.

The VMI model is based on several principles:

Information Sharing

In a VMI relationship, the customer shares real-time data on stock levels, sales, and forecasts with the supplier. This transparency allows the supplier to better plan production and deliveries.

Inventory Ownership

The supplier retains ownership of the inventory until it’s sold, effectively transferring the risks associated with inventory management from the customer to the supplier.

Performance Metrics

The supplier’s performance is usually evaluated based on the level of customer service they provide, such as their ability to avoid stockouts and maintain optimal inventory levels.

A successful case study of VMI implementation comes from Barilla, an Italian pasta manufacturer. Before implementing VMI, Barilla suffered from significant demand variability, leading to stockouts and excess inventory. By adopting a VMI strategy, Barilla transferred the responsibility of inventory management to its suppliers.

With access to real-time sales data, suppliers were able to better forecast demand, optimize production schedules, and improve delivery performance. This resulted in a 30% reduction in stockout instances and a significant improvement in Barilla’s customer service levels.

The benefits of VMI are supported by numerous studies. According to research by the Journal of Operations Management, VMI can lead to an average inventory reduction of 31% and an increase in service levels by up to 6%.

However, implementing a VMI strategy requires a high degree of collaboration and trust between the customer and the supplier. Both parties need to invest in compatible IT systems, adopt standardized processes, and agree on performance metrics. The benefits of VMI also depend on the nature of the products, the stability of demand, and the capabilities of the supplier.

ABC Analysis

This involves categorizing inventory based on its importance and value.  ABC analysis is a method of categorizing inventory into three categories based on their importance and value to the business. The system gets its name from the classes it involves: ‘A’ items are very important, ‘B’ items are important, and ‘C’ items are marginally important.

‘A’ Items: These are the high-priority items, often representing a small percentage of total items but a large portion of the inventory cost. They require close inventory control and rigorous demand forecasting.

‘B’ Items: These are the intermediate items, making up a larger percentage of total items but representing a lower portion of inventory cost than ‘A’ items. They require a moderate level of inventory control.

‘C’ Items: These are the low-priority items, which constitute the majority of the total items but contribute the least to the inventory cost. They require less stringent control and can be ordered in larger quantities less frequently.

The basic principle of ABC analysis is the Pareto principle, or the 80/20 rule, which suggests that 80% of the effects come from 20% of the causes. In the context of inventory management, it often happens that 80% of a company’s inventory value is made up of only 20% of its items. This categorization is basic to any inventory management process.

Example and Case Study

An example of the application of ABC analysis is in a pharmaceutical company, XYZ (hypothetical for the sake of the explanation). The company categorized its inventory based on the annual consumption value of each product (calculated as the annual demand multiplied by the cost per unit).

‘A’ items were the top 20% of items that accounted for about 70% of the company’s total inventory value. ‘B’ items were the next 30% of items, contributing around 25% of the total inventory value. The remaining 50% of items, classified as ‘C’ items, contributed only 5% to the inventory value.

By focusing its inventory management efforts on ‘A’ items, XYZ was able to manage its inventory more effectively, leading to a decrease in carrying costs by about 27%.
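The XYZ categorization described above can be reproduced in a few lines. The following is an added example, not part of the original article: it ranks items by annual consumption value, applies the 20% / 30% / 50% item split from the text, and reports the share of value each class holds. The SKU names, demand and cost figures, and function names are constructed for illustration, and SKUs are assumed to be unique.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Item:
    sku: str
    annual_demand: int  # units consumed per year
    unit_cost: float    # cost per unit


def annual_value(item):
    """Annual consumption value = annual demand x cost per unit."""
    if item.annual_demand < 0 or item.unit_cost < 0:
        raise ValueError(f"negative demand or cost for {item.sku}")
    return item.annual_demand * item.unit_cost


def abc_classify(items, a_pct=20, b_pct=30):
    """Return {sku: 'A'|'B'|'C'} using the item-count split from the text.

    Items are ranked by annual consumption value (highest first, SKU as a
    deterministic tie-break). The top a_pct percent of items become 'A',
    the next b_pct percent 'B', and the rest 'C'. Counts are rounded up so
    that a very small catalogue still gets at least one 'A' item.
    """
    ranked = sorted(items, key=lambda it: (-annual_value(it), it.sku))
    n = len(ranked)
    n_a = -(-n * a_pct // 100)             # integer ceiling of n * a_pct / 100
    n_ab = -(-n * (a_pct + b_pct) // 100)  # items in 'A' and 'B' together
    classes = {}
    for position, item in enumerate(ranked):
        if position < n_a:
            classes[item.sku] = "A"
        elif position < n_ab:
            classes[item.sku] = "B"
        else:
            classes[item.sku] = "C"
    return classes


def value_share_by_class(items, classes):
    """Return the fraction of total annual consumption value in each class."""
    totals = {"A": 0.0, "B": 0.0, "C": 0.0}
    for item in items:
        totals[classes[item.sku]] += annual_value(item)
    grand_total = sum(totals.values())
    if grand_total == 0:
        return totals  # nothing consumed: every share is zero
    return {label: value / grand_total for label, value in totals.items()}


# Constructed sample catalogue (ten items, total annual value 100,000).
SAMPLE_ITEMS = [
    Item("SKU-01", 400, 100.0),
    Item("SKU-02", 1500, 20.0),
    Item("SKU-03", 2000, 5.0),
    Item("SKU-04", 800, 10.0),
    Item("SKU-05", 3500, 2.0),
    Item("SKU-06", 1000, 1.0),
    Item("SKU-07", 500, 2.0),
    Item("SKU-08", 250, 4.0),
    Item("SKU-09", 200, 5.0),
    Item("SKU-10", 100, 10.0),
]

if __name__ == "__main__":
    sample_classes = abc_classify(SAMPLE_ITEMS)
    shares = value_share_by_class(SAMPLE_ITEMS, sample_classes)
    for label in "ABC":
        skus = sorted(s for s, c in sample_classes.items() if c == label)
        print(f"{label}: {len(skus)} items, {shares[label]:.0%} of value -> {skus}")
```

Comparing the reported value shares against the 70% / 25% / 5% pattern shows whether a given catalogue actually follows the Pareto distribution the method assumes.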

Several studies have validated the benefits of ABC analysis. For instance, a study published in the Journal of Operations Management found that companies using ABC analysis achieved a 14% reduction in inventory costs compared to those not using it.

However, implementing ABC analysis requires a good understanding of the company’s products and market dynamics. It also requires the collection and analysis of accurate demand and cost data. Therefore, companies need to invest in data management and analytical capabilities to apply ABC analysis effectively.

Inventory Turnover Ratio

This measures how often inventory is sold and replaced within a specific period.

The inventory turnover ratio is a key performance indicator that measures the efficiency of inventory management. It represents how many times a company has sold and replaced its inventory during a specific period, usually a year. The ratio provides insights into a company’s operational efficiency, liquidity, and overall financial health.

The formula to calculate the inventory turnover ratio is:

Inventory Turnover Ratio = Cost of Goods Sold (COGS) / Average Inventory

Cost of Goods Sold (COGS) is the total cost of all goods sold during a specific time period.

Average Inventory is the mean value of inventory during the same time period, usually calculated as the average of the inventory levels at the start and end of the period.

A higher inventory turnover ratio indicates that a company sells its inventory quickly, implying efficient inventory management and high demand for its products. Conversely, a lower ratio could suggest overstocking, slow sales, or obsolete inventory.

Consider a hypothetical example: a retail company, XYZ, which had a COGS of $2 million and an average inventory of $500,000 for the year. By applying the formula, XYZ’s inventory turnover ratio would be 4. This means that XYZ sold and replaced its inventory four times during the year.

The optimal inventory turnover ratio can vary significantly across different industries. For instance, in fast-moving industries like fashion or perishable goods, a high turnover ratio is desirable. In contrast, industries with slower-moving goods, like furniture or appliances, may have a lower turnover ratio. Having a solid understanding of the turnover ratio is key to inventory management.

According to a study published in the Journal of Business Logistics, companies with higher inventory turnover ratios tend to have higher profit margins. The research found that a 10% increase in the inventory turnover ratio could lead to a 1% increase in the profit margin.

However, interpreting the inventory turnover ratio requires caution. While a high turnover ratio can suggest efficiency, it might also indicate inadequate inventory levels, leading to stockouts and lost sales. On the other hand, a low turnover ratio could signal overstocking or weak sales, but it might also reflect a strategic decision to maintain higher inventory levels to guard against supply chain disruptions.

Just-in-Time (JIT) Inventory

This method reduces inventory carrying costs.  Just-in-Time (JIT) inventory management is a strategy aimed at reducing in-process inventory and its associated carrying costs. The approach is based on producing goods to meet demand precisely when needed in the production process, not before, thereby minimizing inventory levels.

The underlying principles of JIT are:

Pull System

Production is driven by customer demand rather than forecasts. Each stage of the production process only produces what the next stage needs, and the process starts when the final customer places an order.

Zero Inventory

The aim is to eliminate inventory, both raw materials and finished goods, as much as possible. Inventory is seen as a sign of inefficiency, indicating overproduction and waste.

Continuous Improvement (Kaizen)

JIT is closely associated with the principle of Kaizen, which focuses on continuous improvement in all aspects of the business, including reducing waste, improving efficiency, and enhancing quality.

Toyota is famously known for implementing JIT in its production system, known as the Toyota Production System. Before JIT, Toyota, like many other companies, produced more than necessary and stored surplus goods in warehouses, leading to high inventory costs and waste.

Implementing JIT allowed Toyota to dramatically reduce its raw material, work-in-process, and finished goods inventories. By synchronizing the production rate with consumer demand, Toyota reduced its inventory levels by more than 50%, leading to significant cost savings. It also led to an improvement in quality, as it was easier to detect defects in a system with minimal inventory.

Several studies have demonstrated the benefits of JIT. For instance, a study published in the Journal of Operations Management found that implementing JIT can lead to an improvement in return on assets (ROA) by up to 70%.

However, successful implementation of JIT requires a stable and reliable supply chain, efficient production processes, and accurate demand forecasting. Any disruption in the supply chain, such as supplier failure or transportation delays, can halt production and lead to stockouts. Thus, while JIT can bring significant cost savings and efficiency improvements, it also comes with its own set of risks.

Real-time Tracking

This involves monitoring inventory in real-time. Real-time tracking in inventory management refers to the continuous and instantaneous tracking of inventory items, from the moment they enter the warehouse until they are sold and dispatched. It involves the use of advanced technologies, such as RFID tags, barcodes, IoT devices, and cloud-based software, to monitor and update inventory levels in real-time. With advanced data analytics, real-time inventory management is becoming more economical.

The primary principles of real-time tracking are:

Instantaneous Updates

Every movement of inventory, from receiving and storing to picking and shipping, is immediately recorded and reflected in the inventory levels.

Real-time tracking provides a clear and accurate view of the current inventory levels, location of items, and status of orders at any given time.

By eliminating manual entry and the delay in updating inventory records, real-time tracking significantly improves the accuracy of inventory data.

A case in point is Amazon, which uses real-time tracking extensively in its fulfillment centers. Amazon utilizes RFID tags, automated guided vehicles (AGVs), and sophisticated inventory management systems to track each item in its vast warehouses in real time. This allows Amazon to maintain accurate inventory records, streamline order fulfillment, and provide real-time updates to customers.

Implementing real-time tracking resulted in a significant reduction in order fulfillment time, an increase in warehouse efficiency, and improved customer satisfaction due to the visibility into order status. In terms of numbers, Amazon was reportedly able to reduce its “click to ship” time, that is, the time from when a customer places an order to when it’s shipped, from 60-75 minutes to under 15 minutes.

Several studies have shown the benefits of real-time tracking. According to a report by Zebra Technologies, businesses that implemented real-time tracking reported an average improvement of 32% in inventory accuracy and a 27% acceleration in order cycle times.

However, implementing real-time tracking requires a significant investment in technology and the development of standardized processes. It also involves a shift in mindset from periodic to continuous inventory management. Therefore, businesses need to carefully assess their needs, capabilities, and resources before implementing real-time tracking.

Dropshipping

This involves selling products without stocking them. Dropshipping is a retail fulfillment model in which the retailer does not keep goods in stock. Instead, when a retailer sells a product using the dropshipping model, it purchases the item from a third party—usually a wholesaler or manufacturer—and has it shipped directly to the customer. This eliminates the need for the retailer to handle the product directly, reducing inventory and warehousing requirements. Inventory management with dropshipping needs heavy optimization though.

The fundamental principles of dropshipping are:

In a dropshipping model, the retailer does not own inventory. Instead, inventory is held by the suppliers until it’s sold.

Order Fulfillment

When a customer places an order, the retailer transfers the customer’s order details and shipping information to the supplier, who then fulfills the order directly to the customer.

Product Assortment

As retailers do not need to pre-purchase the items they sell, they can offer a wider variety of products to customers.

One successful case study of dropshipping is Wayfair, a popular online furniture retailer. The company holds virtually no inventory and relies extensively on dropshipping. When a customer places an order on Wayfair’s platform, the order is sent to the manufacturer, who ships the item directly to the customer. This model allows Wayfair to offer a vast selection of products without the need to manage complex inventory or large warehouses.

According to data from a report by Market Research Future, the global dropshipping market size was projected to reach approximately $557.9 billion by 2025, growing at a compound annual growth rate (CAGR) of 28.8% from 2018.

However, the dropshipping model also has its challenges. It can lead to lower profit margins, as suppliers also take their share of profits. Also, because retailers don’t control the entire supply chain, they can face difficulties with product quality control, order fulfillment, and customer service.

Cross-docking

This involves transferring incoming shipments directly to outgoing trucks, reducing warehouse storage needs.

Cross-docking is a logistics strategy in which products from a supplier or manufacturing plant are distributed directly to customers with minimal to no handling or storage time. The term “cross-docking” comes from the process of receiving products through an inbound dock and then transferring them across the dock to the outbound transportation dock. Cross-docking is becoming more popular for large organizations with decentralized inventory management.

The core principles of cross-docking include:

In cross-docking, speed is key. The objective is to unload materials from an incoming semi-trailer truck or rail car and then directly load these materials onto outbound trucks or trailers with little to no storage in between.

Synchronization

The success of cross-docking depends on the synchronization of inbound and outbound transport. The goal is to ensure that the incoming goods arrive just in time to be loaded onto the outbound transport.

Cross-docking requires a central site where the routing of products is handled. At this site, products are received from multiple sources and then sorted onto outbound trucks going to different destinations.

An effective example of cross-docking is Walmart’s distribution model. Walmart’s suppliers send full truckloads of products to a Walmart distribution center, where they’re then distributed to individual stores in less-than-truckload (LTL) quantities. Walmart uses cross-docking efficiently to get products from suppliers to their stores without holding inventory at the distribution centers. It helps them to reduce inventory holding costs, minimize storage requirements, and get products into stores faster, which is crucial in retail industries.

According to a study published in the International Journal of Retail & Distribution Management, the implementation of cross-docking can lead to a reduction in order cycle time by 33%, and inventory reduction by up to 50%.

However, to successfully implement cross-docking, companies require significant planning, investment in a central routing facility, and sophisticated logistics software to coordinate and synchronize transport schedules. It’s also crucial to have reliable suppliers that can adhere to strict delivery schedules. If these conditions aren’t met, cross-docking can lead to increased transportation costs, delivery delays, and customer dissatisfaction.

Inventory Management Software

Companies like Oracle, SAP, and Microsoft offer advanced inventory management software that can automate various processes, resulting in reduced errors and increased efficiency.

Inventory management software is a tool that helps businesses track and manage their inventory levels, sales, orders, and deliveries. It can also be used to create purchase orders, back orders, and invoices. The software’s primary purpose is to avoid product overstock and outages, ensuring that the right amount of stock is maintained at all times. Using such software is essential for building a strong inventory management system.

The key features of inventory management software include:

Inventory Tracking

This feature allows businesses to track their inventory levels in real time. The software can provide updates when stock is low or when it’s time to reorder.

Barcode Scanning

Many inventory management systems come with barcode scanning capabilities. This allows businesses to quickly input and track products, reducing manual errors.

Reporting and Analytics

These features provide businesses with insights into their inventory levels, sales trends, and order history. This can help businesses make more informed decisions about stock management, pricing, and sales strategies.

Integration Capabilities

Inventory management software can often be integrated with other business systems, such as accounting software, e-commerce platforms, and CRM systems, to streamline operations.

One example of a company leveraging inventory management software is Zara, the Spanish clothing retailer. Zara uses sophisticated inventory management software to track each item in real-time, from when it’s manufactured to when it’s sold. This allows Zara to keep track of its fast-moving inventory, respond quickly to changes in demand, and minimize stockouts and overstock.

According to a report by Mordor Intelligence, the global inventory management software market was valued at USD 2.42 billion in 2020 and is expected to reach USD 5.6 billion by 2026, growing at a CAGR of 15% during the forecast period (2021-2026).

However, implementing inventory management software requires a significant investment in technology and may require staff training. It also requires the collection and analysis of accurate data. Therefore, businesses need to carefully evaluate their needs and resources before deciding to invest in inventory management software.

Consignment Inventory

Here, payment to suppliers is made only when their goods are sold.

Consignment inventory is a business model in which a consignee (retailer) agrees to receive and store products from a consignor (supplier or manufacturer), but the consignor retains ownership of the products until they are sold. Once the product is sold, the consignee pays the consignor for the inventory. It is similar to, yet distinct from, the dropshipping model of inventory management.

The core principles of consignment inventory include:

In a consignment inventory agreement, the consignor retains the ownership of the goods until they are sold. This implies that the consignor bears the financial risk of the inventory until the point of sale.

The consignee pays for the inventory only after it is sold to the end consumer. The unsold inventory can be returned to the consignor, reducing the financial risk for the consignee.

Inventory Management

Typically, the consignor is responsible for managing the inventory, which includes replenishing stock when levels are low and removing outdated or unsold merchandise.

A great example of the consignment model is the relationship between book authors (consignors) and bookstores (consignees). Many bookstores will display books, particularly from unknown or independent authors, on a consignment basis. This allows the bookstore to offer a wide range of titles without the risk of investing in inventory that may not sell.

According to data from Stitch Labs, using a consignment model can increase revenue by as much as 20%, as retailers can offer a wider variety of products without the risk of unsold inventory.

However, there are potential downsides to the consignment model. For consignors, delayed revenue recognition and the risk of not selling the inventory can be significant. For consignees, consignment inventory can take up valuable retail space without providing immediate revenue. Also, managing consignment inventory can be complex, requiring careful tracking and accounting to ensure accurate payment upon sale.

Cycle Counting

This involves regularly counting a subset of inventory.

Cycle counting is an inventory auditing technique where a small subset of inventory, in a specific location, is counted on a specified day. It is a method used by businesses to count their inventory continuously and cyclically throughout the year, rather than counting all inventory at once during a full physical inventory count. Cycle counts contrast with traditional physical inventory counts, where operations are halted once or twice a year to count all inventory items. To bring discipline into inventory management this process is necessary.

The essential principles of cycle counting are:

Consistent Counting

In a cycle counting system, a small, specific subset of inventory is counted at regular intervals, ensuring ongoing accuracy.

Inventory items are not all counted at the same frequency. High-value items, fast-moving items, or items critical to business operations are often counted more frequently.

Division of Labor

By breaking down the task of inventory counting into smaller parts, the job can be completed without disrupting normal operations.

A successful implementation of cycle counting can be found at Apple Inc. Apple uses cycle counting to maintain an accurate inventory record. This technique helps them to identify and correct potential problems early, reducing discrepancies between actual and recorded inventory.

A study by the Association for Supply Chain Management (APICS) found that companies using cycle counting systems could achieve inventory accuracy levels of 97% or higher. This contrasts with a traditional annual physical inventory system, which often results in lower overall accuracy due to a lack of frequent validation.

While cycle counting can significantly improve inventory accuracy, its implementation is not without challenges. It requires a consistent and ongoing effort and requires businesses to invest in proper training for staff to conduct the counts effectively and efficiently. If not appropriately managed, cycle counting can lead to discrepancies and errors.

Inventory Shrinkage Control

Implementing measures to control shrinkage can reduce inventory losses. Inventory management thus takes center stage.

Inventory shrinkage refers to the loss of products between the point of manufacture or purchase from suppliers and the point of sale. It is a significant issue that can impact a company’s bottom line. The main causes of inventory shrinkage include theft, damages, miscounting, and supplier fraud. Instilling discipline is required for any type of inventory management.

Here are the key principles to control inventory shrinkage:

Regular Audits

Regular inventory audits, including cycle counting, can help identify shrinkage early and mitigate its impact. It allows you to identify discrepancies between your physical inventory and your inventory records, indicating potential shrinkage.

Security Measures

Implementing security measures, such as surveillance cameras, electronic article surveillance (EAS) systems, and security personnel, can deter theft, one of the significant contributors to inventory shrinkage.

Employee Training

Well-trained employees are more likely to handle inventory properly, reducing losses due to damage or miscounting. Also, educating them about the consequences of theft, including job loss and legal action, can deter internal theft.

Vendor Management

Establishing strong relationships with vendors and carefully monitoring their activities can help prevent supplier fraud. This can include checking shipments for accuracy and quality.

One successful case study of shrinkage control is at Target Corporation. The company employs advanced analytics to identify patterns in theft and uses electronic surveillance systems throughout their stores. They also have a rigorous vendor vetting process to prevent vendor fraud. These measures have reportedly resulted in a substantial reduction in inventory shrinkage.

According to the National Retail Federation’s 2020 National Retail Security Survey, the average inventory shrink rate in the U.S. retail industry is around 1.62% of sales. This may seem like a small percentage, but given the volume of sales in the retail industry, it can amount to billions of dollars.

Centralized Inventory

Centralizing inventory can reduce costs and improve efficiency.

A centralized inventory management system is a method where a company maintains its entire inventory from one central location or a few select locations. Rather than keeping stock in various places such as individual stores or warehouses scattered across different regions, all products are kept in one central warehouse from which they’re distributed to individual sale locations or directly to consumers. Organizations are looking to centralized inventory management after the Covid disruptions.

The core principles of centralized inventory management include:

Central Location

In centralized inventory management, all inventory is managed from one central location. This could be a central warehouse, distribution center, or a fulfillment center.

Streamlined Supply Chain

Centralizing inventory allows for a more streamlined supply chain as all goods come in and go out of the same place. This can make it easier to manage and keep track of inventory.

Consolidated Management

With centralized inventory, inventory management is consolidated. This means that one team (or sometimes one person) can oversee the entire inventory, which can lead to more effective management and decision-making.

One notable example of successful centralized inventory management is Amazon. Amazon keeps its inventory in large, strategically located fulfillment centers from where they dispatch products directly to customers. This centralized system allows Amazon to manage and control its inventory effectively and deliver products rapidly.

According to a report from Accenture, centralizing inventory management can lead to a 10% – 20% reduction in inventory carrying costs. It also can help companies enhance customer service and increase sales by ensuring the right products are available at the right time.

However, there are potential drawbacks to centralized inventory management. One of the main risks is that if the central warehouse encounters a problem (like a natural disaster or a major system failure), it can disrupt the entire supply chain. Also, centralized inventory may not always provide the speed needed for rapid delivery to distant locations.

Samrat Saha

Samrat is a Delhi-based MBA from the Indian Institute of Management. He is a Strategy, AI, and Marketing Enthusiast and passionately writes about core and emerging topics in Management studies. Reach out to his LinkedIn for a discussion or follow his Quora Page

  • DOI: 10.1515/ITMS-2015-0014
  • Corpus ID: 56145071

Case Study on Inventory Management Improvement

  • Plinere Darya, Borisov Arkady
  • Published 1 December 2015
  • Business, Computer Science, Engineering
  • Information Technology and Management Science


  • Open access
  • Published: 03 September 2024

Analyzing economic effect on mRNA vaccine inventory management with redistribution policy

  • Hyungju Kim, Hyungjoo Cha & Taesu Cheong

Scientific Reports volume 14, Article number: 20425 (2024)


  • Health policy
  • Health services

This study focused on the challenges posed by the fluctuating demand for COVID-19 vaccines, considering factors such as side effects, religious objections, and absenteeism, which result in the accumulation of excess vaccines. Recognizing the resulting social, economic, and environmental issues, this study investigated the application of a lateral transshipment policy for the management of the inventory of short-term vaccines, considering related unpredictabilities. A discrete event simulation built on foundational principles derived from a mixed-integer linear programming model was employed to explore the dynamics of mRNA-based vaccine distribution between two hospitals based on lateral transshipment and reordering policies. In simulations of various scenarios over periods of 1-30 days, a transshipment policy based on availability determined the quantity of vaccines to be transshipped, constrained to vial amounts, and the (s, S) inventory system governed reordering. The results of this study underscore the efficacy of lateral transshipment, particularly in situations where demand discrepancies exist between hospitals, thereby revealing its superiority over non-transshipment strategies within 7 days.

Introduction

In late 2019, COVID-19 emerged as a novel virus, distinct from the six known species, that prompted global health and industrial challenges. Over 178 million COVID-19 cases and 3.84 million deaths associated with COVID-19 have been recorded worldwide 1 . Governments adopted strategies, such as social distancing and teleworking, to mitigate its spread, while the pharmaceutical industry worked on accelerating vaccine development. The development of vaccines against infectious diseases is among the most effective strategies for mitigating their effects. However, this achievement is not sudden; rather, it is the culmination of decades of scientific research and technological advancement 2 . The urgency of the pandemic has sparked remarkable global efforts. By November 2020, more than 210 potential vaccines were in the pipeline, with 11 advancing to Phase 3 clinical trials 3 . A key factor in this rapid progress was the adoption of cutting-edge technologies such as mRNA in the vaccine development process 4 . Among these rapid and competitive developments, the Pfizer-BioNTech vaccine is considered to be up to 95% effective against severe diseases or death 1 .

mRNA vaccines introduce the viral antigen gene in mRNA form into the body, which then produces antigen proteins and stimulates an immune response. However, these vaccines face a significant challenge. The main component, that is, mRNA, is susceptible to degradation by RNA-degrading enzymes (RNases) 5 . This vulnerability necessitates special storage and transportation conditions such as ultralow-temperature freezing to maintain stability, thus highlighting the need for meticulous management in terms of storage, transportation, and hygiene 6 , 7 . Therefore, the specific guidelines for handling vaccines, particularly after thawing, necessitate several key protocols 8 :

  • Vaccines should be administered on the same day they are thawed.
  • Once opened, the vaccines must be discarded after a specified period.
  • Any excess vaccine should not be gathered for use; instead, it should be disposed of appropriately.
  • Vaccines should not be transported to other hospitals once they have been opened.

The production of vaccines has surged dramatically because of the development of mRNA technology and its effectiveness against COVID-19, as reflected in the increase in demand 9 . By June 25, 2021, the worldwide battle against COVID-19 had achieved significant progress, with the production and global distribution of more than 2.88 billion vaccine doses. Through an international vaccination campaign, approximately 1.77 billion people in 213 countries were administered at least one vaccine dose 10 . Despite the clinical superiority of mRNA vaccines in combating COVID-19, public skepticism, fueled by misinformation, religious beliefs, or personal concerns 11 , resulted in erratic vaccination rates. Consequently, studies have focused on conducting extensive research on vaccine hesitancy owing to its profound effect on vaccination rates 12 , 13 , 14 .

Overproduction and underconsumption, which are primarily attributed to vaccine hesitancy, present significant challenges in supply chain management. Consequently, governments face either a surplus or shortage of vaccines 15 , which complicates inventory planning and distribution. In terms of supply chain and inventory management, residual vaccines are plagued by several problems, thus highlighting the need for efficient vaccine redistribution. These problems include:

  • Wastage and expiry: Residual vaccines, or surplus vaccine doses, can be problematic in cases of more supply than demand. This can result in wastage if the vaccines expire before use. Vaccine shelf life and storage requirements (e.g., cold chain maintenance) play significant roles in this.
  • Equity issues: Wealthier countries or regions may have surplus vaccines, whereas poorer regions struggle to obtain sufficient doses. This inequality poses ethical and public health challenges on a global scale.
  • Public health implications: Unused vaccines indicate a missed opportunity to control the spread of the virus. High rates of vaccination are vital to achieving herd immunity and reducing the overall impact of the pandemic.

As previously mentioned, vaccine characteristics underscore their perishable nature, which means that they have a limited lifetime 16 after being thawed. The intricacies of the vaccination process require high precision. In practical scenarios, medical factors such as allergies and side effects 17 , coupled with social factors such as personal beliefs and instances of missed appointments 18 , contribute to the unpredictability of vaccination schedules, or, essentially, the demand for vaccines. This uncertainty complicates the realization of just-in-time vaccination strategies and thus leads to residual vaccination costs. For example, the Irish Health Service Executive reported that €95,000,000 was spent on unused COVID-19 vaccines last year 19 . Consequently, there is a critical need for effective inventory management to optimize and satisfy the fluctuating demand for vaccination.

This study aimed to enhance the efficiency of vaccine inventory management via lateral transshipment. This process, which typically involves the transfer of products between retailers within the same organization, is adaptable to healthcare services. Hospitals administering vaccines may operate independently and are, conventionally, competitors; however, their involvement in vaccination transcends competitive dynamics owing to the overarching goal of public health services. Vaccination scheduling in these hospitals is conducted on an hourly basis through an online platform, where individuals with appointments are expected to adhere to their designated times. We extended the above to analyze the economic effects of a redistribution policy when two hospitals have unequal vaccine stocks and designed mathematical models and simulations that reflected the characteristics of the vaccine and vaccination operations. However, several detailed assumptions are necessary to incorporate the characteristics of vaccines and vaccination into the model. The modeling assumptions are as follows:

  • Each individual is entitled to one dose of the vaccine.
  • The demand for appointments at each clinic varies randomly, following a uniform distribution with an average of \(\mu\) and a standard deviation of \(\sigma\).
  • Patients arriving within their scheduled time are vaccinated within an hour. Vaccinations are scheduled on a first-come-first-served basis.
  • Hospitals operate on a fixed daily schedule.
  • Backorders are not accounted for; a shortage of vaccines at any given time incurs an underage cost.
  • The underage cost is also applicable if an appointment cannot be fulfilled owing to a vaccine shortage.
  • Vaccine suppliers maintain sufficient stock; thus, their inventory levels are not a concern during reorders.
  • Vaccine orders placed with a provider are delivered 2 h after ordering.
  • In the case of lateral transshipment to a nearby hospital, the vaccine is delivered within 1 h of transshipment.
  • Demand for booking vaccines is calculated in dose units, whereas inventory adjustments and lateral transshipment are conducted in vial units.
  • Each hospital starts with an initial stock of vaccine vials.
  • The administration of second doses is not considered in this model.
  • Unused vaccine doses are discarded after one business day.
  • During vaccination, hospitals thaw and prepare the necessary number of vials as required.

mRNA vaccines require extra care in terms of transportation, including cold chain management and storage 20 . Therefore, in situations with unstable demand owing to the aforementioned social factors, the redistribution system of mRNA vaccines is more affected from temporal and physical perspectives. Thus, this study focused on mRNA vaccines and proposed a lateral transshipment policy aimed at optimizing vaccine distribution. This policy ensured an adequate supply while minimizing waste and environmental impacts. Lateral transshipment is often implemented in situations where retailers are in proximity to each other, facilitating the transportation of products within a considerably shorter timeframe. This enhances customer satisfaction and reduces order losses at relatively low costs 21 .

Methodologies such as mixed-integer linear programming (MILP) and discrete event simulation (DES) with lateral transshipment policies have been employed to solve problems related to the specific characteristics of vaccines. These approaches have been utilized in numerous studies to address various challenges in industrial and healthcare settings, including health and inventory management. MILP is a mathematical optimization technique that determines the optimal solution for a given problem based on a user-defined mathematical model. Although it can theoretically determine the optimal solution, actual adaptation to the field is challenging owing to its dimensionality. Consequently, the more responsive framework, DES, is frequently used in the field of inventory management. DES models the operation of a system as a sequence of discrete events over time. Each event occurs at a specific instant and signifies a change in the system state 22 . In contrast to continuous simulation, which models a system’s changes in a continuous time frame, DES jumps from one event to the next.

Under these two methodological pillars, inventory management is aimed at satisfying demand while minimizing costs. Such objectives optimize the stocking levels of on-hand items to consider the trade-off between inventory costs and demands, where inventory costs are mostly considered for holding, ordering, and underage costs. Considerable interest in inventory management has resulted in the consideration of stochastic models, such as newsvendors 23 for a classical inventory issue that has been extensively studied in operations management 24 , 25 . DeYong 26 extended this problem to include price setting using the newsvendor model, highlighting the importance of demand uncertainty in determining the optimal price. Watters 27 explored the role of new communication technologies in electronic news delivery and emphasized the need for comprehensive and personalized news delivery. Besbes 28 further examined the newsvendor problem in the context of decision-making, considering the trade-off between data quality and quantity.

Rastegar 29 and Tavana 30 proposed MILP models for equitable vaccine distribution in developing countries, focusing on influenza and COVID-19 vaccines, respectively. These models consider factors such as the vaccine type, storage requirements, and vulnerable populations. Sarigol 31 introduced a multi-objective order allocation model with product substitution to minimize the number of inefficiently vaccinated individuals, postponed vaccinations, and purchasing costs. Thul 32 proposed a stochastic optimization model for allocating vaccines and testing kits, considering uncertainty and resource scarcity. Wen 33 utilized mixed-integer programming (MIP) to address the challenge of allocating COVID-19 vaccines across diverse groups. They revealed that enhancing the budget resulted in higher vaccination rates, thus enabling more individuals to receive the vaccine and facilitating the attainment of herd immunity with the available vaccine supply. These studies primarily concentrated on the vaccination operations of hospital groups, long-term operations, and factors concerning vaccine recipients, such as age, sex, underlying medical conditions, and the cost of vaccines. In contrast, the present study focused on the effectiveness of a vaccine redistribution policy among individual hospitals, particularly when surplus vaccines are in stock at smaller, non-major hospitals, and assessed its impact on public health.

Alshammari 34 and Arora 35 developed mathematical models to predict vaccination effectiveness, focusing on vaccination thresholds and the delay in the pandemic rise time, respectively. Kim 36 introduced a compartmental model that considered the emergence of mutant viruses and the impact of multiple vaccinations on disease transmission. Vázquez-Abad 37 used a hybrid simulation model to examine the effects of vaccination policies on healthcare systems. Çaglayan 38 attempted to enhance pandemic management, strategizing, and readiness by developing a tool for capacity and workforce planning. This tool, designed using a simulation-based approach, aims to facilitate the implementation and dissemination of mAb treatments for COVID-19.

Collectively, these studies highlighted the crucial role of vaccination in controlling the spread of COVID-19 and the need for further research to optimize vaccination strategies. Despite numerous studies on various aspects of vaccination, our study specifically focused on the operational aspects of vaccine distribution during the COVID-19 pandemic. We focused on the act of vaccination itself and the critical aspect of managing the vaccine inventory. Thus, this study developed and examined a policy for managing vaccine inventory efficiently, addressing the cumulative imbalanced inventory levels caused by discrepancies between supply and demand over operational time buckets, and checking the feasibility of this phrase. A simulation was conducted to analyze the effects of the proposed policy over both short (less than a week) and longer (from 1 week to less than a month) periods to assess its effectiveness over time.

Lateral transshipment redistributes stock from retailers with excess stock to retailers that cannot satisfy customer demands or those facing significant losses owing to high risk 39 . There are two types of lateral transshipments: proactive and reactive. Proactive transshipment involves the prescheduled redistribution of stock among all points in an echelon to minimize handling costs, which is particularly beneficial in the retail sector, where such costs are significant. However, reactive transshipment is triggered by immediate stock shortages at one point, while others have adequate stock. This strategy is more suited to environments where the transshipment costs are lower than the costs of holding excessive inventory and failing to meet immediate demand 40 . Firoozi 41 proposed a scenario-based model for a two-stage multi-echelon system in 2020, demonstrating the benefits of lateral transshipments and multiple sourcing in reducing costs. Achamrah 42 examined a two-level spare parts supply chain, incorporating transshipment and substitution under stochastic demands, highlighting their effectiveness in improving supply chain performance. Farghadani-Chaharsooghi and Karimi 43 proposed a robust optimization model for PRP incorporating outsourcing, lateral transshipment, and demand uncertainty, developing matheuristic algorithms for large-scale problems. Paul 44 reported that lateral transshipment lowered the costs of slow-moving items with demand driven by nonhomogeneous or homogeneous Poisson processes. Naseraldin 45 integrated lateral transshipments into a location inventory model to optimize the number and locations of retail outlets. Paterson 40 conducted a comprehensive review of the literature on lateral transshipments, highlighting the influence of inventory system elements on transshipment methods. Several studies have focused on lateral transshipment policies for discrete events. Banerjee 46 and Hachicha 47 demonstrated the superiority of lateral transshipment approaches over non-transshipment. Liu 48 reported that different transshipment network structures could significantly impact performance, with the “complete link” structure being the most effective. In this study, a lateral transshipment policy tailored to the specific attributes of vaccines was employed in the vaccine inventory DES, with demands following a uniform distribution, and its effectiveness was analyzed.

As COVID-19 transitions from a pandemic to an endemic phase, the insights gained from our study remain pertinent. The strategies and methodologies outlined here are applicable to the current situation and can serve as a valuable reference for managing vaccine distribution in response to future outbreaks of infectious diseases, such as the Zika virus and Mycoplasma pneumonia. This study provides a deeper understanding of efficient vaccine inventory management during critical health crises.

As mentioned in the introduction, the experiments reflect the problem setting of vaccine management, vaccination operations in hospitals, and vaccine transport between hospitals. The details of how the assumptions are applied to the model are described in the methods section. Experiments were conducted in two hospitals, considering two cases wherein the distributions of vaccine appointment demand were similar and different. For each scenario, the effectiveness of the policy was analyzed based on various changes in parameters. The mean, standard deviation, and specific parameters for the demand distributions of the two hospitals, denoted by \(h^{+}\) and \(h^{-}\), respectively, are presented in Table 1. Two DES techniques, without lateral transshipment (DES-NLT) and with lateral transshipment (DES-LT), were employed to assess the short-term effectiveness and measure long-term efficiency. The vaccine administration demand for each hospital followed a probability distribution. To compare the effectiveness, the model was run 1,000 times, with averages considered for each cost and the total cost. The study was differentiated into two scenarios based on the nature of the demand distribution: one wherein both hospitals had differing demand distributions (Case 1), and another wherein they were similar (Case 2). Various parameters were adjusted to observe the resultant policy implications, including changes in vaccine vial size \(|I|\), the initial stock of each hospital, and the associated costs. In Case 1, the demand for each hospital was determined by generating random numbers within 0–20 and 0–10, 2000 times, and the mean and standard deviation were calculated. Case 2 followed the same procedure, generating random numbers within 0–17 and 0–15. The Python NumPy package was used to generate demand from a uniform distribution 49 . Simulations were performed using Python SimPy 50 . The study period was segmented into intervals ranging from 1-30 days. To prevent excessively large fluctuations, the demand occurrences were confined within the \(\pm 2\sigma\) range of each uniform distribution. The parameters used in the experiments and the demand statistics for Case 1 and Case 2 are summarized in Tables 2 and 3.

Case 1: Distinct mean and standard deviation

Figure 1 presents the total cost for a two-day operational period at varying initial inventory levels and under different demand distributions. The data indicate a reduction in total costs when implementing the proposed policy. On average, the difference between NLT and LT costs was 30 when the LT policy was applied. Notably, the costs were minimized when both hospitals started with seven vials each. Typically, an increase in initial inventory decreases the total costs. Specifically, it was observed that the cost was lower when the inventory levels are (5,7), as opposed to (7,5), suggesting a more efficient allocation when hospital \(h^{-}\) had a higher initial inventory relative to demand and hospital \(h^{+}\) had a lower one. This trend underscores the effectiveness of resource management policies.

Figure 1. Average total costs of Case 1 based on initial inventory over a two-day operation period.

Table 4 presents the variation in total cost with change in the initial inventory levels, particularly focusing on the \((h^{+}, h^{-}) = (7,5)\) inventory setup. In the shorter term (1, 2, and 3 days), the policy resulted in a decrease in the total costs. With an initial inventory of seven vials each, DES-LT was more effective than DES-NLT and generated a cost-benefit during the one-day experiment. At the 7-day mark (equivalent to 1 week), the total costs of DES-NLT and DES-LT exhibited similar tendencies. However, over longer periods (10, 20, and 30 days), the effectiveness of the LT policy decreased. For the one-day trial, there was an average 64% reduction in total costs compared with the NLT policy. The initial inventory of seven vials at both hospitals generally resulted in lower costs across all the periods examined. The policy proved economically beneficial in a one-day trial, with cost reductions of 62% and 23% by the end of three days for the two hospitals, respectively. By the end of the week, the policy had maintained its effectiveness. Thus, the policy demonstrated efficiency for shorter durations, particularly when the demand distributions between the two hospitals varied.

Table 5 details the costs for each period for hospitals \(h^{+}\) and \(h^{-}\) with initial inventories of seven and five vials, respectively, as listed in Table 4 . At the one-day duration, the total cost decreased to 49.92% of NLT, with smaller decreases to 22.57% and 8.35% as days are increased to two and three days respectively. Similarly, overage cost decreased by 11%, 9.84%, and 7.09%, and reorder cost decreased by 2% for each day. The increased number of vaccinations due to the LT policy resulted in an increase in revenue and a decrease in total costs. When the LT policy is advantageous, the average overage, underage, and reorder costs are lower than under the NLT policy. Thus, lateral transshipment mitigated issues related to surplus vaccines and missed appointments owing to fluctuating demand. Moreover, it appeared to reduce the frequency of both excessive and insufficient vaccine doses, resulting in fewer reorders compared with the NLT policy. Thus, lateral transshipment was the primary factor influencing the economic effect (or cost reduction). A comparison of the total costs under the NLT and LT policies in Table 5 revealed that the total cost was significantly influenced by average underage and reorder costs. These two factors are critical for analyzing the policy’s impact, particularly when hospitals have different demand distributions.

On day 30, the NLT policy demonstrated clear superiority in terms of total cost across 1000 repetitions, even though the LT policy achieved better overage and reorder costs. This suggests that the NLT policy may be more suitable for long-term operations overall. However, there were instances where the NLT policy performed significantly worse than the LT policy, occurring 2-3 times more frequently (Supplementary Table S1 , S2 in Supplementary material). This discrepancy was found to result from extreme variations in cumulative demand sampled from the given distribution, which magnified the relative benefits of the LT policy in those specific cases.

Tables 6 and 7 present the total costs with changes in \(c_{o}\) and \(c_{u}\) and the variations in total costs with different doses per vial, respectively. Initially, the proposed policy demonstrated superior inventory management compared to the comparative policy on days one, two, and three. However, from day seven onwards, the lateral transshipment policy became ineffective when \(c_{u}\) was equal to or greater than \(c_{o}\) . Specifically, when \(c_{u}\) was lower, a larger gap between \(c_{o}\) and \(c_{u}\) (i.e., a higher \(c_{o}\) ) tended to reduce the total costs. This indicated that the total cost decreased more when \(c_{u} \le c_{o}\) than when \(c_{u} \ge c_{o}\) . In \((c_{o},c_{u})=(15,20)\) and \((c_{o},c_{u})=(20,15)\) , for lower underage costs, the difference (profit conversion) was usually two or greater. This is particularly evident in the case of \((c_{o},c_{u})=(20,5)\) during the 10-day experiment, wherein the LT policy proved to be more effective. Moreover, Table 5 indicates that the average underage cost was approximately 10 times that of the average overage cost. Therefore, lowering \(c_{u}\) significantly reduced costs and increased profitability, which highlights the importance of managing underage costs. Regarding the demand distributions and doses per vial, the case of \(|I|=5\) yielded the most effective results with greater robustness than the others.

As \(|I|\) decreased, the cost decreased and vice-versa. An increase in \(|I|\) is associated with an increase in the initial inventory. If the default parameters are \(|I|=5\) and \(|I|=3\), this implies a 40% reduction in the initial inventory for the default parameter setting; if \(|I|=9\), this implies an 80% increase. Therefore, as \(|I|\) increases, the total cost decreases, and consequently, profits may be made. The LT policy transports vaccines to satisfy vaccine shortages in hospitals. However, the unit of vaccine shortage is a dose, whereas the unit of transported vaccine is a vial. Therefore, an appropriate \(|I|\) that is neither excessively large nor small is required. We have shown that a value of five out of three, five, seven, and nine was appropriate.

Case 2: Homogenous mean and standard deviation

Figure 2. Average total cost of Case 2 based on initial inventory over a 2-day operation period.

Figure 2 illustrates the average total cost influenced by the initial inventory on the second day of the experiment, under circumstances wherein both hospitals experienced similar demand patterns. Herein, the LT policy did not have any significant effect, in contrast to the outcomes observed in Case 1. When the initial inventories were either (5, 7) or (7, 5), the cost difference was minimal. With an increase in the total vaccine inventory, the total cost decreased, which was attributed to the enlarged size of the inventory itself. Table 8 echoes the trends observed in Fig. 2 , indicating that the LT policy was less effective across all periods under similar demand conditions.

This diminished effectiveness is attributed to homogeneous demand distribution, resulting in a disproportionate reduction in inventory. Table 9 presents the average costs when each hospital began with seven vials. In Case 2, it is evident that the reorder costs significantly affected policy effectiveness. Although the average overage and underage costs by policy did not exhibit significant enhancement, the difference in reorder costs by policy increased as the experimental period increased. Further experiments with \((c_{u}, c_{o})\) also showed that the LT policy did not verify its extensive effectiveness in this case.

In contrast to Case 1, the results varied according to the number of doses per vial, as shown in Table 10. Similar to the observations in Case 1, as the number of doses per vial (\(|I|\)) increased, the costs generally decreased and profits increased. In particular, the largest decrease was seen when \(|I|\) increased from 3 to 5. The total cost decreased by an average of 11 times for NLT and 7 times for LT. This trend is attributable to the fact that larger initial inventories resulted in lower costs and higher profits. For doses three, five, and seven, the disparity in total costs between the policies widened with the length of the experimental period. However, for \(|I|=9\), the NLT policy generated higher revenue than the LT policy during the initial setup period, ranging from one day to 1 week, with no significant change in the differential as time progressed. This pattern was not observed at the other doses. Notably, in 10, 20, and 30 days of the experiment, the total revenue of the LT policy exceeded that of the NLT. Thus, in scenarios with similar demand, this shows that the LT policy can be more effective over the long term, with a larger inventory and an increased number of doses per vial.

To further test the realism of the model, we varied the lateral transshipment time from 1 to 2 hours, i.e., whether it arrives within an hour or not. The default parameters were set to \(|I|=5\) and \(init = (7,5)\). Table 11 shows the results for Case 1. Similar to the Case 1 experiment, the cost decreases by day 3. For 1, 2, and 3 days, the proposed policy reduces the NLT cost by 40.45%, 19.45%, and 9.17%, respectively. The cost seemed to increase within 5% compared to Table 5 in Case 1. The LT policy determines the lateral transshipment to maximize the demand at that time. However, if it fails to arrive within one hour, the demand is not satisfied, so it incurs an additional underage cost (penalty), which increases the cost. On the other hand, for periods of more than 3 days, i.e., longer than a week, the LT policy was not superior to NLT, a trend that is in line with the previous experiment.

The proposed lateral transshipment policy was demonstrated to be effective for relatively short periods, such as 1, 2, 3, and 7 days, particularly when each hospital experienced distinct demand distributions. A significant portion of the total cost was consistently attributed to underage and reorder costs across the different scenarios. Thus, demand often exceeded initial stock, indicating the potential to reduce costs by maintaining an adequate inventory level. The strategy and timing of the reordering significantly influenced the overall cost. Specifically, the implemented reorder policy requested twice the average demand in doses, factoring in arrival time, whenever the available stock fell below 1.5 times the average demand for each hospital, with a restocking time of 2 h. This frequent reordering in response to the demand surpassing inventory levels resulted in increased volumes and costs of reorders, coupled with a higher count of underage doses during the 2 h shortages. Moreover, the effect of these factors became more pronounced for experimental periods extending beyond 10 days.

This study introduced a lateral transshipment policy similar to the (s, S) reorder policy. To minimize the total costs, strategies that consider the specific characteristics of vaccines must be devised. The effectiveness of the policy was determined by variations in |I| (doses per vial) and \(c_{o}\), \(c_{u}\) (overage and underage costs per dose), with the profitability of vaccinations being a significant factor. In the lateral transshipment policy, parameters such as p, \(c_{o}\), and \(c_{u}\) were considered; as p (price per dose) increased, the number of transported vials varied. Costs were influenced by changes in the doses per vial. Thus, the experiments tested the variations in \(c_{o}\), \(c_{u}\), and |I| independently; however, future strategies should consider varying these factors together with p.

We did not compare our results with those of the MILP for two reasons. First, the computation process of MILP is time-intensive. Even with identical parameter settings, the computation time required to compute varies significantly across the different demand distributions, and this variability persists even over the shortest experimental durations. As our simulation was executed 1000 times, replicating it with MILP for more complex experimental durations is impractical because of the extensive computation time required. Second, the operational dynamics of the simulations conducted differed from those of the MILP. In our simulation, decisions were made on an hourly basis without foresight of future demand. In contrast, MILP knows the demand at every interval, allowing for optimal solution calculation. This fundamental difference renders any direct comparison of the two approaches not particularly insightful. Thus, replicating the simulation policy using MILP is challenging owing to these computational demands. Consequently, we did not consider the MILP’s solutions. Nevertheless, the MILP’s discrete-time constraints offered a valuable structure for designing our DES and guided us in aligning our simulation framework with that of the MILP, including the reordering and LT policies.

To mitigate sudden demand spikes, we conducted experiments within \(\pm 2\sigma\) of the mean of the uniform distribution, and the current policies resembled rule-based approaches. In addition, in the context of demand, under-aged and over-aged doses were measured in doses, whereas the amounts of reordering and LT were calculated in vials, which resulted in further complexity and reduced the policy effectiveness with more unstable distributions. Thus, future research should explore dynamic or robust policies using reinforcement learning and Markov decision process (MDP)-based simulations to accommodate a wider range of demand scenarios 51, 52.

Vaccines have emerged as a critical measure against COVID-19; however, uncertainties in demand owing to factors such as side effects, religious objections, and absenteeism have caused unstable vaccine demand, resulting in excess vaccines and subsequent social, economic, and environmental challenges. This study evaluated the effectiveness of a lateral transshipment policy in managing the inventory of short-term vaccines in such stochastic situations. Inheriting the basic knowledge of the nature of the problem from the MILP model, this study modeled a DES with lateral transshipment and reordering policies for mRNA-based vaccines across two hospitals, accompanied by a DES of the scenario. Consequently, various timeframes ranging from 1 to 30 days were tested.

The lateral transshipment policy employed lateral transshipment based on the availability (TBA) policy 46 to decide on the quantity to transfer, either less than or equal to a vial’s amount. The reorder policy, in contrast, was structured around the (s, S) inventory system. The transshipment strategy proved beneficial, particularly when demand distributions varied among hospitals, showing greater effectiveness than the no-transshipment approach for up to seven days. The impact of the policy was assessed based on factors such as the profitability of vaccination, costs associated with surpluses or shortages of vaccines, and the availability of doses per vial. Overall, lateral transshipment was more effective than non-transshipment.

However, the complexity involved in tailoring the policies to the unique characteristics of vaccines, determining strategies on a per-dose basis, and applying these strategies on a per-vial basis resulted in instances where rule-based or similar transport policies were less effective. Consequently, there is a need for advanced policy research, particularly the application of MDP-based simulation with reinforcement learning which can be employed for learning-based adaptive control 53 in the DES context, to develop more sophisticated and effective strategies.

To address the inventory management challenges, we employed MILP and DES. Both methods offer advantages in problem integration by combining the MILP with lateral transshipment. Because of the computational difficulty, simulations are the preferred approach. The discrete operation of the inventory in a simulation facilitated the incorporation of aspects of this method. Our research methodology was structured into two distinct phases. The first stage involved designing a mathematical inventory management model that minimized costs under uncertain demand conditions. The second stage focused on analyzing the lateral transshipment policy through simulations that replicated the same environmental conditions and included lateral transshipment variables.

Mixed integer linear programming

The parameters and decision variables used in MILP are shown in Tables 12 and 13:

In our model, time slots T represent the hospital’s operating hours, spanning n hours over k days, resulting in \(|T| = |N|\cdot |K|\) when \(demand^{h,t}\sim \textit{U}(\mu ,\sigma )\). The reorder cost encompasses the per-vial usage and transshipment costs. In the case of lateral transshipment, the cost incurred is solely for transportation purposes. We regard profit as a social benefit that prevents the spread of epidemic diseases through vaccination. Each vaccine vial contained |I| doses. Let p, \(c_{u}\), and \(c_{o}\) represent the revenue per dose when vaccinated, cost per dose when not administered, and cost per dose for leftover vaccines, respectively. Here, p symbolizes the benefit, and \(c_{u}\) and \(c_{o}\) represent the penalties. The objective of this problem was to maximize the number of vaccinated people and minimize the number of unvaccinated individuals. Thus, it minimized the total costs incurred during vaccination. Therefore, the importance hierarchy was \(p > c_{u} \ge c_{o}\) 54. Minimizing costs in this context equates to maximizing revenue. The initial inventory for each hospital \(init_{h}\) was measured in vials. Considering the vaccine appointment demands of two hospitals, \(h^{+}\) and \(h^{-}\), each with their respective means \((\mu _{h^{+}})\) and standard deviations \((\sigma _{h^{+}})\), we formulated a problem that incorporated lateral transshipment.

The specific objective and constraint expressions for this problem are as follows.

The objective function (1) in our model was designed to minimize the total vaccination cost over the period \(|T| = |N|\cdot |K|\). This function comprised several costs, including reordering, lateral transshipment, underage, overage, profit, and holding. To minimize costs, the objective function was formulated as the total cost subtracted from profit.

Constraints (2–6) describe the costs involved in the objective function. Profit was calculated as the total number of doses sold during the period minus the total cost associated with the vials used for vaccination. The cost per used vial, along with transportation costs, was included to represent the cost of reordering. \(Cost_T\) denotes the transportation cost of transported vials. \(Cost_O\) and \(Cost_U\) represent the costs per dose for overage and underage vaccines, respectively. Equation (7) addresses the underage dose that occurs if the demand of a hospital is lower than the number of doses administered, resulting in leftover doses. Constraint (8) defines the overage dose, which is the quantity of vaccine remaining at the end of the day, and is thus discarded. The calculations of the overage dose amount and associated costs are included here. Constraints (9) and (10) establish the relationship between the vial and dose. Through the binary variables x and y and a large number denoted by M, the model ensured that if any dose was used, the corresponding vial was considered open; if no dose was used, the vial count remained 0.

Constraints (11–14) establish the directional nature of lateral transshipment, indicating that it is unidirectional rather than bidirectional. Equations (15–18) depict the dynamics of the vaccine inventory over period T. For example, at \(t=1\) (the first hour of day 1), the vaccine inventory was reduced from its initial level by the scheduled doses plus vials sent to other hospitals and increased by vials received from other hospitals. At \(t=2\), the inventory from the previous hour was adjusted by subtracting the demand and adding the transported vials. Constraints (15–16) are delineated separately to accommodate the indexing notation for reorders.

Constraint (17) pertains to inventory updates for the final hour of the day. Alongside constraint (18), which addresses hours other than 1 and 2, these constraints account for the exclusion of vaccines opened in the last hour and overage vaccines that are required to be discarded. Constraint (18) updates the vaccine inventory for times t excluding 1 and 2, thus increasing the inventory by the vials ordered 2 h prior and those received from other hospitals and decreasing it by the vials transported and doses administered. Because the inventory is measured in doses, Constraint (19) specifies the quantity of vaccine vials in the hospital. Equation (20) relates to reordering, which requires 2 h, and stipulates that no orders can be placed after hour \(n-1\) each day. Constraints (21–33) define the settings and ensure the non-negativity of each decision variable.

Discrete event simulation with lateral transshipment policy

Because daily problem instances may be too complex to solve with MILP within the given time limit (3600 s), DES was utilized for policy analysis. The simulation environment mirrored the mathematical formulation by incorporating a lateral transshipment policy. Both MILP and DES operated under the assumption that the demand for vaccine appointments at two hospitals, \(h^{+}\) and \(h^{-}\), followed a uniform distribution with respective means \((\mu _{h^{+}}, \mu _{h^{-}})\) and standard deviations \((\sigma _{h^{+}}, \sigma _{h^{-}})\). Further, it was considered that the same individuals attended appointments at consistent times. This study focused on reactive lateral transshipments. The lateral transshipment policy extended Banerjee’s TBA policy to accommodate the specific characteristics of vaccines 46.

The DES process was structured into six distinct phases: appointment visits, detection of vaccine stockout, execution of lateral transshipment, renewal of vaccine stock, reorder decisions, and finality of the day’s operations. This approach provided a comprehensive understanding of the dynamics involved in vaccine distribution and management under various demand scenarios.

The parameters of the simulation are shown in Table 14; they have the same meaning as in the proposed MILP.

Step 1. Appointment visit

Patients with appointments, as determined using a uniform distribution model, arrive at the hospital.

Step 2. Detection of vaccine stockout

The vaccine inventory is calculated for each hospital after all appointments have been fulfilled.

If \(EOH_{h,t}\) across different hospitals is negative, the process moves to Step 3; otherwise, it proceeds to Step 4.

Step 3. Execution of lateral transshipment

Step 3.1. Decision on lateral transshipment

Assess the quantity of the vaccine that can be transported and the extent of vaccine dose shortage.

Because transportation is conducted in vials, Eqs. (36) and (37) can be expressed as Eqs. (38) and (39), respectively:

In the proposed model, the variable \(VAS_{h,t}\) was always rounded down and \(VSO_{h,t}\) was rounded up. This rounding approach was because of the constraint in our problem setting, where balance adjustments could not be made through vial units. If the \(AS_{h,t}\) value for hospitals capable of transporting vaccines and the \(SO_{h,t}\) value for hospitals experiencing vaccine shortages are both nonzero, the process advances to Step 3.2. However, if either of these values is zero, the procedure proceeds directly to Step 4.

Step 3.2. Decision on lateral transshipment quantity

When transporting vaccine vials from hospital \(h^{+}\) to hospital \(h^{-}\) , the quantity transported is determined as follows:

The transshipment amount is determined under two conditions.

If \(TR=SO\), the transshipment amount does not change. Proceed to the next step.

If \(TR=AS\), the decision to transport one fewer vaccine vial involves an evaluation of the trade-off between the revenue generated and the residual cost incurred if the vaccine is transferred to another hospital against the overage cost associated with the movement of one less vaccine. This assessment balances the financial implications of either keeping or reallocating the vaccine to optimize resource utilization and cost-efficiency.

Step 4. Renewal of the vaccine stock

Update the hospital vaccine inventory after lateral transshipment.

Step 5. Making reorder decisions

The reordering strategy is based on the (s, S) policy 55. When the current inventory at any hospital drops below 1.5 times the average demand measured in doses, a reorder is initiated for twice the average demand calculated in dose vials, while also considering the time required for the order to arrive. If the expected arrival time of the reordered vaccines falls outside the hospital’s operational hours, a reorder request is not executed.

Step 6. Finality of the day’s operation

If it is the final hour of the day, calculate and account for the cost of any surplus dose, retaining only the vial, and then proceed back to step 1. Should this not be the end of the day, Step 1 should be repeated immediately. As the day concludes, any dose left in a partially used vial is disposed of, resulting in an incurred cost for the excess.

Because demand is derived from a probabilistic distribution, we determine the impact of policies by averaging the results from numerous iterations. Figure 3 illustrates the overall process of the simulation.

Figure 3. Discrete event simulation overview.
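The six steps above, run for two hospitals with and without lateral transshipment, as an added example that is not the authors' simulation code. Assumptions: the page's equations for available and short stock are not reproduced here, so availability and shortage are taken from the end-of-hour balance and the transfer is the smaller of the two vial counts; the one-fewer-vial check of Step 3.2 is left out because its formula is not on the page; transshipments arrive within the hour, unmet demand is lost, open orders count toward the reorder check, and all cost and demand values are constructed.

```python
import math
import random
from dataclasses import dataclass

@dataclass
class Params:  # constructed values, not the paper's parameter tables
    doses_per_vial: int = 5    # |I|
    hours_per_day: int = 8     # operating hours per day
    p: float = 10.0            # revenue per administered dose
    c_u: float = 6.0           # underage cost per unserved dose
    c_o: float = 4.0           # overage cost per discarded dose
    c_reorder: float = 8.0     # cost per reordered vial
    c_transport: float = 3.0   # cost per transshipped vial
    lead_time: int = 2         # reorder lead time in hours

def vials_available(eoh, per_vial):
    """VAS: whole vials a hospital can release, rounded down (Step 3.1)."""
    return max(eoh, 0) // per_vial

def vials_short(eoh, per_vial):
    """VSO: vials needed to cover a negative balance, rounded up (Step 3.1)."""
    return math.ceil(max(-eoh, 0) / per_vial)

def transship_quantity(eoh_a, eoh_b, per_vial):
    """Vials moved (a->b, b->a); at most one direction is nonzero."""
    a_to_b = min(vials_available(eoh_a, per_vial), vials_short(eoh_b, per_vial))
    b_to_a = min(vials_available(eoh_b, per_vial), vials_short(eoh_a, per_vial))
    return a_to_b, b_to_a

def simulate(demand, init_vials, mean_demand, prm, use_lt=True):
    """Run Steps 1-6 over hourly (d0, d1) demand pairs; return cost components."""
    per_vial = prm.doses_per_vial
    inv = [v * per_vial for v in init_vials]   # on-hand doses per hospital
    orders = [[], []]                          # open orders: (arrival slot, vials)
    cost = dict(reorder=0.0, transport=0.0, underage=0.0, overage=0.0, revenue=0.0)
    for t, d in enumerate(demand):
        hour = t % prm.hours_per_day
        for h in (0, 1):                       # receive reorders due this hour
            inv[h] += per_vial * sum(v for due, v in orders[h] if due == t)
            orders[h] = [(due, v) for due, v in orders[h] if due > t]
        eoh = [inv[h] - d[h] for h in (0, 1)]  # Steps 1-2: balance after visits
        if use_lt:                             # Step 3: reactive transshipment
            a_to_b, b_to_a = transship_quantity(eoh[0], eoh[1], per_vial)
            net = a_to_b - b_to_a
            eoh[0] -= net * per_vial
            eoh[1] += net * per_vial
            cost["transport"] += abs(net) * prm.c_transport
        for h in (0, 1):                       # Step 4: renew stock, book results
            unmet = max(-eoh[h], 0)
            cost["underage"] += unmet * prm.c_u
            cost["revenue"] += (d[h] - unmet) * prm.p
            inv[h] = max(eoh[h], 0)
        for h in (0, 1):                       # Step 5: reorder rule from the text
            position = inv[h] + per_vial * sum(v for _, v in orders[h])
            in_hours = hour + prm.lead_time < prm.hours_per_day
            if position < 1.5 * mean_demand[h] and in_hours:
                qty = math.ceil(2 * mean_demand[h] / per_vial)
                orders[h].append((t + prm.lead_time, qty))
                cost["reorder"] += qty * prm.c_reorder
        if hour == prm.hours_per_day - 1:      # Step 6: discard opened-vial doses
            for h in (0, 1):
                waste = inv[h] % per_vial
                cost["overage"] += waste * prm.c_o
                inv[h] -= waste
    cost["total"] = (cost["reorder"] + cost["transport"] + cost["underage"]
                     + cost["overage"] - cost["revenue"])
    return cost

def sample_demand(hours, mu, sigma, rng):
    """Constructed demand: integers uniform on mu +/- 2*sigma, floored at 0."""
    return [tuple(max(0, rng.randint(m - 2 * s, m + 2 * s)) for m, s in zip(mu, sigma))
            for _ in range(hours)]

def compare_policies(days, reps=500, seed=7):
    """Mean total cost (NLT, LT) over `reps` replications on identical demand."""
    prm, rng = Params(), random.Random(seed)
    mu, sigma = (6, 2), (1, 1)                 # distinct demand per hospital
    totals = [0.0, 0.0]
    for _ in range(reps):
        demand = sample_demand(days * prm.hours_per_day, mu, sigma, rng)
        for i, use_lt in enumerate((False, True)):
            totals[i] += simulate(demand, (3, 3), mu, prm, use_lt)["total"]
    return totals[0] / reps, totals[1] / reps

if __name__ == "__main__":
    for days in (1, 3, 7):
        nlt, lt = compare_policies(days)
        print(f"{days:>2} day(s): NLT {nlt:9.1f}   LT {lt:9.1f}")
```

A negative total means revenue exceeded cost; both policies are scored on the same sampled demand so the difference reflects the transshipment rule alone.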

Data availability

The datasets generated during the current study are not publicly available because the data are randomly sampled from a uniform distribution following a mean and standard deviation reported in this paper, but are available from the corresponding author on reasonable request.

Hubbard, S. & Bais, R. Assessing unused residual Pfizer-BioNTech COVID-19 vaccine: A community observational study. medRxiv 2021–08 (2021).

Fauci, A. S. The story behind COVID-19 vaccines (2021).

Seneviratne, S., Jayarajah, U., Abeysuriya, V., Rahman, A. & Wanigasuriya, K. COVID-19 vaccine landscape. (2020).

Yan, Y. et al. The COVID-19 vaccines: Recent development, challenges and prospects. Vaccines 9 , 349 (2021).

Schoenmaker, L. et al. mRNA-lipid nanoparticle COVID-19 vaccines: Structure and stability. Int. J. Pharm. 601 , 120586. https://doi.org/10.1016/j.ijpharm.2021.120586 (2021).

Holm, M. R. & Poland, G. A. Critical aspects of packaging, storage, preparation, and administration of mRNA and adenovirus-vectored COVID-19 vaccines for optimal efficacy. Vaccine 39 , 457 (2021).

Uddin, M. N. & Roni, M. A. Challenges of storage and stability of mRNA-based COVID-19 vaccines. Vaccines 9 , 1033 (2021).

Control, K. D. & Agency, P. COVID-19 vaccination information for healthcare providers. https://ncv.kdca.go.kr/board.es?mid=a12101000000&bid=0031 . (Accessed on 12/29/2023).

Rosenberg, E. S. et al. COVID-19 vaccine effectiveness in New York state. N. Engl. J. Med. 386 , 116–127 (2022).

Mathieu, E. et al. A global database of COVID-19 vaccinations. Nat. Hum. Behav. 5 , 947–953 (2021).

Al-Rashid, M., Al-Hamad, A., Al-Hamad, A. & Yasin, Y. Myths, misconceptions, and hesitancy in people residing in Qatar toward mRNA COVID-19 vaccines: An experience exchange from Qatar University Health Center. In Qatar Medical Journal , vol. 2022, 20 (HBKU Press Qatar, 2022).

Pierri, F. et al. Online misinformation is linked to early COVID-19 vaccination hesitancy and refusal. Sci. Rep. 12 , 5966 (2022).

Lee, S. K., Sun, J., Jang, S. & Connelly, S. Misinformation of COVID-19 vaccines and vaccine hesitancy. Sci. Rep. 12 , 13681 (2022).

Rudloff, J. P., Hutmacher, F. & Appel, M. Post-truth epistemic beliefs rooted in the dark factor of personality are associated with higher COVID-19 vaccination refusal. Sci. Rep. 13 , 4254 (2023).

Musamih, A. et al. Blockchain-based solution for COVID-19 vaccine waste reduction. J. Clean. Prod. 372 , 133619 (2022).

Cheong, T. Joint inventory and transshipment control for perishable products of a two-period lifetime. Int. J. Adv. Manuf. Technol. 66 , 1327–1341 (2013).

Ganesan, S. et al. Vaccine side effects following COVID-19 vaccination among the residents of the UAE—an observational study. Front. Public Health 10 , 876336 (2022).

Vaccination no-shows: Why are thousands of appointments going unfilled? | CTV News. https://www.ctvnews.ca/health/coronavirus/vaccination-no-shows-why-are-thousands-of-appointments-going-unfilled-1.5377278 . (Accessed on 12/29/2023).

Unused Covid-19 vaccines worth €95m discarded by HSE last year-the irish times. https://www.irishtimes.com/health/2023/04/24/unused-vaccines-worth-95m-discarded-by-hse-last-year/ . (Accessed on 12/29/2023).

Fahrni, M. L. et al. Management of COVID-19 vaccines cold chain logistics: A scoping review. J. Pharm. Policy Pract. 15 , 16 (2022).

Li, Z., Li, H. & Xu, X. Efficient lateral transshipment policy for multi-retailer system. In 2019 IEEE/SICE International Symposium on System Integration (SII) , 756–763 (IEEE, 2019).

Olson, D. L. Software process simulation. In Bidgoli, H. (ed.) Encyclopedia of Information Systems , 143–153, https://doi.org/10.1016/B0-12-227240-4/00163-5 (Elsevier, New York, 2003).

Qin, Y., Wang, R., Vakharia, A. J., Chen, Y. & Seref, M. M. The newsvendor problem: Review and directions for future research. Eur. J. Oper. Res. 213 , 361–374 (2011).

Porteus, E. L. The newsvendor problem. Building intuition: Insights from basic operations management models and principles 115–134 (2008).

Cheong, T. & Kwon, K. The robust min-max newsvendor problem with balking under a service level constraint. S. Afr. J. Ind. Eng. 24 , 83–97 (2013).

DeYong, G. D. The price-setting newsvendor: Review and extensions. Int. J. Prod. Res. 58 , 1776–1804 (2020).

Watters, C. R., Shepherd, M. A. & Burkowski, F. J. Electronic news delivery project. J. Am. Soc. Inf. Sci. 49 , 134–150 (1998).

Besbes, O., Ma, W. & Mouchtaki, O. Quality vs. quantity of data in contextual decision-making: Exact analysis under newsvendor loss. arXiv preprint arXiv:2302.08424 (2023).

Rastegar, M., Tavana, M., Meraj, A. & Mina, H. An inventory-location optimization model for equitable influenza vaccine distribution in developing countries during the covid-19 pandemic. Vaccine 39 , 495–504 (2021).

Tavana, M., Govindan, K., Nasr, A. K., Heidary, M. S. & Mina, H. A mathematical programming approach for equitable COVID-19 vaccine distribution in developing countries. Ann. Oper. Res. 1–34 (2021).

Sarigol, I., Ozdemir, R. G. & Bayraktar, E. Covid 19 vaccine order allocation: an optimization model with substitution. J. Humanit. Logist. Supply Chain Manag. 13 , 125–139 (2023).

Thul, L. & Powell, W. Stochastic optimization for vaccine and testing kit allocation for the COVID-19 pandemic. Eur. J. Oper. Res. 304 , 325–338 (2023).

Wen, Z., Yue, T., Chen, W., Jiang, G. & Hu, B. Optimizing COVID-19 vaccine allocation considering the target population. Front. Public Health 10 , 1015133 (2023).

Alshammari, F., Mustafa, A., Omer, E. & Omer, F. A simulation model of COVID-19 epidemic based on vaccination and treatment. Eur. J. Pure Appl. Math. 16 , 2450–2460 (2023).

Arora, C. et al. Mathematical modelling to predict the effect of vaccination on delay and rise of COVID-19 cases management. Mathematics 11 , 821 (2023).

Kim, Y. R., Choi, Y.-J. & Min, Y. A model of COVID-19 pandemic with vaccines and mutant viruses. PLoS ONE 17 , e0275851 (2022).

Vázquez-Abad, F. J., Dufresne, D. & Park, G.-B. Impact of vaccination policies for covid-19 using hybrid simulation. In 2022 Winter Simulation Conference (WSC) , 545–556 (IEEE, 2022).

Çaglayan, Ç. et al. Staffing and capacity planning for SARS-CoV-2 monoclonal antibody infusion facilities: A performance estimation calculator based on discrete-event simulations. Front. Public Health 9 , 770039 (2022).

Tagaras, G. & Cohen, M. A. Pooling in two-location inventory systems with non-negligible replenishment lead times. Manage. Sci. 38 , 1067–1083 (1992).

Paterson, C., Kiesmüller, G., Teunter, R. & Glazebrook, K. Inventory models with lateral transshipments: A review. Eur. J. Oper. Res. 210 , 125–136 (2011).

Firoozi, M., Babai, M. Z., Klibi, W. & Ducq, Y. Distribution planning for multi-echelon networks considering multiple sourcing and lateral transshipments. Int. J. Prod. Res. 58 , 1968–1986 (2020).

Achamrah, F. E., Riane, F. & Limbourg, S. Spare parts inventory routing problem with transshipment and substitutions under stochastic demands. Appl. Math. Model. 101 , 309–331 (2022).

Farghadani-Chaharsooghi, P. & Karimi, B. A robust optimization approach for the production-routing problem with lateral transshipment and outsourcing. RAIRO-Oper. Res. 57 , 1957–1981 (2023).

Paul, A. & Yenipazarli, A. A note on lateral transshipment under point-process driven demand. Oper. Res. Lett. 41 , 159–163 (2013).

Naseraldin, H. & Herer, Y. T. A location-inventory model with lateral transshipments. Naval Res. Logist. 58 , 437–456 (2011).

Banerjee, A., Burton, J. & Banerjee, S. A simulation study of lateral shipments in single supplier, multiple buyers supply chain networks. Int. J. Prod. Econ. 81 , 103–114 (2003).

Hachicha, W., Afli, A. & Elleuch, F. Evaluating emergency lateral transshipment policies using simulation-based approaches. In 2013 International Conference on Advanced Logistics and Transport , 470–475 (IEEE, 2013).

Liu, H. Simulation of lateral transshipment in order delivery under e-commerce environment. Int. J. Simul. Process Model. 11 , 51–65 (2016).

Harris, C. R. et al. Array programming with NumPy. Nature 585 , 357–362. https://doi.org/10.1038/s41586-020-2649-2 (2020).

Overview — simpy 4.1.1 documentation. https://simpy.readthedocs.io/en/latest/ . (Accessed on 01/17/2024).

Chong, J. W., Kim, W. & Hong, J. Optimization of apparel supply chain using deep reinforcement learning. IEEE Access 10 , 100367–100375 (2022).

Khan, M. A. et al. Effective demand forecasting model using business intelligence empowered with machine learning. IEEE Access 8 , 116013–116023 (2020).

Seo, D.-W., Chang, K., Cheong, T. & Baek, J.-G. A reinforcement learning approach to distribution-free capacity allocation for sea cargo revenue management. Inf. Sci. 571 , 623–648 (2021).

Cristea, M., Cristea, C., Tirnovan, R.-A. & Fagarasan, C. Optimal sizing of electrical energy storage system for a household with a grid-connected PV system using inventory model. In 2020 International Conference and Exposition on Electrical And Power Engineering (EPE) , 067–071 (IEEE, 2020).

Zheng, Y.-S. & Federgruen, A. Finding optimal (s, S) policies is about as simple as evaluating a single policy. Oper. Res. 39 , 654–665 (1991).

This research was supported by Korea Institute for Advancement of Technology (KIAT) grant funded by the Korea government (MOTIE) (P0020649, The Competency Development Program for Industry Specialist) and the National Research Foundation of Korea (NRF) grant funded by the Korean government (MSIT) (No. NRF-2021R1F1A105930213).

Author information

Authors and affiliations.

School of Industrial and Management Engineering, Korea University, Seoul, South Korea

Hyungju Kim, Hyungjoo Cha & Taesu Cheong

Contributions

T.C. conceived and conceptualized the idea regarding the problem and acquired the funding. H.C. formulated the mathematical model and designed experiments. H.K. designed discrete event simulation and performed formal analysis through computational experiments. H.K wrote the manuscript and T.C. and H.C. did the review and editing. All authors reviewed the manuscript.

Corresponding authors

Correspondence to Hyungjoo Cha or Taesu Cheong.

Ethics declarations

Competing declarations.

The authors declare no competing interests.

Open Access This article is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License, which permits any non-commercial use, sharing, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if you modified the licensed material. You do not have permission under this licence to share adapted material derived from this article or parts of it. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by-nc-nd/4.0/ .

About this article

Cite this article.

Kim, H., Cha, H. & Cheong, T. Analyzing economic effect on mRNA vaccine inventory management with redistribution policy. Sci Rep 14 , 20425 (2024). https://doi.org/10.1038/s41598-024-71322-5

Received: 14 March 2024

Accepted: 27 August 2024

Published: 03 September 2024

DOI: https://doi.org/10.1038/s41598-024-71322-5

  • Lateral transshipment
  • Uncertainty
  • Discrete event simulation

Explainable AI in Manufacturing and Industrial Cyber–Physical Systems: A Survey

1. Introduction

  • Trustworthiness: In order to use the system predictions in real world applications, the user needs to trust the applied model. Offering an explanation for a prediction is an important aspect for ensuring human trust and the effective use of ML, if the explanations are faithful and intelligible [ 8 ].
  • Causality: Causality reveals the cause-and-effect relationship between feature space and possible outputs. Assigning a set of causes for an effect demands wide knowledge, as ML models try to find correlations between the features.
  • Transferability: In general, a model is usually trained and tested based on limited data. One reason for pursuing model explainability is to properly utilize a trained model in another domain with similar characteristics. Hence, it can be referred to as reusability.
  • Informativeness: Informativeness is the information that an XAI model provides about how it works in order to avoid misconceptions. The model explains the relations inside the box and increases the knowledge of the user regarding the internal process.
  • Confidence: A measure that provides an expectation that a decision will prove to be correct or incorrect. The measure should always be assessed within a system where reliability is a concern. Therefore, an explainable model designed for this purpose must offer a confidence level for its predictions.
  • Fairness: ML algorithms are products of their data, and any bias in the input data will influence the attained results and prevent fair conclusions. An XAI system could reveal imbalances within the data and ensure fairness in ML models.
  • Accessibility: Explainability can be considered a tool for improving the internal process of ML models. It gives users and non-professionals the ability to tune performance based on their requirements.
  • Interactivity: This goal is considered for models that require interaction with end-users. The model should describe the decision made and the choices considered, then present the explanation in straightforward, natural language to resolve ambiguity.
  • Privacy Awareness: The ability to explain the logic in a model could provide a tool for assessing privacy. An opaque model may capture sensitive data and cause a privacy breach.

2. XAI in Manufacturing and Industrial Systems

2.1. Product Development

2.2. Process Control and Automation

2.3. Inventory Management

2.4. Fault Detection and Diagnosis

2.5. Predictive Maintenance


2.6. Product Quality

3. XAI in Industrial Cyber–Physical Systems

Cyber-Security

4. Discussion and Future Directions

  • Focus areas of XAI in manufacturing: In the literature, predictive maintenance, fault diagnosis and prognosis emerge as the most extensively discussed fields where XAI is applied within manufacturing. Conversely, other use cases such as product development, process control, and inventory management are rarely addressed or explored in this context.
  • Need for tailored explanations: It was noted that the majority of XAI explanations are primarily conveyed through feature importance. However, given the diverse range of users in the manufacturing industry, including machine operators, engineers, scientists, and managers, it is essential to tailor explanations based on the specific expertise and comprehension levels of the intended users, thus ensuring optimal understanding and usability.
  • Limitations of existing XAI methods: It was observed that most of the explanations were generated using post hoc methods like SHAP and LIME, covering both global and local perspectives. Nevertheless, these methods exhibited limitations in delivering real-time insights and actionable recommendations for immediate decision-making.
  • Advancing XAI techniques: There could be further advancements in XAI techniques tailored specifically for manufacturing applications. This could include the development of hybrid approaches that combine traditional AI methods with XAI techniques to achieve optimal transparency and interpretability while maintaining high performance. Besides, addressing challenges related to scalability, robustness, and compliance with industry regulations will be crucial for the widespread adoption of XAI in industrial settings.
  • Real-time XAI: There could be a focus on real-time XAI capabilities to enable dynamic decision-making and adaptation in rapidly changing industrial environments.
  • XAI and emerging technologies: The integration of XAI into emerging technologies such as the IoT and edge computing could open up new possibilities for enhancing transparency and interpretability in this domain.
  • Regulatory compliance: In the context of ICPSs and industrial settings, adherence to industry standards and regulations is particularly critical due to the potential impact on safety, security, reliability, and performance. For example, safety-critical domains such as healthcare, automotive, and aerospace have stringent regulatory requirements governing the development and deployment of AI systems to ensure patient safety, vehicle reliability, and aviation security. Therefore, any future trends in XAI within ICPSs and industrial settings must take into account the unique regulatory landscape of each industry. This includes conducting thorough assessments of regulatory requirements, integrating compliance measures into the design and development process of AI systems, and establishing transparent mechanisms for documenting and auditing XAI implementations. Furthermore, collaboration between industry stakeholders, regulatory bodies, and AI researchers is essential to address regulatory challenges effectively and ensure that XAI techniques align with industry standards and regulations. By prioritizing compliance and transparency, organizations can build trust in AI systems and facilitate their widespread adoption across diverse industrial sectors.

5. Conclusions

Author Contributions

Conflicts of Interest

Abbreviations

AHU: Air handling unit
ACE: Automated concept-based explanation
AI: Artificial intelligence
ANN: Artificial neural network
ARM: Association rule mining
ASV: Asymmetric Shapley values
BB: Balanced bagging
CAM: Class activation map
CEM: Contrastive explanation method
CNN: Convolutional neural network
CP: Ceteris paribus
CPS: Cyber–physical system
CWConv: Continuous wavelet convolutional
CybSec: Cyber-security
DCAE: Deep convolutional autoencoder
DCNN: Deep convolutional neural network
DeconvNet: Deconvolutional network
DeepLIFT: Deep learning important features
DICE: Diverse counterfactual explanations
DIFFI: Depth-based isolation forest feature importance
DNN: Deep neural network
DT: Decision tree
EmSHAP: Energy-based model for Shapley value estimation
FACE: Feasible and actionable counterfactual explanations
FAM: Frequency activation map
FDD: Fault detection and diagnosis
FedeX: Federated learning based explainable
FFNN: Feed forward neural network
FG-CAM: Frequency-domain-based gradient-weighted class activation map
FL: Federated learning
FLS: Fuzzy logic system
GAP: Global average pooling
GNN: Graph neural networks
GPR: Gaussian process regression
Grad-CAM: Gradient-weighted class activation mapping
GSX: Gumbel–Sigmoid explanator
IAP: Interpretable anomaly prediction
ICE: Individual conditional expectation
ICPS: Industrial cyber–physical system
IF: Isolation forest
IIoT: Industrial internet of things
InvM: Inventory management
IntGrad: Integrated gradient
IoT: Internet of things
ISG: Intrinsic subgraph generation
KBDBN: Knowledge-based deep belief network
KNN: K-nearest neighbors
LFCM: Learning fuzzy cognitive maps
LGBM: Light gradient-boosting machine
LIME: Local interpretable model-agnostic explanations
LRP: Layer-wise relevance propagation
LSTM: Long short-term memory
MCD: Minimum covariance determinant
ML: Machine learning
MMD: Maximum mean discrepancy
MP: Meaningful perturbation
MSE: Mean squared error
MV: Machine vision
NAM: Neural additive models
NN: Neural network
OCTET: Object-aware counterfactual explanations
PdM: Predictive maintenance
PDP: Partial dependence plot
PC: Process control
PD: Product development
ProtoPNet: Prototypical part network
PS: Prototype selection
QA: Quality assurance
QC: Quality control
RF: Random forest
RMSE: Root-mean-square error
RUL: Remaining useful life
SG: Saliency gradient
SHAP: Shapley additive explanations
SmoothGrad: Smoothing gradient
SMOTE: Synthetic minority oversampling method
SVERL: Shapley values for explaining reinforcement learning
SVM: Support vector machine
TCAV: Testing with concept activation vectors
WKN: Wavelet kernel net
XAI: Explainable artificial intelligence
XGB: Extreme gradient boosting

References

  • Ye, Q.; Xia, J.; Yang, G. Explainable AI for COVID-19 CT Classifiers: An Initial Comparison Study. In Proceedings of the 2021 IEEE 34th International Symposium on Computer-Based Medical Systems (CBMS), Aveiro, Portugal, 7–9 June 2021; pp. 521–526.
  • Guidotti, R.; Monreale, A.; Turini, F.; Pedreschi, D.; Giannotti, F. A Survey of Methods for Explaining Black Box Models. ACM Comput. Surv. 2018, 51, 1–42.
  • Gunning, D.; Aha, D. DARPA’s Explainable Artificial Intelligence (XAI) Program. AI Mag. 2019, 40, 44–58.
  • Goodman, B.; Flaxman, S. European Union Regulations on Algorithmic Decision-Making and a “Right to Explanation”. AI Mag. 2017, 38, 50–57.
  • Nor, A.K.M.; Pedapati, S.R.; Muhammad, M.; Leiva, V. Overview of Explainable Artificial Intelligence for Prognostic and Health Management of Industrial Assets Based on Preferred Reporting Items for Systematic Reviews and Meta-Analyses. Sensors 2021, 21, 8020.
  • Doshi-Velez, F.; Kim, B. Towards A Rigorous Science of Interpretable Machine Learning. arXiv 2017, arXiv:1702.08608.
  • Barredo Arrieta, A.; Díaz-Rodríguez, N.; Del Ser, J.; Bennetot, A.; Tabik, S.; Barbado, A.; Garcia, S.; Gil-Lopez, S.; Molina, D.; Benjamins, R.; et al. Explainable Artificial Intelligence (XAI): Concepts, taxonomies, opportunities and challenges toward responsible AI. Inf. Fusion 2020, 58, 82–115.
  • Ribeiro, M.T.; Singh, S.; Guestrin, C. “Why Should I Trust You?”: Explaining the Predictions of Any Classifier. In Proceedings of the KDD ’16: The 22nd ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, San Francisco, CA, USA, 13–17 August 2016.
  • El Shawi, R.; Sherif, Y.; Al-Mallah, M.; Sakr, S. Interpretability in HealthCare A Comparative Study of Local Machine Learning Interpretability Techniques. In Proceedings of the 2019 IEEE 32nd International Symposium on Computer-Based Medical Systems (CBMS), Cordoba, Spain, 5–7 June 2019; pp. 275–280.
  • Speith, T. A Review of Taxonomies of Explainable Artificial Intelligence (XAI) Methods. In Proceedings of the FAccT ’22, 2022 ACM Conference on Fairness, Accountability, and Transparency, New York, NY, USA, 21–24 June 2022; pp. 2239–2250.
  • Rong, Y.; Leemann, T.; trang Nguyen, T.; Fiedler, L.; Qian, P.; Unhelkar, V.; Seidel, T.; Kasneci, G.; Kasneci, E. Towards Human-centered Explainable AI: A Survey of User Studies for Model Explanations. arXiv 2023, arXiv:cs.AI/2210.11584.
  • Marcinkevičs, R.; Vogt, J.E. Interpretable and explainable machine learning: A methods-centric overview with concrete examples. WIREs Data Min. Knowl. Discov. 2023, 13, e1493.
  • Sofianidis, G.; Rozanec, J.M.; Mladenic, D.; Kyriazis, D. A Review of Explainable Artificial Intelligence in Manufacturing. CoRR 2021, 24, 93–113.
  • Lundberg, S.; Lee, S.I. A Unified Approach to Interpreting Model Predictions. arXiv 2017, arXiv:cs.AI/1705.07874.
  • Zhou, B.; Khosla, A.; Lapedriza, A.; Oliva, A.; Torralba, A. Learning Deep Features for Discriminative Localization. In Proceedings of the 2016 IEEE Conference on Computer Vision and Pattern Recognition (CVPR), Las Vegas, NV, USA, 27–30 June 2016; pp. 2921–2929.
  • Upasane, S.J.; Hagras, H.; Anisi, M.H.; Savill, S.; Taylor, I.; Manousakis, K. A Big Bang-Big Crunch Type-2 Fuzzy Logic System for Explainable Predictive Maintenance. In Proceedings of the 2021 IEEE International Conference on Fuzzy Systems (FUZZ-IEEE), Luxembourg, Luxembourg, 11–14 July 2021; pp. 1–8.
  • Upasane, S.J.; Hagras, H.; Anisi, M.H.; Savill, S.; Taylor, I.; Manousakis, K. A Type-2 Fuzzy-Based Explainable AI System for Predictive Maintenance Within the Water Pumping Industry. IEEE Trans. Artif. Intell. 2024, 5, 490–504.
  • Huong, T.T.; Bac, T.P.; Ha, K.N.; Hoang, N.V.; Hoang, N.X.; Hung, N.T.; Tran, K.P. Federated Learning-Based Explainable Anomaly Detection for Industrial Control Systems. IEEE Access 2022, 10, 53854–53872.
  • Kong, B.O.; Kim, M.S.; Kim, B.H.; Lee, J.H. Prediction of Creep Life Using an Explainable Artificial Intelligence Technique and Alloy Design Based on the Genetic Algorithm in Creep-Strength-Enhanced Ferritic 9% Cr Steel. Met. Mater. Int. 2023, 29, 1334–1345.
  • Khan, I.A.; Moustafa, N.; Pi, D.; Sallam, K.M.; Zomaya, A.Y.; Li, B. A New Explainable Deep Learning Framework for Cyber Threat Discovery in Industrial IoT Networks. IEEE Internet Things J. 2022, 9, 11604–11613.
  • Dix, M.; Chouhan, A.; Ganguly, S.; Pradhan, S.; Saraswat, D.; Agrawal, S.; Prabhune, A. Anomaly detection in the time-series data of industrial plants using neural network architectures. In Proceedings of the 2021 IEEE Seventh International Conference on Big Data Computing Service and Applications (BigDataService), Oxford, UK, 23–26 August 2021; pp. 222–228.
  • Sesana, M.; Cavallaro, S.; Calabresi, M.; Capaccioli, A.; Napoletano, L.; Antonello, V.; Grandi, F. Process and Product Quality Optimization with Explainable Artificial Intelligence. In Artificial Intelligence in Manufacturing; Springer: Berlin/Heidelberg, Germany, 2024; pp. 459–477.
  • Morita, K.; Davies, D.W.; Butler, K.T.; Walsh, A. Modeling the dielectric constants of crystals using machine learning. J. Chem. Phys. 2020, 153, 024503.
  • Hajgató, G.; Wéber, R.; Szilágyi, B.; Tóthpál, B.; Gyires-Tóth, B.; Hős, C. PredMaX: Predictive maintenance with explainable deep convolutional autoencoders. Adv. Eng. Inform. 2022, 54, 101778.
  • Li, T.; Zhao, Z.; Sun, C.; Cheng, L.; Chen, X.; Yan, R.; Gao, R.X. WaveletKernelNet: An Interpretable Deep Neural Network for Industrial Intelligent Diagnosis. IEEE Trans. Syst. Man Cybern. Syst. 2022, 52, 2302–2312.
  • Sahakyan, M.; Aung, Z.; Rahwan, T. Explainable Artificial Intelligence for Tabular Data: A Survey. IEEE Access 2021, 9, 135392–135422.
  • Bodria, F.; Giannotti, F.; Guidotti, R.; Naretto, F.; Pedreschi, D.; Rinzivillo, S. Benchmarking and Survey of Explanation Methods for Black Box Models. arXiv 2021, arXiv:cs.AI/2102.13076.
  • Gawde, S.; Patil, S.; Kumar, S.; Kamat, P.; Kotecha, K.; Alfarhood, S. Explainable Predictive Maintenance of Rotating Machines Using LIME, SHAP, PDP, ICE. IEEE Access 2024, 12, 29345–29361.
  • Hasan, M.J.; Sohaib, M.; Kim, J.M. An Explainable AI-Based Fault Diagnosis Model for Bearings. Sensors 2021, 21, 4070.
  • Dhaou, A.; Bertoncello, A.; Gourvénec, S.; Garnier, J.; Le Pennec, E. Causal and Interpretable Rules for Time Series Analysis. In Proceedings of the KDD ’21, 27th ACM SIGKDD Conference on Knowledge Discovery & Data Mining, New York, NY, USA, 14–18 August 2021; pp. 2764–2772.
  • Jakubowski, J.; Stanisz, P.; Bobek, S.; Nalepa, G.J. Roll Wear Prediction in Strip Cold Rolling with Physics-Informed Autoencoder and Counterfactual Explanations. In Proceedings of the 2022 IEEE 9th International Conference on Data Science and Advanced Analytics (DSAA), Shenzhen, China, 13–16 October 2022; pp. 1–10.
  • Ming, Y.; Xu, P.; Qu, H.; Ren, L. Interpretable and Steerable Sequence Learning via Prototypes. In Proceedings of the KDD ’19, 25th ACM SIGKDD International Conference on Knowledge Discovery & Data Mining, Anchorage, AK, USA, 4–8 August 2019; pp. 903–913.
  • Tan, S.; Soloviev, M.; Hooker, G.; Wells, M.T. Tree Space Prototypes: Another Look at Making Tree Ensembles Interpretable. In Proceedings of the FODS ’20, 2020 ACM-IMS on Foundations of Data Science Conference, New York, NY, USA, 19–20 October 2020; pp. 23–34.
  • Kim, M.S.; Yun, J.P.; Park, P. An Explainable Convolutional Neural Network for Fault Diagnosis in Linear Motion Guide. IEEE Trans. Ind. Inform. 2021, 17, 4036–4045.
  • Chen, H.Y.; Lee, C.H. Vibration Signals Analysis by Explainable Artificial Intelligence (XAI) Approach: Application on Bearing Faults Diagnosis. IEEE Access 2020, 8, 134246–134256.
  • Yeh, C.K.; Kim, B.; Arik, S.O.; Li, C.L.; Pfister, T.; Ravikumar, P. On Completeness-aware Concept-Based Explanations in Deep Neural Networks. arXiv 2022, arXiv:cs.LG/1910.07969.
  • Guidotti, R.; Monreale, A.; Matwin, S.; Pedreschi, D. Explaining Image Classifiers Generating Exemplars and Counter-Exemplars from Latent Representations. Proc. AAAI Conf. Artif. Intell. 2020, 34, 13665–13668.
  • Chen, C.; Li, O.; Tao, C.; Barnett, A.J.; Su, J.; Rudin, C. This looks like that: Deep learning for interpretable image recognition. In Proceedings of the 33rd International Conference on Neural Information Processing Systems, Red Hook, NY, USA, 8 December 2019; Curran Associates Inc.: Red Hook, NY, USA, 2019.
  • Mollas, I.; Bassiliades, N.; Tsoumakas, G. LioNets: Local Interpretation of Neural Networks Through Penultimate Layer Decoding. In Communications in Computer and Information Science; Springer International Publishing: Berlin/Heidelberg, Germany, 2020; pp. 265–276.
  • Hoover, B.; Strobelt, H.; Gehrmann, S. exBERT: A Visual Analysis Tool to Explore Learned Representations in Transformers Models. arXiv 2019, arXiv:cs.CL/1910.05276.
  • Lampridis, O.; Guidotti, R.; Ruggieri, S. Explaining Sentiment Classification with Synthetic Exemplars and Counter-Exemplars. In Proceedings of the Discovery Science; Appice, A., Tsoumakas, G., Manolopoulos, Y., Matwin, S., Eds.; Springer: Cham, Switzerland, 2020; pp. 357–373.
  • Beechey, D.; Smith, T.M.S.; Özgür, Ş. Explaining Reinforcement Learning with Shapley Values. arXiv 2023, arXiv:cs.LG/2306.05810.
  • Mothilal, R.K.; Sharma, A.; Tan, C. Explaining machine learning classifiers through diverse counterfactual explanations. In Proceedings of the ACM FAT ’20, 2020 Conference on Fairness, Accountability, and Transparency, Barcelona, Spain, 27–30 January 2020.
  • Ribeiro, M.T.; Singh, S.; Guestrin, C. Anchors: High-precision model-agnostic explanations. In Proceedings of the AAAI’18/IAAI’18/EAAI’18, Thirty-Second AAAI Conference on Artificial Intelligence and Thirtieth Innovative Applications of Artificial Intelligence Conference and Eighth AAAI Symposium on Educational Advances in Artificial Intelligence, New Orleans, LA, USA, 2–7 February 2018; AAAI Press: Washington, DC, USA, 2018.
  • Kim, B.; Wattenberg, M.; Gilmer, J.; Cai, C.; Wexler, J.; Viegas, F.; Sayres, R. Interpretability Beyond Feature Attribution: Quantitative Testing with Concept Activation Vectors (TCAV). arXiv 2018, arXiv:stat.ML/1711.11279.
  • Zhou, B.; Khosla, A.; Lapedriza, A.; Oliva, A.; Torralba, A. Learning Deep Features for Discriminative Localization. arXiv 2015, arXiv:cs.CV/1512.04150.
  • Shrikumar, A.; Greenside, P.; Kundaje, A. Learning Important Features Through Propagating Activation Differences. arXiv 2019, arXiv:cs.CV/1704.02685.
  • Lapuschkin, S.; Binder, A.; Montavon, G.; Klauschen, F.; Müller, K.R.; Samek, W. On Pixel-Wise Explanations for Non-Linear Classifier Decisions by Layer-Wise Relevance Propagation. PLoS ONE 2015, 10, e0130140.
  • Zeiler, M.D.; Fergus, R. Visualizing and Understanding Convolutional Networks. arXiv 2013, arXiv:cs.CV/1311.2901.
  • Selvaraju, R.R.; Cogswell, M.; Das, A.; Vedantam, R.; Parikh, D.; Batra, D. Grad-CAM: Visual Explanations from Deep Networks via Gradient-Based Localization. In Proceedings of the 2017 IEEE International Conference on Computer Vision (ICCV), Venice, Italy, 22–29 October 2017; pp. 618–626.
  • Poyiadzi, R.; Sokol, K.; Santos-Rodriguez, R.; De Bie, T.; Flach, P. FACE: Feasible and Actionable Counterfactual Explanations. In Proceedings of the AAAI/ACM Conference on AI, Ethics, and Society, New York, NY, USA, 7–9 February 2020.
  • Smilkov, D.; Thorat, N.; Kim, B.; Viégas, F.; Wattenberg, M. SmoothGrad: Removing noise by adding noise. arXiv 2017, arXiv:cs.LG/1706.03825.
  • Chen, C.; Li, O.; Tao, C.; Barnett, A.J.; Su, J.; Rudin, C. This Looks Like That: Deep Learning for Interpretable Image Recognition. arXiv 2019, arXiv:cs.LG/1806.10574.
  • Simonyan, K.; Vedaldi, A.; Zisserman, A. Deep Inside Convolutional Networks: Visualising Image Classification Models and Saliency Maps. arXiv 2014, arXiv:cs.CV/1312.6034.
  • Sundararajan, M.; Taly, A.; Yan, Q. Axiomatic Attribution for Deep Networks. arXiv 2017, arXiv:cs.LG/1703.01365.
  • Goldstein, A.; Kapelner, A.; Bleich, J.; Pitkin, E. Peeking Inside the Black Box: Visualizing Statistical Learning with Plots of Individual Conditional Expectation. arXiv 2014, arXiv:stat.AP/1309.6392.
  • Bien, J.; Tibshirani, R. Prototype selection for interpretable classification. Ann. Appl. Stat. 2011, 5, 2403–2424.
  • Kim, B.; Khanna, R.; Koyejo, O.O. Examples are not enough, learn to criticize! Criticism for Interpretability. In Proceedings of the Advances in Neural Information Processing Systems; Lee, D., Sugiyama, M., Luxburg, U., Guyon, I., Garnett, R., Eds.; Curran Associates, Inc.: Red Hook, NY, USA, 2016; Volume 29.
  • Fong, R.C.; Vedaldi, A. Interpretable Explanations of Black Boxes by Meaningful Perturbation. In Proceedings of the 2017 IEEE International Conference on Computer Vision (ICCV), Venice, Italy, 22–29 October 2017; IEEE: New York, NY, USA, 2017.
  • Dhurandhar, A.; Chen, P.Y.; Luss, R.; Tu, C.C.; Ting, P.; Shanmugam, K.; Das, P. Explanations based on the Missing: Towards Contrastive Explanations with Pertinent Negatives. arXiv 2018, arXiv:cs.AI/1802.07623.
  • Chattopadhay, A.; Sarkar, A.; Howlader, P.; Balasubramanian, V.N. Grad-CAM++: Generalized Gradient-Based Visual Explanations for Deep Convolutional Networks. In Proceedings of the 2018 IEEE Winter Conference on Applications of Computer Vision (WACV), Lake Tahoe, NV, USA, 12–15 March 2018; pp. 839–847.
  • Ghorbani, A.; Wexler, J.; Zou, J.; Kim, B. Towards Automatic Concept-based Explanations. arXiv 2019, arXiv:stat.ML/1902.03129.
  • Lundberg, S.M.; Erion, G.; Chen, H.; DeGrave, A.; Prutkin, J.M.; Nair, B.; Katz, R.; Himmelfarb, J.; Bansal, N.; Lee, S.I. Explainable AI for Trees: From Local Explanations to Global Understanding. arXiv 2019, arXiv:cs.LG/1905.04610.
  • Ying, R.; Bourgeois, D.; You, J.; Zitnik, M.; Leskovec, J. GNNExplainer: Generating Explanations for Graph Neural Networks. arXiv 2019, arXiv:cs.LG/1903.03894.
  • Looveren, A.V.; Klaise, J. Interpretable Counterfactual Explanations Guided by Prototypes. arXiv 2020, arXiv:cs.LG/1907.02584.
  • Huang, Q.; Yamada, M.; Tian, Y.; Singh, D.; Yin, D.; Chang, Y. GraphLIME: Local Interpretable Model Explanations for Graph Neural Networks. arXiv 2020, arXiv:cs.LG/2001.06216.
  • Wang, H.; Wang, Z.; Du, M.; Yang, F.; Zhang, Z.; Ding, S.; Mardziel, P.; Hu, X. Score-CAM: Score-Weighted Visual Explanations for Convolutional Neural Networks. arXiv 2020, arXiv:cs.CV/1910.01279.
  • Frye, C.; Rowat, C.; Feige, I. Asymmetric Shapley values: Incorporating causal knowledge into model-agnostic explainability. arXiv 2021, arXiv:stat.ML/1910.06358.
  • Agarwal, R.; Melnick, L.; Frosst, N.; Zhang, X.; Lengerich, B.; Caruana, R.; Hinton, G. Neural Additive Models: Interpretable Machine Learning with Neural Nets. arXiv 2021, arXiv:cs.LG/2004.13912.
  • Nauta, M.; van Bree, R.; Seifert, C. Neural Prototype Trees for Interpretable Fine-grained Image Recognition. arXiv 2021, arXiv:cs.CV/2012.02046.
  • Schnake, T.; Eberle, O.; Lederer, J.; Nakajima, S.; Schutt, K.T.; Muller, K.R.; Montavon, G. Higher-Order Explanations of Graph Neural Networks via Relevant Walks. IEEE Trans. Pattern Anal. Mach. Intell. 2022, 44, 7581–7596.
  • Zemni, M.; Chen, M.; Éloi, Z.; Ben-Younes, H.; Pérez, P.; Cord, M. OCTET: Object-aware Counterfactual Explanations. arXiv 2023, arXiv:cs.CV/2211.12380.
  • Lu, C.; Zeng, J.; Xia, Y.; Cai, J.; Luo, S. Energy-based Model for Accurate Shapley Value Estimation in Interpretable Deep Learning Predictive Modeling. arXiv 2024, arXiv:cs.LG/2404.01078.
  • Tilli, P.; Vu, N.T. Intrinsic Subgraph Generation for Interpretable Graph based Visual Question Answering. arXiv 2024, arXiv:cs.CL/2403.17647.
  • Zafar, M.R.; Khan, N.M. DLIME: A Deterministic Local Interpretable Model-Agnostic Explanations Approach for Computer-Aided Diagnosis Systems. arXiv 2019, arXiv:cs.LG/1906.10263.
  • Shankaranarayana, S.M.; Runje, D. ALIME: Autoencoder Based Approach for Local Interpretability. arXiv 2019, arXiv:cs.LG/1909.02437.
  • Bramhall, S.; Horn, H.E.; Tieu, M.; Lohia, N. QLIME-A Quadratic Local Interpretable Model-Agnostic Explanation Approach. SMU Data Sci. Rev. 2020, 3, 4.
  • Zhou, J.; Gandomi, A.H.; Chen, F.; Holzinger, A. Evaluating the Quality of Machine Learning Explanations: A Survey on Methods and Metrics. Electronics 2021, 10, 593.
  • Nauta, M.; Trienes, J.; Pathak, S.; Nguyen, E.; Peters, M.; Schmitt, Y.; Schlötterer, J.; van Keulen, M.; Seifert, C. From Anecdotal Evidence to Quantitative Evaluation Methods: A Systematic Review on Evaluating Explainable AI. ACM Comput. Surv. 2023, 55, 1–42.
  • Samek, W.; Montavon, G.; Vedaldi, A.; Hansen, L.K.; Müller, K.R. Explainable AI: Interpreting, Explaining and Visualizing Deep Learning; Springer Nature: Cham, Switzerland, 2019; Volume 11700.
  • Razavi-Far, R.; Wan, D.; Saif, M.; Mozafari, N. To Tolerate or To Impute Missing Values in V2X Communications Data? IEEE Internet Things J. 2022, 9, 11442–11452.
  • Hallaji, E.; Razavi-Far, R.; Saif, M. DLIN: Deep Ladder Imputation Network. IEEE Trans. Cybern. 2022, 52, 8629–8641.
  • Ahmed, I.; Jeon, G.; Piccialli, F. From Artificial Intelligence to Explainable Artificial Intelligence in Industry 4.0: A Survey on What, How, and Where. IEEE Trans. Ind. Inform. 2022, 18, 5031–5042.
  • Park, S.; Kayani, S.H.; Euh, K.; Seo, E.; Kim, H.; Park, S.; Yadav, B.N.; Park, S.J.; Sung, H.; Jung, I.D. High strength aluminum alloys design via explainable artificial intelligence. J. Alloys Compd. 2022, 903, 163828.
  • Yan, F.; Song, K.; Liu, Y.; Chen, S.; Chen, J. Predictions and mechanism analyses of the fatigue strength of steel based on machine learning. J. Mater. Sci. 2020, 55, 15334–15349.
  • Roy, I.; Feng, B.; Roychowdhury, S.; Ravi, S.K.; Umretiya, R.V.; Reynolds, C.; Ghosh, S.; Rebak, R.B.; Hoffman, A. Understanding oxidation of Fe-Cr-Al alloys through explainable artificial intelligence. MRS Commun. 2023, 13, 82–88.
  • Ravi, S.K.; Roy, I.; Roychowdhury, S.; Feng, B.; Ghosh, S.; Reynolds, C.; Umretiya, R.V.; Rebak, R.B.; Hoffman, A.K. Elucidating precipitation in FeCrAl alloys through explainable AI: A case study. Comput. Mater. Sci. 2023, 230, 112440.
  • Xiong, J.; Shi, S.Q.; Zhang, T.Y. Machine learning of phases and mechanical properties in complex concentrated alloys. J. Mater. Sci. Technol. 2021, 87, 133–142.
  • Yang, C.; Ren, C.; Jia, Y.; Wang, G.; Li, M.; Lu, W. A machine learning-based alloy design system to facilitate the rational design of high entropy alloys with enhanced hardness. Acta Mater. 2022, 222, 117431.
  • Jiménez-Luna, J.; Grisoni, F.; Schneider, G. Drug discovery with explainable artificial intelligence. Nat. Mach. Intell. 2020, 2, 573–584.
  • Preuer, K.; Klambauer, G.; Rippmann, F.; Hochreiter, S.; Unterthiner, T. Interpretable Deep Learning in Drug Discovery; Springer: Cham, Switzerland, 2019.
  • Baum, D.; Baum, K.; Gros, T.P.; Wolf, V. XAI Requirements in Smart Production Processes: A Case Study. In Proceedings of the Explainable Artificial Intelligence; Longo, L., Ed.; Springer: Cham, Switzerland, 2023; pp. 3–24.
  • Perez-Castanos, S.; Prieto-Roig, A.; Monzo, D.; Colomer-Barbera, J. Holistic Production Overview: Using XAI for Production Optimization. In Artificial Intelligence in Manufacturing: Enabling Intelligent, Flexible and Cost-Effective Production Through AI; Springer Nature: Cham, Switzerland, 2024; pp. 423–436.
  • Ji-Soo, H.; Yong-Min, H.; Seung-Yong, O.; Tae-Ho, K.; Hyeon-Jeong, L.; Sung-Woo, K. Injection Process Yield Improvement Methodology Based on eXplainable Artificial Intelligence (XAI) Algorithm. J. Korean Soc. Qual. Manag. 2023, 51, 55–65.
  • Lee, Y.; Roh, Y. An Expandable Yield Prediction Framework Using Explainable Artificial Intelligence for Semiconductor Manufacturing. Appl. Sci. 2023, 13, 2660.
  • Kim, S.; Lee, K.; Noh, H.K.; Shin, Y.; Chang, K.B.; Jeong, J.; Baek, S.; Kang, M.; Cho, K.; Kim, D.W.; et al. Automatic Modeling of Logic Device Performance Based on Machine Learning and Explainable AI. In Proceedings of the 2020 International Conference on Simulation of Semiconductor Processes and Devices (SISPAD), Kobe, Japan, 23 September–6 October 2020; pp. 47–50.
  • Zhai, W.; Shi, X.; Wong, Y.D.; Han, Q.; Chen, L. Explainable AutoML (xAutoML) with adaptive modeling for yield enhancement in semiconductor smart manufacturing. arXiv 2024, arXiv:cs.CE/2403.12381.
  • Singh, N.; Adhikari, D. AI in Inventory Management: Applications, Challenges, and Opportunities. Int. J. Res. Appl. Sci. Eng. Technol. 2023, 11, 2049–2053.
  • Qaffas, A.A.; Hajkacem, M.A.B.; Ncir, C.E.B.; Nasraoui, O. Interpretable Multi-Criteria ABC Analysis Based on Semi-Supervised Clustering and Explainable Artificial Intelligence. IEEE Access 2023, 11, 43778–43792.
  • Ntakolia, C.; Kokkotis, C.; Karlsson, P.; Moustakidis, S. An Explainable Machine Learning Model for Material Backorder Prediction in Inventory Management. Sensors 2021, 21, 7926.
  • Shajalal, M.; Boden, A.; Stevens, G. Explainable product backorder prediction exploiting CNN: Introducing explainable models in businesses. Electron. Mark. 2022, 32, 2107–2122.
  • Razavi-Far, R.; Kinnaert, M. Incremental Design of a Decision System for Residual Evaluation: A Wind Turbine Application*. In IFAC Proceedings Volumes, Proceedings of the 8th IFAC Symposium on Fault Detection, Supervision and Safety of Technical Processes, Mexico City, Mexico, 29–31 August 2012; Elsevier: Amsterdam, The Netherlands, 2012; Volume 45, pp. 343–348.
  • Razavi-Far, R.; Zio, E.; Palade, V. Efficient residuals pre-processing for diagnosing multi-class faults in a doubly fed induction generator, under missing data scenarios. Expert Syst. Appl. 2014, 41, 6386–6399.
  • Farajzadeh-Zanjani, M.; Razavi-Far, R.; Saif, M.; Rueda, L. Efficient feature extraction of vibration signals for diagnosing bearing defects in induction motors. In Proceedings of the 2016 International Joint Conference on Neural Networks (IJCNN), Vancouver, BC, Canada, 24–29 July 2016; pp. 4504–4511.
  • Razavi-Far, R.; Kinnaert, M. A multiple observers and dynamic weighting ensembles scheme for diagnosing new class faults in wind turbines. Control Eng. Pract. 2013, 21, 1165–1177.
  • Saeki, M.; Ogata, J.; Murakawa, M.; Ogawa, T. Visual explanation of neural network based rotation machinery anomaly detection system. In Proceedings of the 2019 IEEE International Conference on Prognostics and Health Management (ICPHM), San Francisco, CA, USA, 17–20 June 2019; pp. 1–4.
  • Grezmak, J.; Zhang, J.; Wang, P.; Loparo, K.A.; Gao, R.X. Interpretable Convolutional Neural Network Through Layer-wise Relevance Propagation for Machine Fault Diagnosis. IEEE Sens. J. 2020, 20, 3172–3181.
  • Kotriwala, A.; Klöpper, B.; Dix, M.; Gopalakrishnan, G.; Ziobro, D.; Potschka, A. XAI for Operations in the Process Industry - Applications, Theses, and Research Directions. In CEUR Workshop Proceedings, Proceedings of the AAAI 2021 Spring Symposium on Combining Machine Learning and Knowledge Engineering (AAAI-MAKE 2021), Palo Alto, CA, USA, 22–24 March 2021; Martin, A., Hinkelmann, K., Fill, H.G., Gerber, A., Lenat, D., Stolle, R., van Harmelen, F., Eds.; CEUR-WS.Org: Örebro, Sweden, 2021; Volume 2846.
  • Nor, K.; Pedapati, S.R.; Muhammad, M. Application of Explainable AI (Xai) For Anomaly Detection and Prognostic of Gas Turbines with Uncertainty Quantification. Preprints 2021 , 2021 , 2021090034. [ Google Scholar ] [ CrossRef ]
  • Brito, L.C.; Susto, G.A.; Brito, J.N.; Duarte, M.A. An explainable artificial intelligence approach for unsupervised fault detection and diagnosis in rotating machinery. Mech. Syst. Signal Process. 2022 , 163 , 108105. [ Google Scholar ] [ CrossRef ]
  • Grezmak, J.; Wang, P.; Sun, C.; Gao, R.X. Explainable Convolutional Neural Network for Gearbox Fault Diagnosis. In Procedia CIRP, Proceedings of the 26th CIRP Conference on Life Cycle Engineering (LCE) Purdue University, West Lafayette, IN, USA, 7–9 May 2019 ; Elsevier: Amsterdam, The Netherlands, 2019; Volume 80, pp. 476–481. [ Google Scholar ] [ CrossRef ]
  • Kim, M.S.; Yun, J.P.; Park, P. An Explainable Neural Network for Fault Diagnosis With a Frequency Activation Map. IEEE Access 2021 , 9 , 98962–98972. [ Google Scholar ] [ CrossRef ]
  • Srinivasan, S.; Arjunan, P.; Jin, B.; Sangiovanni-Vincentelli, A.L.; Sultan, Z.; Poolla, K. Explainable AI for Chiller Fault-Detection Systems: Gaining Human Trust. Computer 2021 , 54 , 60–68. [ Google Scholar ] [ CrossRef ]
  • Madhikermi, M.; Malhi, A.K.; Främling, K. Explainable Artificial Intelligence Based Heat Recycler Fault Detection in Air Handling Unit. In Proceedings of the Explainable, Transparent Autonomous Agents and Multi-Agent Systems; Calvaresi, D., Najjar, A., Schumacher, M., Främling, K., Eds.; Springer: Cham, Switzerland, 2019; pp. 110–125. [ Google Scholar ]
  • Hong, C.W.; Lee, C.; Lee, K.; Ko, M.S.; Hur, K. Explainable Artificial Intelligence for the Remaining Useful Life Prognosis of the Turbofan Engines. In Proceedings of the 2020 3rd IEEE International Conference on Knowledge Innovation and Invention (ICKII), Kaohsiung, Taiwan, 21–23 August 2020; pp. 144–147. [ Google Scholar ] [ CrossRef ]
  • Abid, F.B.; Sallem, M.; Braham, A. Robust Interpretable Deep Learning for Intelligent Fault Diagnosis of Induction Motors. IEEE Trans. Instrum. Meas. 2020 , 69 , 3506–3515. [ Google Scholar ] [ CrossRef ]
  • Sun, K.H.; Huh, H.; Tama, B.A.; Lee, S.Y.; Jung, J.H.; Lee, S. Vision-Based Fault Diagnostics Using Explainable Deep Learning With Class Activation Maps. IEEE Access 2020 , 8 , 129169–129179. [ Google Scholar ] [ CrossRef ]
  • Li, Y.F.; Liu, J. A Bayesian Network Approach for Imbalanced Fault Detection in High Speed Rail Systems. In Proceedings of the 2018 IEEE International Conference on Prognostics and Health Management (ICPHM), Seattle, WA, USA, 11–13 June 2018; pp. 1–7. [ Google Scholar ] [ CrossRef ]
  • Carletti, M.; Masiero, C.; Beghi, A.; Susto, G.A. Explainable Machine Learning in Industry 4.0: Evaluating Feature Importance in Anomaly Detection to Enable Root Cause Analysis. In Proceedings of the 2019 IEEE International Conference on Systems, Man and Cybernetics (SMC), Bari, Italy, 6–9 October 2019; pp. 21–26. [ Google Scholar ] [ CrossRef ]
  • Szelążek, M.; Bobek, S.; Gonzalez-Pardo, A.; Nalepa, G.J. Towards the Modeling of the Hot Rolling Industrial Process. Preliminary Results. In Proceedings of the Intelligent Data Engineering and Automated Learning—IDEAL 2020 ; Analide, C., Novais, P., Camacho, D., Yin, H., Eds.; Springer: Cham, Switzerland, 2020; pp. 385–396. [ Google Scholar ]
  • Serradilla, O.; Zugasti, E.; Cernuda, C.; Aranburu, A.; de Okariz, J.R.; Zurutuza, U. Interpreting Remaining Useful Life estimations combining Explainable Artificial Intelligence and domain knowledge in industrial machinery. In Proceedings of the 2020 IEEE International Conference on Fuzzy Systems (FUZZ-IEEE), Glasgow, UK, 19–24 July 2020; pp. 1–8. [ Google Scholar ] [ CrossRef ]
  • Wang, Y.; Wang, P. Explainable machine learning for motor fault diagnosis. In Proceedings of the 2023 IEEE International Instrumentation and Measurement Technology Conference (I2MTC), Kuala Lumpur, Malaysia, 22–25 May 2023; pp. 1–6. [ Google Scholar ] [ CrossRef ]
  • Gamal Al-Kaf, H.A.; Lee, K.B. Explainable Machine Learning Method for Open Fault Detection of NPC Inverter Using SHAP and LIME. In Proceedings of the 2023 IEEE Conference on Energy Conversion (CENCON), Kuching, Malaysia, 23–24 October 2023; pp. 14–19. [ Google Scholar ] [ CrossRef ]
  • Gummadi, A.; Napier, J.; Abdallah, M. XAI-IoT: An Explainable AI Framework for Enhancing Anomaly Detection in IoT Systems. IEEE Access 2024 , 12 , 71024–71054. [ Google Scholar ] [ CrossRef ]
  • Sinha, A.; Das, D. An explainable deep learning approach for detection and isolation of sensor and machine faults in predictive maintenance paradigm. Meas. Sci. Technol. 2023 , 35 , 015122. [ Google Scholar ] [ CrossRef ]
  • Zhou, D.; Yao, Q.; Wu, H.; Ma, S.; Zhang, H. Fault diagnosis of gas turbine based on partly interpretable convolutional neural networks. Energy 2020 , 200 , 117467. [ Google Scholar ] [ CrossRef ]
  • Oh, C.; Jeong, J. VODCA: Verification of Diagnosis Using CAM-Based Approach for Explainable Process Monitoring. Sensors 2020 , 20 , 6858. [ Google Scholar ] [ CrossRef ]
  • Kumar, P.; Hati, A.S. Deep convolutional neural network based on adaptive gradient optimizer for fault detection in SCIM. ISA Trans. 2021 , 111 , 350–359. [ Google Scholar ] [ CrossRef ]
  • Felsberger, L.; Apollonio, A.; Cartier-Michaud, T.; Müller, A.; Todd, B.; Kranzlmüller, D. Explainable Deep Learning for Fault Prognostics in Complex Systems: A Particle Accelerator Use-Case. In Proceedings of the Machine Learning and Knowledge Extraction ; Holzinger, A., Kieseberg, P., Tjoa, A.M., Weippl, E., Eds.; Springer: Cham, Switzerland, 2020; pp. 139–158. [ Google Scholar ]
  • Grezmak, J.; Zhang, J.; Wang, P.; Gao, R.X. Multi-stream convolutional neural network-based fault diagnosis for variable frequency drives in sustainable manufacturing systems. In Procedia Manufacturing, Proceedings of the Sustainable Manufacturing—Hand in Hand to Sustainability on Globe: Proceedings of the 17th Global Conference on Sustainable Manufacturing, Shanghai, China, 9–11 October 2020 ; Elsevier: Amsterdam, The Netherlands, 2020; Volume 43, pp. 511–518. [ Google Scholar ]
  • Lee, J.; Noh, I.; Lee, J.; Lee, S.W. Development of an Explainable Fault Diagnosis Framework Based on Sensor Data Imagification: A Case Study of the Robotic Spot-Welding Process. IEEE Trans. Ind. Inform. 2022 , 18 , 6895–6904. [ Google Scholar ] [ CrossRef ]
  • Yang, D.; Karimi, H.R.; Gelman, L. An explainable intelligence fault diagnosis framework for rotating machinery. Neurocomputing 2023 , 541 , 126257. [ Google Scholar ] [ CrossRef ]
  • Nie, X.; Xie, G. A novel normalized recurrent neural network for fault diagnosis with noisy labels. J. Intell. Manuf. 2021 , 32 , 1271–1288. [ Google Scholar ] [ CrossRef ]
  • Gribbestad, M.; Hassan, M.U.; Hameed, I.A.; Sundli, K. Health Monitoring of Air Compressors Using Reconstruction-Based Deep Learning for Anomaly Detection with Increased Transparency. Entropy 2021 , 23 , 83. [ Google Scholar ] [ CrossRef ] [ PubMed ]
  • Brusa, E.; Cibrario, L.; Delprete, C.; Di Maggio, L.G. Explainable AI for Machine Fault Diagnosis: Understanding Features’ Contribution in Machine Learning Models for Industrial Condition Monitoring. Appl. Sci. 2023 , 13 , 2038. [ Google Scholar ] [ CrossRef ]
  • Moosavi, S.; Razavi-Far, R.; Palade, V.; Saif, M. Explainable Artificial Intelligence Approach for Diagnosing Faults in an Induction Furnace. Electronics 2024 , 13 , 1721. [ Google Scholar ] [ CrossRef ]
  • Amarasinghe, K.; Kenney, K.; Manic, M. Toward Explainable Deep Neural Network Based Anomaly Detection. In Proceedings of the 2018 11th International Conference on Human System Interaction (HSI), Gdansk, Poland, 4–6 July 2018; pp. 311–317. [ Google Scholar ] [ CrossRef ]
  • Yu, J.; Liu, G. Knowledge extraction and insertion to deep belief network for gearbox fault diagnosis. Knowl.-Based Syst. 2020 , 197 , 105883. [ Google Scholar ] [ CrossRef ]
  • Keleko, A.T.; Kamsu-Foguem, B.; Ngouna, R.H.; Tongne, A. Health condition monitoring of a complex hydraulic system using Deep Neural Network and DeepSHAP explainable XAI. Adv. Eng. Softw. 2023 , 175 , 103339. [ Google Scholar ] [ CrossRef ]
  • Liu, Y.; Li, Z.; Chen, H. Artificial Intelligence-based Fault Detection and Diagnosis: Towards Application in a Chemical Process. In Proceedings of the 2023 CAA Symposium on Fault Detection, Supervision and Safety for Technical Processes (SAFEPROCESS), Yibin, China, 22–24 September 2023; pp. 1–6. [ Google Scholar ] [ CrossRef ]
  • Santos, M.R.; Guedes, A.; Sanchez-Gendriz, I. SHapley Additive exPlanations (SHAP) for Efficient Feature Selection in Rolling Bearing Fault Diagnosis. Mach. Learn. Knowl. Extr. 2024 , 6 , 316–341. [ Google Scholar ] [ CrossRef ]
  • Harinarayan, R.R.A.; Shalinie, S.M. XFDDC: Explainable Fault Detection Diagnosis and Correction framework for chemical process systems. Process Saf. Environ. Prot. 2022 , 165 , 463–474. [ Google Scholar ] [ CrossRef ]
  • Sinha, A.; Das, D. XAI-LCS: Explainable AI-Based Fault Diagnosis of Low-Cost Sensors. IEEE Sens. Lett. 2023 , 7 , 1–4. [ Google Scholar ] [ CrossRef ]
  • Meas, M.; Machlev, R.; Kose, A.; Tepljakov, A.; Loo, L.; Levron, Y.; Petlenkov, E.; Belikov, J. Explainability and Transparency of Classifiers for Air-Handling Unit Faults Using Explainable Artificial Intelligence (XAI). Sensors 2022 , 22 , 6338. [ Google Scholar ] [ CrossRef ]
  • Devkar, P.; Venkatarathnam, G. Enhancing Fault Detection and Diagnosis in AHU Using Explainable AI. In Sustainability in Energy and Buildings 2023 ; Littlewood, J.R., Jain, L., Howlett, R.J., Eds.; Springer Nature: Singapore, 2024; pp. 131–142. [ Google Scholar ] [ CrossRef ]
  • Hrnjica, B.; Softic, S. Explainable AI in Manufacturing: A Predictive Maintenance Case Study ; Springer: Cham, Switzerland, 2020; pp. 66–73. [ Google Scholar ] [ CrossRef ]
  • Paolanti, M.; Romeo, L.; Felicetti, A.; Mancini, A.; Frontoni, E.; Loncarski, J. Machine Learning approach for Predictive Maintenance in Industry 4.0. In Proceedings of the 2018 14th IEEE/ASME International Conference on Mechatronic and Embedded Systems and Applications (MESA), Oulu, Finland, 2–4 July 2018; pp. 1–6. [ Google Scholar ] [ CrossRef ]
  • Langone, R.; Cuzzocrea, A.; Skantzos, N. Interpretable Anomaly Prediction: Predicting anomalous behavior in industry 4.0 settings via regularized logistic regression tools. Data Knowl. Eng. 2020 , 130 , 101850. [ Google Scholar ] [ CrossRef ]
  • Cummins, L.; Sommers, A.; Ramezani, S.B.; Mittal, S.; Jabour, J.; Seale, M.; Rahimi, S. Explainable Predictive Maintenance: A Survey of Current Methods, Challenges and Opportunities. IEEE Access 2024 , 12 , 57574–57602. [ Google Scholar ] [ CrossRef ]
  • Tchakoua, P.; Wamkeue, R.; Hasnaoui, F.; Theubou Tameghe, T.A.; Ekemb, G. New trends and future challenges for wind turbines condition monitoring. In Proceedings of the 2013 International Conference on Control, Automation and Information Sciences (ICCAIS), Nha Trang, Vietnam, 25–28 November 2013; pp. 238–245. [ Google Scholar ] [ CrossRef ]
  • Matzka, S. Explainable Artificial Intelligence for Predictive Maintenance Applications. In Proceedings of the 2020 Third International Conference on Artificial Intelligence for Industries (AI4I), Irvine, CA, USA, 21–23 September 2020; pp. 69–74. [ Google Scholar ] [ CrossRef ]
  • Wu, H.; Huang, A.; Sutherland, J.W. Layer-wise relevance propagation for interpreting LSTM-RNN decisions in predictive maintenance. Int. J. Adv. Manuf. Technol. 2022 , 118 , 963–978. [ Google Scholar ] [ CrossRef ]
  • Mansouri, T.; Vadera, S. Explainable fault prediction using learning fuzzy cognitive maps. Expert Syst. 2023 , 40 , e13316. [ Google Scholar ] [ CrossRef ]
  • Mansouri, T.; Vadera, S. A Deep Explainable Model for Fault Prediction Using IoT Sensors. IEEE Access 2022 , 10 , 66933–66942. [ Google Scholar ] [ CrossRef ]
  • Christou, I.T.; Kefalakis, N.; Zalonis, A.; Soldatos, J. Predictive and Explainable Machine Learning for Industrial Internet of Things Applications. In Proceedings of the 2020 16th International Conference on Distributed Computing in Sensor Systems (DCOSS), Marina del Rey, CA, USA, 25–27 May 2020; pp. 213–218. [ Google Scholar ] [ CrossRef ]
  • Silva, R.L.; Rudek, M.; Szejka, A.L.; Junior, O.C. Machine Vision Systems for Industrial Quality Control Inspections. In Proceedings of the Product Lifecycle Management to Support Industry 4.0; Chiabert, P., Bouras, A., Noël, F., Ríos, J., Eds.; Springer: Cham, Switzerland, 2018; pp. 631–641. [ Google Scholar ]
  • Goldman, C.; Baltaxe, M.; Chakraborty, D.; Arinez, J. Explaining Learning Models in Manufacturing Processes. Procedia Comput. Sci. 2021 , 180 , 259–268. [ Google Scholar ] [ CrossRef ]
  • Lee, M.; Jeon, J.; Lee, H. Explainable AI for domain experts: A post Hoc analysis of deep learning for defect classification of TFT–LCD panels. J. Intell. Manuf. 2022 , 33 , 1747–1759. [ Google Scholar ] [ CrossRef ]
  • Senoner, J.; Netland, T.; Feuerriegel, S. Using Explainable Artificial Intelligence to Improve Process Quality: Evidence from Semiconductor Manufacturing. Manag. Sci. 2021 , 68 , 5557–6354. [ Google Scholar ] [ CrossRef ]
  • Kharal, A. Explainable Artificial Intelligence Based Fault Diagnosis and Insight Harvesting for Steel Plates Manufacturing. arXiv 2020 , arXiv:cs.AI/2008.04448. [ Google Scholar ]
  • Meister, S.; Wermes, M.; Stüve, J.; Groves, R. Investigations on Explainable Artificial Intelligence methods for the deep learning classification of fibre layup defect in the automated composite manufacturing. Compos. Part B Eng. 2021 , 224 , 109160. [ Google Scholar ] [ CrossRef ]
  • Lavasa, E.; Chadoulos, C.; Siouras, A.; Etxabarri Llana, A.; Rodríguez Del Rey, S.; Dalamagas, T.; Moustakidis, S. Toward Explainable Metrology 4.0: Utilizing Explainable AI to Predict the Pointwise Accuracy of Laser Scanning Devices in Industrial Manufacturing. In Artificial Intelligence in Manufacturing: Enabling Intelligent, Flexible and Cost-Effective Production Through AI ; Springer Nature: Cham, Switzerland, 2024; pp. 479–501. [ Google Scholar ] [ CrossRef ]
  • Hwang, C.; Lee, T. E-SFD: Explainable Sensor Fault Detection in the ICS Anomaly Detection System. IEEE Access 2021 , 9 , 140470–140486. [ Google Scholar ] [ CrossRef ]
  • Makridis, G.; Theodoropoulos, S.; Dardanis, D.; Makridis, I.; Separdani, M.M.; Fatouros, G.; Kyriazis, D.; Koulouris, P. XAI enhancing cyber defence against adversarial attacks in industrial applications. In Proceedings of the 2022 IEEE 5th International Conference on Image Processing Applications and Systems (IPAS), Genova, Italy, 5–7 December 2022; Volume 5, pp. 1–8. [ Google Scholar ] [ CrossRef ]
  • Bac, T.P.; Ha, D.T.; Tran, K.D.; Tran, K.P. Explainable Articial Intelligence for Cybersecurity in Smart Manufacturing. In Artificial Intelligence for Smart Manufacturing: Methods, Applications, and Challenges ; Tran, K.P., Ed.; Springer International Publishing: Cham, Switzerland, 2023; pp. 199–223. [ Google Scholar ] [ CrossRef ]
  • Sivamohan, S.; Sridhar, S.S. An optimized model for network intrusion detection systems in industry 4.0 using XAI based Bi-LSTM framework. Neural Comput. Appl. 2023 , 35 , 11459–11475. [ Google Scholar ] [ CrossRef ] [ PubMed ]
  • Kundu, R.K.; Hoque, K.A. Explainable Predictive Maintenance is Not Enough: Quantifying Trust in Remaining Useful Life Estimation. Annu. Conf. Phm Soc. 2023 , 15 . [ Google Scholar ] [ CrossRef ]
  • Klamert, V.; Schmid-Kietreiber, M.; Bublin, M. A deep learning approach for real time process monitoring and curling defect detection in Selective Laser Sintering by infrared thermography and convolutional neural networks. In Procedia CIRP, Proceedings of the 12th CIRP Conference on Photonic Technologies [LANE 2022], Furth, Germany, 4–8 September 2022 ; Elsevier: Amsterdam, The Netherlands, 2022; Volume 111, pp. 317–320. [ Google Scholar ] [ CrossRef ]
  • Hanchate, A.; Bukkapatnam, S.T.; Lee, K.H.; Srivastava, A.; Kumara, S. Explainable AI (XAI)-driven vibration sensing scheme for surface quality monitoring in a smart surface grinding process. J. Manuf. Processes 2023 , 99 , 184–194. [ Google Scholar ] [ CrossRef ]
  • Javaid, M.; Haleem, A.; Singh, R.P.; Suman, R.; Gonzalez, E.S. Understanding the adoption of Industry 4.0 technologies in improving environmental sustainability. Sustain. Oper. Comput. 2022 , 3 , 203–217. [ Google Scholar ] [ CrossRef ]
  • Yu, Z.; Gao, H.; Cong, X.; Wu, N.; Song, H.H. A Survey on Cyber–Physical Systems Security. IEEE Internet Things J. 2023 , 10 , 21670–21686. [ Google Scholar ] [ CrossRef ]
  • Alguliyev, R.; Imamverdiyev, Y.; Sukhostat, L. Cyber-physical systems and their security issues. Comput. Ind. 2018 , 100 , 212–223. [ Google Scholar ] [ CrossRef ]
  • Farajzadeh-Zanjani, M.; Hallaji, E.; Razavi-Far, R.; Saif, M. Generative-Adversarial Class-Imbalance Learning for Classifying Cyber-Attacks and Faults - A Cyber-Physical Power System. IEEE Trans. Dependable Secur. Comput. 2022 , 19 , 4068–4081. [ Google Scholar ] [ CrossRef ]
  • Farajzadeh-Zanjani, M.; Hallaji, E.; Razavi-Far, R.; Saif, M. Generative adversarial dimensionality reduction for diagnosing faults and attacks in cyber-physical systems. Neurocomputing 2021 , 440 , 101–110. [ Google Scholar ] [ CrossRef ]
  • Kim, S.; Park, K.J.; Lu, C. A Survey on Network Security for Cyber–Physical Systems: From Threats to Resilient Design. IEEE Commun. Surv. Tutor. 2022 , 24 , 1534–1573. [ Google Scholar ] [ CrossRef ]
  • Hoenig, A.; Roy, K.; Acquaah, Y.; Yi, S.; Desai, S. Explainable AI for Cyber-Physical Systems: Issues and Challenges. IEEE Access 2024 , 12 , 73113–73140. [ Google Scholar ] [ CrossRef ]
  • Le, D.; Vung, P.; Nguyen, H.; Dang, T. Visualization and Explainable Machine Learning for Efficient Manufacturing and System Operations. Smart Sustain. Manuf. Syst. 2019 , 3 , 20190029. [ Google Scholar ] [ CrossRef ]
  • Wang, M.; Zheng, K.; Yang, Y.; Wang, X. An Explainable Machine Learning Framework for Intrusion Detection Systems. IEEE Access 2020 , 8 , 73127–73141. [ Google Scholar ] [ CrossRef ]
  • Barnard, P.; Marchetti, N.; DaSilva, L.A. Robust Network Intrusion Detection Through Explainable Artificial Intelligence (XAI). IEEE Netw. Lett. 2022 , 4 , 167–171. [ Google Scholar ] [ CrossRef ]
  • Houda, Z.A.E.; Brik, B.; Khoukhi, L. “Why Should I Trust Your IDS?”: An Explainable Deep Learning Framework for Intrusion Detection Systems in Internet of Things Networks. IEEE Open J. Commun. Soc. 2022 , 3 , 1164–1176. [ Google Scholar ] [ CrossRef ]
  • Zebin, T.; Rezvy, S.; Luo, Y. An Explainable AI-Based Intrusion Detection System for DNS Over HTTPS (DoH) Attacks. IEEE Trans. Inf. Forensics Secur. 2022 , 17 , 2339–2349. [ Google Scholar ] [ CrossRef ]
  • Oseni, A.; Moustafa, N.; Creech, G.; Sohrabi, N.; Strelzoff, A.; Tari, Z.; Linkov, I. An Explainable Deep Learning Framework for Resilient Intrusion Detection in IoT-Enabled Transportation Networks. IEEE Trans. Intell. Transp. Syst. 2023 , 24 , 1000–1014. [ Google Scholar ] [ CrossRef ]
  • Gaspar, D.; Silva, P.; Silva, C. Explainable AI for Intrusion Detection Systems: LIME and SHAP Applicability on Multi-Layer Perceptron. IEEE Access 2024 , 12 , 30164–30175. [ Google Scholar ] [ CrossRef ]
  • Jeong, S.; Lee, S.; Lee, H.; Kim, H.K. X-CANIDS: Signal-Aware Explainable Intrusion Detection System for Controller Area Network-Based In-Vehicle Network. IEEE Trans. Veh. Technol. 2024 , 73 , 3230–3246. [ Google Scholar ] [ CrossRef ]
  • Arreche, O.; Guntur, T.R.; Roberts, J.W.; Abdallah, M. E-XAI: Evaluating Black-Box Explainable AI Frameworks for Network Intrusion Detection. IEEE Access 2024 , 12 , 23954–23988. [ Google Scholar ] [ CrossRef ]
  • Shtayat, M.M.; Hasan, M.K.; Sulaiman, R.; Islam, S.; Khan, A.U.R. An Explainable Ensemble Deep Learning Approach for Intrusion Detection in Industrial Internet of Things. IEEE Access 2023 , 11 , 115047–115061. [ Google Scholar ] [ CrossRef ]
  • Javeed, D.; Gao, T.; Kumar, P.; Jolfaei, A. An Explainable and Resilient Intrusion Detection System for Industry 5.0. IEEE Trans. Consum. Electron. 2024 , 70 , 1342–1350. [ Google Scholar ] [ CrossRef ]
  • Arisdakessian, S.; Wahab, O.A.; Mourad, A.; Otrok, H.; Guizani, M. A Survey on IoT Intrusion Detection: Federated Learning, Game Theory, Social Psychology, and Explainable AI as Future Directions. IEEE Internet Things J. 2023 , 10 , 4059–4092. [ Google Scholar ] [ CrossRef ]
  • Neupane, S.; Ables, J.; Anderson, W.; Mittal, S.; Rahimi, S.; Banicescu, I.; Seale, M. Explainable Intrusion Detection Systems (X-IDS): A Survey of Current Methods, Challenges, and Opportunities. IEEE Access 2022 , 10 , 112392–112415. [ Google Scholar ] [ CrossRef ]
  • Moustafa, N.; Koroniotis, N.; Keshk, M.; Zomaya, A.Y.; Tari, Z. Explainable Intrusion Detection for Cyber Defences in the Internet of Things: Opportunities and Solutions. IEEE Commun. Surv. Tutor. 2023 , 25 , 1775–1807. [ Google Scholar ] [ CrossRef ]
  • Chen, T.C.T. Explainable Artificial Intelligence (XAI) in Manufacturing. In Explainable Artificial Intelligence (XAI) in Manufacturing: Methodology, Tools, and Applications ; Springer International Publishing: Cham, Switzerland, 2023; pp. 1–11. [ Google Scholar ] [ CrossRef ]
  • Islam, M.R.; Ahmed, M.U.; Barua, S.; Begum, S. A Systematic Review of Explainable Artificial Intelligence in Terms of Different Application Domains and Tasks. Appl. Sci. 2022 , 12 , 1353. [ Google Scholar ] [ CrossRef ]
| Models | XAI Methods | References |
|---|---|---|
| Bayesian Network | Intrinsic | [ ] |
| Fuzzy Logic System | Intrinsic | [ ] |
| Isolation Forest | SHAP, Local-DIFFI | [ , , ] |
| RF | SHAP, ELI5, LIME, CEM | [ , , , , ] |
| CNN | CAM, grad-CAM, FAM, SHAP, LRP | [ , , , , , , , , , , , , , , , ] |
| RNN | LRP | [ ] |
| LSTM | SHAP, MAE | [ , ] |
| Bi-LSTM | SHAP | [ ] |
| Bayesian DL | SHAP | [ ] |
| KNN | SHAP | [ , ] |
| ANN | LIME | [ , ] |
| DNN | SHAP, LIME, LRP, KBDBN, CEM | [ , , , , ] |
| SVM | SHAP, LIME, DIFFI, CEM | [ , , , , , ] |
| XGB | LIME, SHAP | [ , , , , , ] |

| Reference | Year | Use Case | Algorithm | Data Type | XAI Approach | XAI Output |
|---|---|---|---|---|---|---|
| [ ] | 2020 | PD | XGB and LGBM | Tabular | SHAP | Feature Importance |
| [ ] | 2022 | PD | Keras-based DNN | Chemical composition | LIME | Feature Importance |
| [ ] | 2023 | PD | NN | Tabular | SHAP | Feature Importance |
| [ ] | 2023 | PD | GPR | Tabular | SHAP | Feature Importance |
| [ ] | 2020 | PC | RF, XGB, Catboost | Tabular | SHAP | Feature Importance |
| [ ] | 2023 | PC | RF | Tabular | LIME | Feature Importance |
| [ ] | 2023 | PC | XGB and LGBM | Tabular | SHAP | Feature Importance |
| [ ] | 2023 | PC | RF | Tabular | SHAP | Feature Importance |
| [ ] | 2021 | InvM | RF, KNN, LGBM, XGB, BB, NN, LR, SVM | Tabular | SHAP | Feature Importance |
| [ ] | 2022 | InvM | CNN | Tabular | SHAP, LIME | Feature Importance |
| [ ] | 2023 | InvM | SS-E-k-means | Tabular | SHAP | Feature Importance |
| [ ] | 2019 | FDD | CNN | Vibration | grad-CAM | Visual Explanation |
| [ ] | 2019 | FDD | SVM and DNN | Temperature and Speed | LIME | Feature Importance |
| [ ] | 2019 | FDD | DCNN | Vibration | LRP | Visual Explanation |
| [ ] | 2020 | FDD | CNN | Vibration | grad-CAM | Visual Explanation |
| [ ] | 2020 | FDD | CNN | Vibration | LRP | Visual Explanation |
| [ ] | 2020 | FDD | CNN, LSTM, Bi-LSTM | Temperature, Pressure and Speed | SHAP | Feature Importance |
| [ ] | 2020 | FDD | deep-SincNet | Current | Intrinsic | Temporal and Spectral Presentation |
| [ ] | 2020 | FDD | CNN | Vibration | CAM | Visual Explanation |
| [ ] | 2021 | FDD | KNN, IF, etc. | Vibration | SHAP and Local-DIFFI | Feature Importance |
| [ ] | 2021 | FDD | KNN | Vibration | SHAP | Feature Importance |
| [ ] | 2021 | FDD | CNN | Vibration | grad-CAM | Visual Explanation |
| [ ] | 2021 | FDD | CNN | Vibration | FAM | Visual Explanation |
| [ ] | 2021 | FDD | DNN | Temperature, Pressure, Speed and Position | SHAP | Feature Importance |
| [ ] | 2021 | FDD | XGB | Temperature, Flow and Power | LIME | Feature Importance |
| [ ] | 2021 | FDD | WKN | Vibration | Intrinsic | Feature Map |
| [ ] | 2022 | FDD | XGB | Tabular | SHAP | Feature Importance |
| [ ] | 2023 | FDD | CNN-XGB | Vibration | SHAP | Feature Importance |
| [ ] | 2018 | CybSec | DNN | Tabular | LRP | Feature Importance |
| [ ] | 2021 | CybSec | Bi-LSTM | Tabular | SHAP | Feature Importance |
| [ ] | 2021 | CybSec | Conv-LSTM | Tabular | LIME | Feature Importance |
| [ ] | 2022 | CybSec | CNN | Image | grad-CAM, LIME | Visual Explanation |
| [ ] | 2023 | CybSec | LSTM | Tabular | SHAP | Feature Importance |
| [ ] | 2023 | CybSec | BiLSTM | Tabular | SHAP, LIME | Feature Importance |
| [ ] | 2020 | PdM | LGBM | Tabular | Intrinsic | Feature Importance |
| [ ] | 2020 | PdM | Regularized Logistic Regression | Temperature, Pressure, and Speed | Intrinsic | Feature Importance |
| [ ] | 2021 | PdM | FLS | Pressure and Current | Intrinsic | Rules |
| [ ] | 2022 | PdM | PCA + DCAE | Tabular | Intrinsic | Feature Importance |
| [ ] | 2023 | PdM | XGB, RF, LR, FFNN | Tabular | SHAP, LIME, Anchor | Rules, Feature Importance |
| [ ] | 2024 | PdM | FLS | Pressure, vibration, ultrasonic, and Current | Intrinsic | Rules |
| [ ] | 2024 | PdM | SVM, RF, DT, KNN | Vibration, current, and temperature | LIME, SHAP, PDP, ICE | Feature Importance |
| [ ] | 2021 | QA | CNN | Tabular | CAM | Visual Explanation |
| [ ] | 2021 | QA | CNN | Image | LRP and DT | Visualization and Rules |
| [ ] | 2021 | QA | Non-linear Meta Model | Tabular | SHAP | Feature Importance |
| [ ] | 2020 | QA | RF | Tabular | ARM | Rules |
| [ ] | 2021 | QA | CNN | Image | SHAP, Smooth IG, grad-CAM | Visual Explanation |
| [ ] | 2022 | QA | CNN | Image | grad-CAM | Visual Explanation |
| [ ] | 2023 | QA | CNN | Image | LIME | Feature Importance |


Moosavi, S.; Farajzadeh-Zanjani, M.; Razavi-Far, R.; Palade, V.; Saif, M. Explainable AI in Manufacturing and Industrial Cyber–Physical Systems: A Survey. Electronics 2024 , 13 , 3497. https://doi.org/10.3390/electronics13173497

Mitigate Flooding

Green infrastructure can mitigate flood risk by slowing and reducing stormwater runoff and protecting floodplains. As the climate changes, this type of mitigation becomes even more crucial for communities. Heavy precipitation events have increased in recent years and are expected to become more frequent and intense as global temperatures continue to rise. As a result, the risk of flooding is likely to increase in many areas across the United States.

Among the types of flooding expected to become more frequent are localized floods and riverine floods. Localized floods happen when rainfall overwhelms the capacity of drainage systems, while riverine floods happen when river flows exceed the capacity of the river channel. By the year 2100, more areas are projected to be at risk of flooding, and the annual damages from flooding are predicted to increase by $750 million. i , ii Communities with fewer resources to prepare for and recover from floods are disproportionately vulnerable to flood damage and other negative impacts. Visit EPA's Equitable Green Infrastructure page to learn more about implementing green infrastructure in communities with environmental justice concerns.

Explore the sections below to learn how green infrastructure mitigates the risk of localized and riverine floods and to find resources for state and local government officials working in the field of stormwater management.

Using Green Infrastructure for Flood Mitigation

By improving stormwater and floodplain management, green infrastructure can build communities' resiliency to localized and riverine flooding. To learn about green infrastructure for coastal floods, visit the Protect Coasts page.

Model Impacts and Improve Infiltration to Mitigate Localized Flooding

In areas impacted by localized flooding, green infrastructure can help absorb rainfall—reducing the quantity of water pooling or flooding in streets—and reduce pollutants to improve water quality. Along with practices that temporarily store large volumes of stormwater (such as ponds or retention practices), green infrastructure can also help prevent stormwater from overwhelming pipe networks. Examples of green infrastructure that enhance infiltration (e.g., permeable pavements) and reduce flooding include rain retention (e.g., rain gardens, bioswales).

Communities susceptible to localized flooding can use models to learn more about the impact green infrastructure can have on managing their flood risk. Hydrologic and hydraulic modeling can help identify types of green and gray infrastructure that will meet flood reduction and water quality goals.

Case Study: The Capitol Region Watershed District in Ramsey County, Minnesota

The Capitol Region Watershed District in Ramsey County, Minnesota, selected different types of green infrastructure to address localized flooding and phosphorus loading. Selected types included:

  • Rain gardens
  • Underground infiltration trenches
  • An underground storage and infiltration system
  • A regional stormwater pond

As of 2010, the infiltration trenches reduced runoff volumes by 77 percent, the rain gardens reduced runoff volumes by 88 percent, the underground storage and infiltration system reduced runoff volumes by 100 percent, and the pond reduced runoff volumes by 5 percent. Installing green infrastructure—at an estimated cost of $2 million—was more cost-effective than installing an all-gray infrastructure alternative, estimated at $2.5 million for a new 60-inch diameter storm sewer pipe. See: Arlington Pascal Stormwater Project Brochure (pdf) and Arlington Pascal Best Management Practices Performance and Cost-Benefit Analysis Project 2007-2010 (pdf).

Communities can also use EPA's publicly accessible National Stormwater Calculator to estimate the annual amount of rainwater and frequency of runoff from a specific site. This knowledge can help communities plan for green infrastructure and stormwater management.

Preserve Land to Mitigate Riverine Flooding

Communities susceptible to riverine flooding can more effectively manage their flood risk by combining green infrastructure with floodplain management. Conserving land in or around the floodplain can complement gray infrastructure by protecting the natural function of floodplains, thus reducing the volume of stormwater that flows into streams and rivers, as well as reducing the damage to infrastructure and property.

Geographic information system (GIS) and hydraulic modeling can help with the following:

  • Estimating the flood damage mitigation benefits of green infrastructure (e.g., the volume of stormwater that would be captured and infiltrated by green infrastructure).
  • Comparing the benefits to the cost of conservation.
  • Targeting investments in conservation toward the most cost-effective areas.

GIS can be used to identify areas that are flood-prone or cost-effective for conservation, and hydraulic modeling can quantify the amount of stormwater that can be managed by green infrastructure. EPA's National Stormwater Calculator allows users to analyze site hydrology, including future climate conditions, and estimate the cost of implementing green infrastructure. The Community-enabled Lifecycle Analysis of Stormwater Infrastructure Costs (CLASIC) tool is fully interfaced with GIS and allows users to analyze future precipitation rates and evaluate costs, reductions in runoff, and co-benefits of various stormwater management scenarios.

When preserving open space throughout a watershed, communities may want to target areas with water-absorbing soils in regions experiencing high growth. For example, the Milwaukee Metropolitan Sewerage District partnered with The Conservation Fund to protect land with those characteristics. As of 2022, the Greenseams program had protected roughly 5,000 acres of flood-prone land. iii Protecting that land reduced future flows and contaminants into receiving rivers, mitigating future flooding.

  • Environmental Justice Grants, Funding and Technical Assistance — This website summarizes several opportunities for grants, funding, and technical assistance all centered around environmental justice.
  • Building Resilient Infrastructure and Communities (BRIC) — This website details a funding opportunity for states, local communities, tribes, and territories through the Federal Emergency Management Agency (FEMA). If awarded it may be used for hazard mitigation projects to help with the associated risks of natural disasters such as wildfires, drought, hurricanes, earthquakes, extreme heat, and flooding.
  • Flood Mitigation Assistance Grant — This website details a funding opportunity for states, local communities, federally recognized tribes, and territories through FEMA. If awarded, it may be used for project scoping, technical assistance, community flood mitigation projects, individual structure- or property-level flood mitigation projects, and management costs.

Reports and Studies:

  • Flood Loss Avoidance Benefits of Green Infrastructure for Stormwater Management — This modeling study estimates the flood loss avoidance benefits from applying small storm retention practices for new development and redevelopment nationwide. Over time, using green stormwater infrastructure can save hundreds of millions of dollars in flood losses while just applying the practices to new development and redevelopment only. If retrofitting were to occur, the avoided losses would be even more significant.
  • Planning for Flood Recovery and Long-Term Resilience in Vermont: Smart Growth Approaches for Disaster-Resilient Communities (pdf) — This report describes strategies that communities can use to become more flood resilient, including conserving land in flood-prone areas, directing new development to safer areas, and using green infrastructure to manage stormwater.
  • Conley, G., R.I. McDonald, T. Nodine, T. Chapman, C. Holland, C. Hawkins, and N. Beck. (2021). Assessing the influence of urban greenness and green stormwater infrastructure on hydrology from satellite remote sensing. Science of the Total Environment, 817, 152723. Retrieved February 23, 2023.
  • Economic Assessment of Green Infrastructure Strategies for Climate Change Adaptation: Pilot Studies in the Great Lakes Region (pdf) — This National Oceanic and Atmospheric Administration study assesses stormwater management practices that can help communities reduce flooding by capturing, storing, or absorbing more water from precipitation events.
  • A Flood of Benefits – Using Green Infrastructure to Reduce Flood Risk — This study by The Nature Conservancy describes how green infrastructure can reduce flood risk and restore connections between rivers and flood plains while also providing other benefits associated with green infrastructure.
  • Green Stormwater Infrastructure for Urban Flood Resilience: Opportunity Analysis for Dallas, Texas (pdf) — Using hydrologic modeling and spatial analysis, this study by The Nature Conservancy investigates effective enhancement of urban flood management in the city of Dallas, Texas. Key findings include cost-effective opportunities to deploy green stormwater infrastructure (GSI) for improved stormwater management, reduced modeled overflows by GSI, less costly GSI implementation compared to upgraded gray infrastructure, and other benefits to GSI.
  • Kousky, C., S.M. Olmstead, M.A. Walls, and M. Macauley. (2013). Strategically Placing Green Infrastructure: Cost-Effective Land Conservation in the Floodplain. Environmental Science and Technology, 47 (8), 3563. Retrieved May 5, 2023.
  • The Potential of Green Infrastructure in Mitigating Flood Impacts on the Mobility of Low Income and Minority Neighborhoods — This report from the National Institute for Transportation and Communities, led by Courtney Crosson of the University of Arizona, advances national research methods for assessing flood vulnerability and prioritizing transportation improvement investments to ensure that no community is left stranded when the next flood occurs.

Guides and Fact Sheets:

  • Why Connect with Your State Hazard Mitigation Office? (pdf) — EPA fact sheet on the benefits of, and opportunities for, integrating Watershed Plans with FEMA Hazard Mitigation Plans.
  • Reducing Damage from Localized Flooding: A Guide for Communities (pdf) — This guide was produced by FEMA to help U.S. cities, towns, villages, and counties reduce damage, disruption, and public and private costs caused by localized flooding within their jurisdictions.
  • Green Infrastructure Modeling Toolkit — EPA has developed innovative models, tools, and technologies for communities to manage water runoff in urban and other environments. The resources in this toolkit incorporate green or a combination of green and gray infrastructure to help communities manage their water resources in a more sustainable way, increasing resilience to future changes.
  • Rain Garden Reserve (pdf) — This webinar presentation from the city of Cuyahoga Falls, Ohio, demonstrates how using a series of rain gardens can mitigate localized flooding. The 24,000-square-foot park drains an approximately 3-acre residential area and enhances outdoor recreational opportunities for the community.
  • Localized Flood Management — This webinar focuses on chronic flooding in urban areas and addressing the flooding with green infrastructure solutions.
  • AECOM; Michael Baker Jr., Inc.; and Deloitte Consulting, LLP. (2013). The impact of climate change and population growth on the National Flood Insurance Program through 2100. Retrieved July 1, 2014.
  • Wobus, C., M. Lawson, R. Jones, J. Smith, and J. Martinich. (2013). Estimating monetary damages from flooding in the United States under a changing climate. Journal of Flood Risk Management (pdf). Retrieved July 1, 2014.
  • The Conservation Fund. (2022). Greenseams Milwaukee. Retrieved November 30, 2022.

Comprehensive assessment of current municipal solid waste management in Chennai, India: a critical case study with real-time analysis

  • Original Paper
  • Published: 29 August 2024

  • R. Shiam Babu 1 ,
  • K. Prasanna 1 ,
  • P. Senthil Kumar 2 &
  • G. Rangasamy 3  

The municipal corporation of Chennai city has implemented numerous strategies and plans to manage municipal solid waste effectively. One of the prime strategies is the establishment of public–private partnership schemes, which play a crucial role in enhancing waste management practices. This case study assesses the conservancy operations carried out by multiple stakeholders in order to identify the strengths and areas for improvement in the waste management system. The study involved a range of strategies, including data collection, interviews, surveys, documentation, quantitative and thematic analysis, triangulation, and validation methods to ensure reliable outcomes. The findings reveal that 12.54% wet waste, 7.42% dry waste, and 0.07% hazardous waste are currently being segregated, while the majority of waste ends up in dumping grounds. Despite private company involvement, waste management practices are not optimized due to inadequate infrastructure, improper placement of facilities, underutilized design capacities, complex routing mechanisms, and outdated waste management plans. To achieve operational excellence and minimize compliance deviations, it is imperative for public sectors to prioritize integrating technological infrastructure and establishing real-time regulatory plans and frameworks. As an outcome, the full potential of the service can be harnessed, leading to a more efficient and sustainable waste management system. Overall, this study emphasizes the need for strategic interventions, improved infrastructure, revised waste management plans, and increased collaboration between public and private sectors to address existing challenges and enhance waste management practices in Chennai city.

Data availability

All the technical and analytical data generated during this study are included in this article.

Acknowledgements

Authors would like to thank SRM Institute of Science and Technology, Chennai, India for providing the research facilities to carry out this research work in time.

No funds were received from any fund-providing organization for this research work.

Author information

Authors and affiliations.

Department of Civil Engineering, College of Engineering and Technology, SRM Institute of Science and Technology, Kattankulathur, Tamil Nadu, 603 203, India

R. Shiam Babu & K. Prasanna

Centre for Pollution Control and Environmental Engineering, School of Engineering and Technology, Pondicherry University, Kalapet, Puducherry, 605014, India

P. Senthil Kumar

Department of Civil Engineering, Faculty of Engineering, Karpagam Academy of Higher Education, Pollachi Main Road, Eachanari Post, Coimbatore, Tamil Nadu, 641021, India

G. Rangasamy

Contributions

R. Shiam Babu: Conceptualization; Investigation; Methodology; Validation; Writing original draft. P. Senthil Kumar and K. Prasanna: Conceptualization; Investigation; Methodology; Supervision; Validation. Gayathri Rangasamy: Conceptualization; Data curation; Formal analysis; Visualization.

Corresponding author

Correspondence to P. Senthil Kumar .

Ethics declarations

Conflict of interest.

The authors proclaim that they have no conflict of interest.

Consent for publication

The final manuscript was accepted by all the authors and agreed to publication.

Additional information

Editorial responsibility: S. Mirkia.

Rights and permissions

Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.

About this article

Shiam Babu, R., Prasanna, K., Senthil Kumar, P. et al. Comprehensive assessment of current municipal solid waste management in Chennai, India: a critical case study with real-time analysis. Int. J. Environ. Sci. Technol. (2024). https://doi.org/10.1007/s13762-024-06009-5

Received: 12 March 2024

Revised: 07 July 2024

Accepted: 19 August 2024

Published: 29 August 2024

DOI: https://doi.org/10.1007/s13762-024-06009-5

  • Municipal solid waste
  • Chennai city
  • Conservancy operations
  • Centralized facilities
  • Decentralized facilities
  • Comprehensive assessment

Vulnerability Summary for the Week of August 19, 2024

The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.

Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities corresponds to the following scores:

  • High: vulnerabilities with a CVSS base score of 7.0–10.0
  • Medium: vulnerabilities with a CVSS base score of 4.0–6.9
  • Low: vulnerabilities with a CVSS base score of 0.0–3.9

Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis.  

High Vulnerabilities

Primary
Vendor -- Product
DescriptionPublishedCVSS ScoreSource InfoPatch Info
Liquid Web--GiveWP
 
Deserialization of Untrusted Data vulnerability in Liquid Web GiveWP allows Object Injection.This issue affects GiveWP: from n/a through 3.14.1.2024-08-19
 
webdevmattcrom--GiveWP Donation Plugin and Fundraising Platform
 
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.14.1 via deserialization of untrusted input from the 'give_title' parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to execute code remotely, and to delete arbitrary files.2024-08-20







 
sjhoo--Woo Inquiry

 
The Woo Inquiry plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 0.1 due to insufficient escaping on the user supplied parameter 'dbid' and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.2024-08-21

 
Forcepoint--Web Security

 
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Forcepoint Web Security (Transaction Viewer) allows Stored XSS. The Forcepoint Web Security portal allows administrators to generate detailed reports on user requests made through the Web proxy. It has been determined that the "user agent" field in the Transaction Viewer is vulnerable to a persistent Cross-Site Scripting (XSS) vulnerability, which can be exploited by any user who can route traffic through the Forcepoint Web proxy. This vulnerability enables unauthorized attackers to execute JavaScript within the browser context of a Forcepoint administrator, thereby allowing them to perform actions on the administrator's behalf. Such a breach could lead to unauthorized access or modifications, posing a significant security risk. This issue affects Web Security: before 8.5.6.2024-08-22
 
Joomla! Project--Joomla CMS

 
The pagination class includes arbitrary parameters in links, leading to cache poisoning attack vectors.2024-08-20
 
LiteSpeed Technologies --LiteSpeed Cache

 
Incorrect Privilege Assignment vulnerability in LiteSpeed Technologies LiteSpeed Cache litespeed-cache allows Privilege Escalation.This issue affects LiteSpeed Cache: from 1.9 through 6.3.0.1.2024-08-21

 
SolarWinds--Web Help Desk

 
The SolarWinds Web Help Desk (WHD) software is affected by a hardcoded credential vulnerability, allowing remote unauthenticated user to access internal functionality and modify data.2024-08-21

 
newlib_project -- newlib
 
An issue in newlib v.4.3.0 allows an attacker to execute arbitrary code via the time unit scaling in the _gettimeofday function.2024-08-20


 
N/A -- N/A

 
A SQL Injection vulnerability exists in the Downtime component in Centreon Web 24.04.x before 24.04.3, 23.10.x before 23.10.13, 23.04.x before 23.04.19, and 22.10.x before 22.10.23.2024-08-23

 
N/A -- N/A

 
A SQL Injection vulnerability exists in the Timeperiod component in Centreon Web 24.04.x before 24.04.3, 23.10.x before 23.10.13, 23.04.x before 23.04.19, and 22.10.x before 22.10.23.2024-08-23

 
n/a--n/a
 
Keyfactor Command 10.5.x before 10.5.1 and 11.5.x before 11.5.1 allows SQL Injection which could result in code execution and escalation of privileges.2024-08-20
 
typecho -- typecho
 
A stored cross-site scripting (XSS) vulnerability in Typecho v1.3.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.2024-08-20
 
N/A -- N/A

 
Swissphone DiCal-RED 4009 devices allow a remote attacker to gain access to the administrative web interface via the device password's hash value, without knowing the actual device password.2024-08-22

 
N/A -- N/A

 
Swissphone DiCal-RED 4009 devices allow a remote attacker to gain a root shell via TELNET without authentication.2024-08-22

 
Azure--Microsoft Managed Instance for Apache Cassandra
 
An improper access control vulnerability in the Azure Managed Instance for Apache Cassandra allows an authenticated attacker to elevate privileges over a network.2024-08-20
 
squirrelly -- squirrelly
 
squirrellyjs squirrelly v9.0.0 and fixed in v.9.0.1 was discovered to contain a code injection vulnerability via the component options.varName.2024-08-21


 
hargal -- hargal_windows_client
 
Hargal - CWE-284: Improper Access Control2024-08-20
 
N/A -- N/A

 
Ezviz Internet PT Camera CS-CV246 D15655150 allows an unauthenticated host to access its live video stream by crafting a set of RTSP packets with a specific set of URLs that can be used to redirect the camera feed.2024-08-23

 
n/a--n/a
 
Hotel Management System commit 91caab8 was discovered to contain a SQL injection vulnerability via the room_type parameter at admin_room_removed.php.2024-08-20
 
n/a--n/a
 
Hotel Management System commit 91caab8 was discovered to contain a SQL injection vulnerability via the book_id parameter at admin_modify_room.php.2024-08-20
 
n/a--n/a
 
An issue in the login component (process_login.php) of Hotel Management System commit 79d688 allows attackers to authenticate without providing a valid password.2024-08-20
 
n/a--n/a
 
Pharmacy Management System commit a2efc8 was discovered to contain a SQL injection vulnerability via the invoice_number parameter at preview.php.2024-08-20
 
n/a--n/a
 
An arbitrary file upload vulnerability in ERP commit 44bd04 allows attackers to execute arbitrary code via uploading a crafted HTML file.2024-08-20
 
n/a--n/a
 
ERP commit 44bd04 was discovered to contain a SQL injection vulnerability via the id parameter at /index.php/basedata/contact/delete?action=delete.2024-08-20
 
arajajyothibabu -- school_management_system
 
School Management System commit bae5aa was discovered to contain a SQL injection vulnerability via the password parameter at login.php2024-08-20
 
arajajyothibabu -- school_management_system
 
School Management System commit bae5aa was discovered to contain a SQL injection vulnerability via the sid parameter at /search.php?action=2.2024-08-20
 
arajajyothibabu -- school_management_system
 
School Management System commit bae5aa was discovered to contain a SQL injection vulnerability via the transport parameter at vehicle.php.2024-08-20
 
n/a--n/a
 
School Management System commit bae5aa was discovered to contain a SQL injection vulnerability via the medium parameter at paidclass.php.2024-08-20
 
arajajyothibabu -- school_management_system
 
School Management System commit bae5aa was discovered to contain a SQL injection vulnerability via the medium parameter at admininsert.php.2024-08-20
 
n/a--n/a
 
School Management System commit bae5aa was discovered to contain a SQL injection vulnerability via the medium parameter at insertattendance.php.2024-08-20
 
arajajyothibabu -- school_management_system
 
School Management System commit bae5aa was discovered to contain a SQL injection vulnerability via the medium parameter at unitmarks.php.
2024-08-20
 
arajajyothibabu -- school_management_system
 
School Management System commit bae5aa was discovered to contain a SQL injection vulnerability via the medium parameter at dtmarks.php.
2024-08-20
 
arajajyothibabu -- school_management_system
 
School Management System commit bae5aa was discovered to contain a SQL injection vulnerability via the medium parameter at attendance.php.
2024-08-20
 
arajajyothibabu -- school_management_system
 
School Management System commit bae5aa was discovered to contain a SQL injection vulnerability via the medium parameter at substaff.php.
2024-08-20
 
nepstech -- ntpl-xpon1gfevn_firmware
 
An issue in wishnet Nepstech Wifi Router NTPL-XPON1GFEVN v1.0 allows a remote attacker to obtain sensitive information via the cookie's parameter.
2024-08-19


 
N/A -- N/A

 
Kashipara Bus Ticket Reservation System v1.0 is vulnerable to Cross Site Request Forgery (CSRF) via /deleteTicket.php.
2024-08-23

 
N/A -- N/A

 
A SQL injection vulnerability in "/login.php" of the Kashipara Bus Ticket Reservation System v1.0 allows remote attackers to execute arbitrary SQL commands and bypass Login via the "email" or "password" Login page parameters.
2024-08-23

 
N/A -- N/A

 
An Incorrect Access Control vulnerability was found in /admin/add_room_controller.php in Kashipara Hotel Management System v1.0, which allows an unauthenticated attacker to add the valid hotel room entries in the administrator section via the direct URL access.
2024-08-22

 
lopalopa -- music_management_system
 
An Unrestricted file upload vulnerability was found in "/music/ajax.php?action=signup" of Kashipara Music Management System v1.0, which allows attackers to execute arbitrary code via uploading a crafted PHP file.
2024-08-21
 
lopalopa -- music_management_system
 
A SQL injection vulnerability in "/music/ajax.php?action=login" of Kashipara Music Management System v1.0 allows remote attackers to execute arbitrary SQL commands and bypass Login via the email parameter.
2024-08-21

 
lopalopa -- music_management_system
 
A SQL injection vulnerability in "/music/ajax.php?action=find_music" in Kashipara Music Management System v1.0 allows an attacker to execute arbitrary SQL commands via the "search" parameter.
2024-08-21

 
N/A -- N/A

 
A SQL injection vulnerability in "/music/controller.php?page=view_music" in Kashipara Music Management System v1.0 allows an attacker to execute arbitrary SQL commands via the "id" parameter.
2024-08-21

 
n/a--n/a
 
In TRENDnet TEW-752DRU FW1.03B01, there is a buffer overflow vulnerability due to the lack of length verification for the service field in gena.cgi. Attackers who successfully exploit this vulnerability can cause the remote target device to crash or execute arbitrary commands.
2024-08-19
 
n/a--n/a
 
In the TP-Link RE365 V1_180213, there is a buffer overflow vulnerability due to the lack of length verification for the USER_AGENT field in /usr/bin/httpd. Attackers who successfully exploit this vulnerability can cause the remote target device to crash or execute arbitrary commands.
2024-08-19
 
Apache Software Foundation--Apache DolphinScheduler
 
Exposure of Remote Code Execution in Apache Dolphinscheduler. This issue affects Apache DolphinScheduler: before 3.2.2. We recommend users to upgrade Apache DolphinScheduler to version 3.2.2, which fixes the issue.
2024-08-20



 
azzaroco--Ultimate Membership Pro
 
Improper Privilege Management vulnerability in azzaroco Ultimate Membership Pro allows Privilege Escalation. This issue affects Ultimate Membership Pro: from n/a through 12.6.
2024-08-19
 
azzaroco--Ultimate Membership Pro
 
Deserialization of Untrusted Data vulnerability in azzaroco Ultimate Membership Pro allows Object Injection. This issue affects Ultimate Membership Pro: from n/a through 12.6.
2024-08-19
 
eyecix--JobSearch
 
Improper Privilege Management vulnerability in eyecix JobSearch allows Privilege Escalation. This issue affects JobSearch: from n/a through 2.3.4.
2024-08-19
 
Bit Apps--Bit Form Pro
 
Unrestricted Upload of File with Dangerous Type vulnerability in Bit Apps Bit Form Pro allows Command Injection. This issue affects Bit Form Pro: from n/a through 2.6.4.
2024-08-19
 
Crew HRM--Crew HRM
 
Deserialization of Untrusted Data vulnerability in Crew HRM allows Object Injection. This issue affects Crew HRM: from n/a through 1.1.1.
2024-08-19
 
Hamed Naderfar--Compute Links
 
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Hamed Naderfar Compute Links allows PHP Remote File Inclusion. This issue affects Compute Links: from n/a through 1.2.1.
2024-08-19
 
Geek Code Lab--Login As Users
 
Improper Privilege Management vulnerability in Geek Code Lab Login As Users allows Privilege Escalation. This issue affects Login As Users: from n/a through 1.4.2.
2024-08-19
 
myCred--myCred
 
Deserialization of Untrusted Data vulnerability in myCred allows Object Injection. This issue affects myCred: from n/a through 2.7.2.
2024-08-19
 
opensecurity -- mobile_security_framework
 
Mobile Security Framework (MobSF) is a pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. Before 4.0.7, there is a flaw in the Static Libraries analysis section. Specifically, during the extraction of .a extension files, the measure intended to prevent Zip Slip attacks is improperly implemented. Since the implemented measure can be bypassed, the vulnerability allows an attacker to extract files to any desired location within the server running MobSF. This vulnerability is fixed in 4.0.7.
2024-08-19

 
NicPWNs--MEGABOT
 
MEGABOT is a fully customized Discord bot for learning and fun. The `/math` command and functionality of MEGABOT versions < 1.5.0 contains a remote code execution vulnerability due to a Python `eval()`. The vulnerability allows an attacker to inject Python code into the `expression` parameter when using `/math` in any Discord channel. This vulnerability impacts any discord guild utilizing MEGABOT. This vulnerability was fixed in release version 1.5.0.
2024-08-20




 
frrouting -- frrouting
 
An issue was discovered in FRRouting (FRR) through 10.1. bgp_attr_encap in bgpd/bgp_attr.c does not check the actual remaining stream length before taking the TLV value.
2024-08-19
 
microcks -- microcks
 
In Microcks before 1.10.0, the POST /api/import and POST /api/export endpoints allow non-administrator access.
2024-08-19


 
N/A -- N/A

 
The Mirai botnet through 2024-08-19 mishandles simultaneous TCP connections to the CNC (command and control) server. Unauthenticated sessions remain open, causing resource consumption. For example, an attacker can send a recognized username (such as root), or can send arbitrary data.
2024-08-22


 
N/A -- N/A

 
An issue was discovered in UCI IDOL 2 (aka uciIDOL or IDOL2) through 2.12. Due to improper input validation, improper deserialization, and improper restriction of operations within the bounds of a memory buffer, IDOL2 is vulnerable to Denial-of-Service (DoS) attacks and possibly remote code execution. There is an access violation and EIP overwrite after five logins.
2024-08-22




 
N/A -- N/A

 
An issue was discovered in UCI IDOL 2 (aka uciIDOL or IDOL2) through 2.12. Due to improper input validation, improper deserialization, and improper restriction of operations within the bounds of a memory buffer, IDOL2 is vulnerable to Denial-of-Service (DoS) attacks and possibly remote code execution. A certain XmlMessage document causes 100% CPU consumption.
2024-08-22





 
N/A -- N/A

 
An issue was discovered in UCI IDOL 2 (aka uciIDOL or IDOL2) through 2.12. Data is transferred over a raw socket without any authentication mechanism. Thus, communication endpoints are not verifiable.
2024-08-22




 
N/A -- N/A

 
An issue was discovered in UCI IDOL 2 (aka uciIDOL or IDOL2) through 2.12. Due to improper input validation, improper deserialization, and improper restriction of operations within the bounds of a memory buffer, IDOL2 is vulnerable to Denial-of-Service (DoS) attacks and possibly remote code execution via the \xB0\x00\x3c byte sequence.
2024-08-22




 
N/A -- N/A

 
An issue was discovered in Matrix libolm (aka Olm) through 3.2.16. The AES implementation is vulnerable to cache-timing attacks due to use of S-boxes. This is related to software that uses a lookup table for the SubWord step. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
2024-08-22



 
bdthemes--Ultimate Store Kit Elementor Addons, Woocommerce Builder, EDD Builder, Elementor Store Builder, Product Grid, Product Table, Woocommerce Slider

 
The Ultimate Store Kit Elementor Addons, Woocommerce Builder, EDD Builder, Elementor Store Builder, Product Grid, Product Table, Woocommerce Slider plugin is vulnerable to PHP Object Injection via deserialization of untrusted input via the _ultimate_store_kit_compare_products cookie in versions up to, and including, 1.6.4. This makes it possible for an unauthenticated attacker to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker or above to delete arbitrary files, retrieve sensitive data, or execute code.
2024-08-21


 
Unknown--GEO my WP
 
The GEO my WP WordPress plugin before 4.5.0.2 does not prevent unauthenticated attackers from including arbitrary files in PHP's execution context, which leads to Remote Code Execution.
2024-08-19
 
WPML--WPML

 
The WPML plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.6.12 via the Twig Server-Side Template Injection. This is due to missing input validation and sanitization on the render function. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.
2024-08-21


 
Unknown--Chatbot with ChatGPT WordPress
 
The Chatbot with ChatGPT WordPress plugin before 2.4.5 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users when submitting messages to the chatbot.
2024-08-20
 
brandondove--Favicon Generator (CLOSED)

 
The Favicon Generator plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.5. This is due to missing or incorrect nonce validation on the output_sub_admin_page_0 function. This makes it possible for unauthenticated attackers to delete arbitrary files on the server via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The plugin author deleted the functionality of the plugin to patch this issue and close the plugin, we recommend seeking an alternative to this plugin.
2024-08-24

 
bitpressadmin--Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder
 
The Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder plugin for WordPress is vulnerable to arbitrary file read and deletion due to insufficient file path validation in multiple functions in versions 2.0 to 2.13.9. This makes it possible for authenticated attackers, with Administrator-level access and above, to read and delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
2024-08-20




 
jielink\+_jsotc2016_project -- jielink\+_jsotc2016
 
A vulnerability, which was classified as critical, has been found in Anhui Deshun Intelligent Technology Jieshun JieLink+ JSOTC2016 up to 20240805. This issue affects some unknown processing of the file /report/ParkChargeRecord/GetDataList. The manipulation leads to improper access controls. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
2024-08-19



 
jielink\+_jsotc2016_project -- jielink\+_jsotc2016
 
A vulnerability, which was classified as problematic, was found in Anhui Deshun Intelligent Technology Jieshun JieLink+ JSOTC2016 up to 20240805. Affected is an unknown function of the file /Report/ParkCommon/GetParkInThroughDeivces. The manipulation leads to improper access controls. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
2024-08-19



 
jielink\+_jsotc2016_project -- jielink\+_jsotc2016
 
A vulnerability has been found in Anhui Deshun Intelligent Technology Jieshun JieLink+ JSOTC2016 up to 20240805 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /report/ParkOutRecord/GetDataList. The manipulation leads to improper access controls. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
2024-08-19



 
dell -- dns-120_firmware
 
A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814 and classified as critical. Affected by this issue is the function cgi_audio_search/cgi_create_playlist/cgi_get_album_all_tracks/cgi_get_alltracks_editlist/cgi_get_artist_all_album/cgi_get_genre_all_tracks/cgi_get_tracks_list/cgi_set_airplay_content/cgi_write_playlist of the file /cgi-bin/myMusic.cgi. The manipulation leads to command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.
2024-08-19





 
project_expense_monitoring_system_project -- project_expense_monitoring_system
 
A vulnerability was found in itsourcecode Project Expense Monitoring System 1.0. It has been classified as critical. Affected is an unknown function of the file login1.php of the component Backend Login. The manipulation of the argument user leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
2024-08-19



 
project_expense_monitoring_system_project -- project_expense_monitoring_system
 
A vulnerability was found in itsourcecode Project Expense Monitoring System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file execute.php. The manipulation of the argument code leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
2024-08-19



 
project_expense_monitoring_system_project -- project_expense_monitoring_system
 
A vulnerability was found in itsourcecode Project Expense Monitoring System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file print.php. The manipulation of the argument map_id leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
2024-08-19



 
adonesevangelista -- online_blood_bank_management_system
 
A vulnerability was found in itsourcecode Online Blood Bank Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file register.php of the component User Signup. The manipulation of the argument user leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
2024-08-20



 
janobe -- point_of_sales_and_inventory_management_system
 
A vulnerability classified as critical has been found in SourceCodester Point of Sales and Inventory Management System 1.0. This affects an unknown part of the file login.php. The manipulation of the argument email leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
2024-08-20



 
SPIP--SPIP
 
The porte_plume plugin used by SPIP before 4.30-alpha2, 4.2.13, and 4.1.16 is vulnerable to an arbitrary code execution vulnerability. A remote and unauthenticated attacker can execute arbitrary PHP as the SPIP user by sending a crafted HTTP request.
2024-08-23


 
gotribe -- gotribe-admin
 
A vulnerability was found in Go-Tribe gotribe-admin 1.0 and classified as problematic. Affected by this issue is the function InitRoutes of the file internal/app/routes/routes.go of the component Log Handler. The manipulation leads to deserialization. The patch is identified as 45ac90d6d1f82716f77dbcdf8e7309c229080e3c. It is recommended to apply a patch to fix this issue.
2024-08-20





 
demozx -- gf_cms
 
A vulnerability was found in demozx gf_cms 1.0/1.0.1. It has been classified as critical. This affects the function init of the file internal/logic/auth/auth.go of the component JWT Authentication. The manipulation leads to hard-coded credentials. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.0.2 is able to address this issue. The patch is named be702ada7cb6fdabc02689d90b38139c827458a5. It is recommended to upgrade the affected component.
2024-08-20






 
Cisco--Cisco Unified Communications Manager

 
A vulnerability in the SIP call processing function of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to improper parsing of SIP messages. An attacker could exploit this vulnerability by sending a crafted SIP message to an affected Cisco Unified CM or Cisco Unified CM SME device. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition that interrupts the communications of reliant voice and video devices.
2024-08-21
 
N/A -- N/A

 
cgi-bin/fdmcgiwebv2.cgi on Swissphone DiCal-RED 4009 devices allows an authenticated attacker to gain access to arbitrary files on the device's file system.
2024-08-22

 
Manage Engine--ADAudit Plus

 
Zohocorp ManageEngine ADAudit Plus versions below 8000 are vulnerable to the authenticated SQL injection in file summary option.
2024-08-23
 
Manage Engine--ADAudit Plus

 
Zohocorp ManageEngine ADAudit Plus versions below 8000 are vulnerable to the authenticated SQL injection in dashboard. Note: This vulnerability is different from another vulnerability (CVE-2024-36516), both of which have affected ADAudit Plus' dashboard.
2024-08-23
 
Manage Engine--ADAudit Plus

 
Zohocorp ManageEngine ADAudit Plus versions below 8000 are vulnerable to the authenticated SQL injection in dashboard. Note: This vulnerability is different from another vulnerability (CVE-2024-36515), both of which have affected ADAudit Plus' dashboard.
2024-08-23
 
Manage Engine--ADAudit Plus

 
Zohocorp ManageEngine ADAudit Plus versions below 8000 are vulnerable to the authenticated SQL injection in alerts module.
2024-08-23
 
Collabora Online--Online

 
Collabora Online is a collaborative online office suite based on LibreOffice. In affected versions of Collabora Online, https connections from coolwsd to other hosts may incompletely verify the remote host's certificate against the full chain of trust. This vulnerability is fixed in Collabora Online 24.04.4.3, 23.05.14.1, and 22.05.23.1.
2024-08-23
 
Dell--Dell Power Manager

 
Dell Power Manager (DPM), versions 3.15.0 and prior, contains an Incorrect Privilege Assignment vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Code execution and Elevation of privileges.
2024-08-22
 
projectcapsule -- capsule
 
Capsule is a multi-tenancy and policy-based framework for Kubernetes. In Capsule v0.7.0 and earlier, the tenant-owner can patch any arbitrary namespace that has not been taken over by a tenant (i.e., namespaces without the ownerReference field), thereby gaining control of that namespace.
2024-08-20

 
N/A -- N/A

 
A SQL Injection vulnerability exists in the service configuration functionality in Centreon Web 24.04.x before 24.04.3, 23.10.x before 23.10.13, 23.04.x before 23.04.19, and 22.10.x before 22.10.23.
2024-08-23

 
mattermost -- mattermost
 
Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, 9.8.x <= 9.8.2 fail to sanitize user inputs in the frontend that are used for redirection which allows for a one-click client-side path traversal that is leading to CSRF in User Management page of the system console.
2024-08-22
 
Casdoor--Casdoor

 
Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. In Casdoor 1.577.0 and earlier, a logic vulnerability exists in the beego filter CorsFilter that allows any website to make cross domain requests to Casdoor as the logged in user. Due to a logic error in checking only for a prefix when authenticating the Origin header, any domain can create a valid subdomain with a valid subdomain prefix (Ex: localhost.example.com), allowing the website to make requests to Casdoor as the current signed-in user.
2024-08-20

 
usememos--memos

 
memos is a privacy-first, lightweight note-taking service. A CORS misconfiguration exists in memos 0.20.1 and earlier where an arbitrary origin is reflected with Access-Control-Allow-Credentials set to true. This may allow an attacking website to make a cross-origin request, allowing the attacker to read private information or make privileged changes to the system as the vulnerable user account. This vulnerability is fixed in 0.21.0.
2024-08-20


 
Servision--Servision IVG Webmax 1.0.57
 
Servision - CWE-287: Improper Authentication
2024-08-20
 
Apache--Hertzbeat

 
Hertzbeat is an open source, real-time monitoring system. Hertzbeat has an authenticated (user role) RCE via unsafe deserialization in /api/monitors/import. This vulnerability is fixed in 1.6.0.
2024-08-20





 

Zendesk--Samson
 
Prior to 3385, the user-controlled role parameter enters the application in the Kubernetes::RoleVerificationsController. The role parameter flows into the RoleConfigFile initializer and then into the Kubernetes::Util.parse_file method where it is unsafely deserialized using the YAML.load_stream method. This issue may lead to Remote Code Execution (RCE). This vulnerability is fixed in 3385.
2024-08-20





 
n/a--n/a
 
Hotel Management System commit 91caab8 was discovered to contain a SQL injection vulnerability via the book_id parameter at admin_room_history.php.
2024-08-20
 
n/a--n/a
 
A Cross-Site Request Forgery (CSRF) in the component admin_room_added.php of Hotel Management System commit 91caab8 allows attackers to escalate privileges.
2024-08-20
 
n/a--n/a
 
Hotel Management System commit 91caab8 was discovered to contain a SQL injection vulnerability via the room_type parameter at admin_room_added.php.
2024-08-20
 
n/a--n/a
 
A Cross-Site Request Forgery (CSRF) in the component admin_room_removed.php of Hotel Management System commit 91caab8 allows attackers to escalate privileges.
2024-08-20
 
n/a--n/a
 
Pharmacy Management System commit a2efc8 was discovered to contain a SQL injection vulnerability via the invoice_number parameter at sales_report.php.
2024-08-20
 
n/a--n/a
 
A Cross-Site Request Forgery (CSRF) in the component edit_categorie.php of Warehouse Inventory System v2.0 allows attackers to escalate privileges.
2024-08-20
 
siamonhasan -- warehouse_inventory_system
 
A Cross-Site Request Forgery (CSRF) in the component add_product.php of Warehouse Inventory System v2.0 allows attackers to escalate privileges.
2024-08-20
 
n/a--n/a
 
A Cross-Site Request Forgery (CSRF) in the component edit_product.php of Warehouse Inventory System v2.0 allows attackers to escalate privileges.
2024-08-20
 
siamonhasan -- warehouse_inventory_system
 
A Cross-Site Request Forgery (CSRF) in the component add_group.php of Warehouse Inventory System v2.0 allows attackers to escalate privileges.
2024-08-20
 
siamonhasan -- warehouse_inventory_system
 
A Cross-Site Request Forgery (CSRF) in the component edit_group.php of Warehouse Inventory System v2.0 allows attackers to escalate privileges.
2024-08-20
 
siamonhasan -- warehouse_inventory_system
 
A Cross-Site Request Forgery (CSRF) in the component delete_group.php of Warehouse Inventory System v2.0 allows attackers to escalate privileges.
2024-08-20
 
siamonhasan -- warehouse_inventory_system
 
A Cross-Site Request Forgery (CSRF) in the component delete_categorie.php of Warehouse Inventory System v2.0 allows attackers to escalate privileges.
2024-08-20
 
siamonhasan -- warehouse_inventory_system
 
A Cross-Site Request Forgery (CSRF) in the component delete_user.php of Warehouse Inventory System v2.0 allows attackers to escalate privileges.
2024-08-20
 
siamonhasan -- warehouse_inventory_system
 
A Cross-Site Request Forgery (CSRF) in the component delete_product.php of Warehouse Inventory System v2.0 allows attackers to escalate privileges.
2024-08-20
 
n/a--n/a
 
A Cross-Site Request Forgery (CSRF) in the component delete_media.php of Warehouse Inventory System v2.0 allows attackers to escalate privileges.
2024-08-20
 
n/a--n/a
 
A Cross-Site Request Forgery (CSRF) in the component categorie.php of Warehouse Inventory System v2.0 allows attackers to escalate privileges.
2024-08-20
 
pligg -- pligg_cms
 
Pligg CMS v2.0.2 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/admin_backup.php?dobackup=clearall
2024-08-20
 
pligg -- pligg_cms
 
Pligg CMS v2.0.2 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/admin_group.php?mode=delete&group_id=3
2024-08-20
 
pligg -- pligg_cms
 
Pligg CMS v2.0.2 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/edit_page.php?link_id=1
2024-08-20
 
pligg -- pligg_cms
 
Pligg CMS v2.0.2 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/admin_log.php?clear=1
2024-08-20
 
pligg -- pligg_cms
 
Pligg CMS v2.0.2 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/admin_backup.php?dobackup=database
2024-08-20
 
pligg -- pligg_cms
 
Pligg CMS v2.0.2 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/submit_page.php.
2024-08-20
 
pligg -- pligg_cms
 
Pligg CMS v2.0.2 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/admin_backup.php?dobackup=avatars
2024-08-20
 
pligg -- pligg_cms
 
Pligg CMS v2.0.2 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/admin_backup.php?dobackup=files
2024-08-20
 
pligg -- pligg_cms
 
Pligg CMS v2.0.2 was discovered to contain a Cross-Site Request Forgery (CSRF) via admin/admin_page.php?link_id=1&mode=delete
2024-08-20
 
N/A -- N/A

 
Pligg CMS v2.0.2 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/domain_management.php?whitelist_add
2024-08-20
 
pligg -- pligg_cms
 
Pligg CMS v2.0.2 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/admin_widgets.php?action=install&widget=akismet
2024-08-20
 
pligg -- pligg_cms
 
Pligg CMS v2.0.2 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/admin_widgets.php?action=remove&widget=Statistics
2024-08-20
 
pligg -- pligg_cms
 
Pligg CMS v2.0.2 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/admin_config.php?action=save&var_id=32
2024-08-20
 
pligg -- pligg_cms
 
Pligg CMS v2.0.2 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /module.php?module=karma
2024-08-20
 
N/A -- N/A

 
Pligg CMS v2.0.2 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/domain_management.php?id=0&list=whitelist&remove=pligg.com
2024-08-20
 
pligg -- pligg_cms
 
Pligg CMS v2.0.2 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/admin_editor.php
2024-08-20
 
linksys -- e1500_firmware
 
A Command Injection vulnerability exists in the do_upgrade_post function of the httpd binary in Linksys E1500 v1.0.06.001. As a result, an authenticated attacker can execute OS commands with root privileges.
2024-08-19
 
lopalopa -- music_management_system
 
An Unrestricted file upload vulnerability was found in "/music/ajax.php?action=save_playlist" in Kashipara Music Management System v1.0. This allows attackers to execute arbitrary code via uploading a crafted PHP file.
2024-08-21

 
lopalopa -- music_management_system
 
An Unrestricted file upload vulnerability was found in "/music/ajax.php?action=save_music" in Kashipara Music Management System v1.0. This allows attackers to execute arbitrary code via uploading a crafted PHP file.
2024-08-21

 
lopalopa -- music_management_system
 
An Unrestricted file upload vulnerability was found in "/music/ajax.php?action=save_genre" in Kashipara Music Management System v1.0. This allows attackers to execute arbitrary code via uploading a crafted PHP file.
2024-08-21

 
N/A -- N/A

 
A SQL injection vulnerability in "/music/view_user.php" in Kashipara Music Management System v1.0 allows an attacker to execute arbitrary SQL commands via the "id" parameter of View User Profile Page.
2024-08-21

 
N/A -- N/A

 
A host header injection vulnerability in Staff Appraisal System v1.0 allows attackers to obtain the password reset token via user interaction with a crafted password reset link. This will allow attackers to arbitrarily reset other users' passwords and compromise their accounts.
2024-08-23

 
N/A -- N/A

 
DrayTek Vigor 3900 before v1.5.1.5_Beta, DrayTek Vigor 2960 before v1.5.1.5_Beta and DrayTek Vigor 300B before v1.5.1.5_Beta were discovered to contain a command injection vulnerability via the action parameter at cgi-bin/mainfunction.cgi.
2024-08-21
 
N/A -- N/A

 
JPress through 5.1.1 on Windows has an arbitrary file upload vulnerability that could cause arbitrary code execution via ::$DATA to AttachmentController, such as a .jsp::$DATA file to io.jpress.web.commons.controller.AttachmentController#upload. NOTE: this is unrelated to the attack vector for CVE-2024-32358.
2024-08-22


 
Crocoblock--JetGridBuilder
 
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Crocoblock JetGridBuilder allows PHP Local File Inclusion. This issue affects JetGridBuilder: from n/a through 1.1.2.
2024-08-19
 
WP OnlineSupport, Essential Plugin--Timeline and History slider
 
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in WP OnlineSupport, Essential Plugin Timeline and History slider allows PHP Local File Inclusion. This issue affects Timeline and History slider: from n/a through 2.3.
2024-08-19
 
creativeon--WHMpress
 
Missing Authorization vulnerability in creativeon WHMpress allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects WHMpress: from n/a through 6.2-revision-5.
2024-08-19
 
Bit Apps--Bit Form Pro
 
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Bit Apps Bit Form Pro allows File Manipulation. This issue affects Bit Form Pro: from n/a through 2.6.4.
2024-08-19
 
Themelocation--Woo Products Widgets For Elementor
 
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Themelocation Woo Products Widgets For Elementor allows PHP Local File Inclusion. This issue affects Woo Products Widgets For Elementor: from n/a through 2.0.0.
2024-08-19
 
WPDeveloper--EmbedPress
 
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in WPDeveloper EmbedPress allows PHP Local File Inclusion. This issue affects EmbedPress: from n/a through 4.0.9.
2024-08-19
 
-- xwiki
 
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A user without script/programming right can trick a user with elevated rights to edit a content with a malicious payload using a WYSIWYG editor. The user with elevated rights is not warned beforehand that they are going to edit possibly dangerous content. The payload is executed at edit time. This vulnerability has been patched in XWiki 15.10RC1.
2024-08-19
 
kanisterio--kanister

 
Kanister is a data protection workflow management tool. Kanister has a deployment called default-kanister-operator, which is bound to a ClusterRole called edit via a ClusterRoleBinding. The "edit" ClusterRole is one of the ClusterRoles Kubernetes creates by default, and it has the create/patch/update verbs on daemonset resources, the create verb on serviceaccount/token resources, and the impersonate verb on serviceaccounts resources. A malicious user can leverage access to the worker node that hosts this component to perform a cluster-level privilege escalation.
2024-08-20

 
lf-edge--ekuiper
 
LF Edge eKuiper is a lightweight IoT data analytics and stream processing engine running on resource-constrained edge devices. A user could exploit SQL injection to execute a malicious SQL query via the Get method in sqlKvStore. This vulnerability is fixed in 1.14.2.
2024-08-20

 
n/a--n/a
 
The T-Head XuanTie C910 CPU in the TH1520 SoC and the T-Head XuanTie C920 CPU in the SOPHON SG2042 have instructions that allow unprivileged attackers to write to arbitrary physical memory locations, aka GhostWrite.
2024-08-19
 
N/A -- N/A

 
D-Link DI_8004W 16.07.26A1 contains a command execution vulnerability in the jhttpd msp_info_htm function.
2024-08-23

 
N/A -- N/A

 
D-Link DI_8004W 16.07.26A1 contains a command execution vulnerability in the jhttpd upgrade_filter_asp function.
2024-08-23

 
N/A -- N/A

 
Tenda FH1206 V1.2.0.8(8155)_EN contains a Buffer Overflow vulnerability via the function formWrlsafeset.
2024-08-23
 
Manage Engine--OpManager, Remote Monitoring and Management

 
Zohocorp ManageEngine OpManager and Remote Monitoring and Management versions 128329 and below are vulnerable to authenticated remote code execution in the deploy agent option.
2024-08-23
 
Manage Engine--ADAudit Plus

 
Zohocorp ManageEngine ADAudit Plus versions below 8121 are vulnerable to authenticated SQL injection in the account lockout report.
2024-08-23
 
Manage Engine--ADAudit Plus

 
Zohocorp ManageEngine ADAudit Plus versions below 8000 are vulnerable to authenticated SQL injection in the aggregate reports option.
2024-08-23
 
Manage Engine--ADAudit Plus

 
Zohocorp ManageEngine ADAudit Plus versions below 8000 are vulnerable to authenticated SQL injection in the reports module.
2024-08-23
 
Manage Engine--ADAudit Plus

 
Zohocorp ManageEngine ADAudit Plus versions below 8121 are vulnerable to authenticated SQL injection in the extranet lockouts report option.
2024-08-23
 
zen-cart -- zen_cart
 
Zen Cart findPluginAdminPage Local File Inclusion Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Zen Cart. Authentication is not required to exploit this vulnerability. The specific flaw exists within the findPluginAdminPage function. The issue results from the lack of proper validation of user-supplied data prior to passing it to a PHP include function. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the service account. Was ZDI-CAN-21408.
2024-08-21

 
Red Hat--Red Hat Open Container Platform 4

 
An insufficient entropy vulnerability was found in the Openshift Console. In the authorization code type and implicit grant type, the OAuth2 protocol is vulnerable to a Cross-Site Request Forgery (CSRF) attack if the state parameter is used inefficiently. This flaw allows logging into the victim's current application account using a third-party account without any restrictions.
2024-08-21

 
aukejomm--woocommerce google feed manager

 
The WooCommerce Google Feed Manager plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'wppfm_removeFeedFile' function in all versions up to, and including, 2.8.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
2024-08-23




 
magnetforensics -- axiom
 
Magnet Forensics AXIOM Command Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Magnet Forensics AXIOM. User interaction is required to exploit this vulnerability in that the target must acquire data from a malicious mobile device. The specific flaw exists within the Android device image acquisition functionality. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-23964.
2024-08-21

 
File Manager--File Manager Pro

 
The File Manager Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation and capability checks in the mk_file_folder_manager AJAX action in all versions up to, and including, 8.3.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
2024-08-23

 
logsign -- unified_secops_platform
 
Logsign Unified SecOps Platform Directory Traversal Arbitrary File Deletion Vulnerability. This vulnerability allows remote attackers to delete arbitrary files on affected installations of Logsign Unified SecOps Platform. Authentication is required to exploit this vulnerability. The specific flaw exists within the HTTP API service, which listens on TCP port 443 by default. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to delete files in the context of root. Was ZDI-CAN-25025.
2024-08-21

 
logsign -- unified_secops_platform
 
Logsign Unified SecOps Platform Directory data_export_delete_all Traversal Arbitrary File Deletion Vulnerability. This vulnerability allows remote attackers to delete arbitrary files on affected installations of Logsign Unified SecOps Platform. Authentication is required to exploit this vulnerability. The specific flaw exists within the HTTP API service, which listens on TCP port 443 by default. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to delete files in the context of root. Was ZDI-CAN-25026.
2024-08-21

 
logsign -- unified_secops_platform
 
Logsign Unified SecOps Platform Directory Traversal Arbitrary Directory Deletion Vulnerability. This vulnerability allows remote attackers to delete arbitrary directories on affected installations of Logsign Unified SecOps Platform. Authentication is required to exploit this vulnerability. The specific flaw exists within the HTTP API service, which listens on TCP port 443 by default. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to delete directories in the context of root. Was ZDI-CAN-25028.
2024-08-21

 
levantoan--imagine hotspot by devvn

 
The Image Hotspot by DevVN plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.2.5 via deserialization of untrusted input in the 'devvn_ihotspot_shortcode_func' function. This makes it possible for authenticated attackers, with Author-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
2024-08-24


 
bitpressadmin--Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder
 
The Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the iconRemove function in versions 2.0 to 2.13.4. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
2024-08-20

 
autel -- maxicharger_ac_elite_business_c50_firmware
 
Autel MaxiCharger AC Elite Business C50 AppAuthenExchangeRandomNum Stack-Based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Autel MaxiCharger AC Elite Business C50 EV chargers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the AppAuthenExchangeRandomNum BLE command. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-23384.
2024-08-21
 
levelfourstorefront--Shopping Cart & eCommerce Store
 
The Shopping Cart & eCommerce Store plugin for WordPress is vulnerable to boolean-based SQL Injection via the 'model_number' parameter in all versions up to, and including, 5.7.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
2024-08-20



 
oretnom23 -- clinic_patient_management_system
 
A vulnerability has been found in SourceCodester Clinics Patient Management System 1.0 and classified as critical. This vulnerability affects unknown code of the file /pms/ajax/get_packings.php. The manipulation of the argument medicine_id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
2024-08-19



 
tamparongj_03 -- online_graduate_tracer_system
 
A vulnerability was found in SourceCodester Online Graduate Tracer System 1.0 and classified as critical. This issue affects some unknown processing of the file /tracking/admin/view_csprofile.php. The manipulation of the argument id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
2024-08-19



 
adonesevangelista -- laravel_property_management_system
 
A vulnerability was found in itsourcecode Laravel Property Management System 1.0. It has been classified as critical. Affected is the function UpdateDocumentsRequest of the file DocumentsController.php. The manipulation leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
2024-08-20



 
tamparongj_03 -- online_graduate_tracer_system
 
A vulnerability, which was classified as critical, was found in SourceCodester Online Graduate Tracer System up to 1.0. Affected is an unknown function of the file /tracking/admin/fetch_genderit.php. The manipulation of the argument request leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
2024-08-20




 
google -- chrome
 
Use after free in Passwords in Google Chrome on Android prior to 128.0.6613.84 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
2024-08-21

 
Google--Chrome

Inappropriate implementation in V8 in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
2024-08-21

 
google -- chrome
 
Out of bounds memory access in Skia in Google Chrome prior to 128.0.6613.84 allowed a remote attacker who had compromised the renderer process to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)
2024-08-21

 
Google--Chrome

 
Heap buffer overflow in Fonts in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
2024-08-21

 
google -- chrome
 
Use after free in Autofill in Google Chrome prior to 128.0.6613.84 allowed a remote attacker who had convinced the user to engage in specific UI interactions to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
2024-08-21

 
google -- chrome
 
Type Confusion in V8 in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
2024-08-21

 
Google--Chrome

 
Type confusion in V8 in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
2024-08-21

 
Google--Chrome

 
Inappropriate implementation in V8 in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Medium)
2024-08-21

 
Google--Chrome

 
Heap buffer overflow in PDFium in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to perform an out of bounds memory read via a crafted PDF file. (Chromium security severity: Medium)
2024-08-21

 
google -- chrome
 
Insufficient data validation in V8 API in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to potentially exploit heap corruption via a crafted Chrome Extension. (Chromium security severity: Medium)
2024-08-21

 
redhat -- openstack_platform
 
A flaw was found in the Red Hat OpenStack Platform (RHOSP) director. This vulnerability allows an attacker to deploy potentially compromised container images via disabling TLS certificate verification for registry mirrors, which could enable a man-in-the-middle (MITM) attack.
2024-08-21

 
TOTOLINK--AC1200 T8

 
A vulnerability was found in TOTOLINK AC1200 T8 4.1.5cu.862_B20230228 and classified as critical. Affected by this issue is the function setDiagnosisCfg. The manipulation leads to buffer overflow. The attack may be launched remotely. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
2024-08-22



 
TOTOLINK--AC1200 T8

 
A vulnerability was found in TOTOLINK AC1200 T8 4.1.5cu.862_B20230228. It has been declared as critical. This vulnerability affects the function setTracerouteCfg. The manipulation leads to buffer overflow. The attack can be initiated remotely. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
2024-08-22



 
TOTOLINK--AC1200 T8

 
A vulnerability was found in TOTOLINK AC1200 T8 4.1.5cu.862_B20230228. It has been rated as critical. This issue affects the function exportOvpn. The manipulation leads to buffer overflow. The attack may be initiated remotely. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
2024-08-22




 
microfocus -- netiq_privileged_access_manager
 
A vulnerability was found in OpenText Privileged Access Manager that issues a token. On successful issuance of the token, a cookie is set that allows unrestricted access to all the application resources. This issue affects Privileged Access Manager before 3.7.0.1.
2024-08-21
 
microfocus -- netiq_privileged_access_manager
 
An SSH-authenticated user accessing the PAM server can execute an OS command to gain full system access using bash. This issue affects Privileged Access Manager before 3.7.0.1.
2024-08-21
 
adegans--AdRotate Banner Manager The only ad manager you'll need
 
The AdRotate Banner Manager - The only ad manager you'll need plugin for WordPress is vulnerable to arbitrary file uploads due to missing file extension sanitization in the adrotate_insert_media() function in all versions up to, and including, 5.13.2. This makes it possible for authenticated attackers, with administrator-level access and above, to upload arbitrary files with double extensions on the affected site's server which may make remote code execution possible. This is only exploitable on select instances where the configuration will execute the first extension present.
2024-08-20

 
linux -- linux_kernel
 
In the Linux kernel, the following vulnerability has been resolved: RDMA/cma: Do not change route.addr.src_addr outside state checks If the state is not idle then resolve_prepare_src() should immediately fail and no change to global state should happen. However, it unconditionally overwrites the src_addr trying to build a temporary any address. For instance if the state is already RDMA_CM_LISTEN then this will corrupt the src_addr and would cause the test in cma_cancel_operation(): if (cma_any_addr(cma_src_addr(id_priv)) && !id_priv->cma_dev) Which would manifest as this trace from syzkaller: BUG: KASAN: use-after-free in __list_add_valid+0x93/0xa0 lib/list_debug.c:26 Read of size 8 at addr ffff8881546491e0 by task syz-executor.1/32204 CPU: 1 PID: 32204 Comm: syz-executor.1 Not tainted 5.12.0-rc8-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0x141/0x1d7 lib/dump_stack.c:120 print_address_description.constprop.0.cold+0x5b/0x2f8 mm/kasan/report.c:232 __kasan_report mm/kasan/report.c:399 [inline] kasan_report.cold+0x7c/0xd8 mm/kasan/report.c:416 __list_add_valid+0x93/0xa0 lib/list_debug.c:26 __list_add include/linux/list.h:67 [inline] list_add_tail include/linux/list.h:100 [inline] cma_listen_on_all drivers/infiniband/core/cma.c:2557 [inline] rdma_listen+0x787/0xe00 drivers/infiniband/core/cma.c:3751 ucma_listen+0x16a/0x210 drivers/infiniband/core/ucma.c:1102 ucma_write+0x259/0x350 drivers/infiniband/core/ucma.c:1732 vfs_write+0x28e/0xa30 fs/read_write.c:603 ksys_write+0x1ee/0x250 fs/read_write.c:658 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xae This is indicating that an rdma_id_private was destroyed without doing cma_cancel_listens(). 
Instead of trying to re-use the src_addr memory to indirectly create an any address derived from the dst build one explicitly on the stack and bind to that as any other normal flow would do. rdma_bind_addr() will copy it over the src_addr once it knows the state is valid. This is similar to commit bc0bdc5afaa7 ("RDMA/cma: Do not change route.addr.src_addr.ss_family")
2024-08-22



 
linux -- linux_kernel
 
In the Linux kernel, the following vulnerability has been resolved: usb: gadget: rndis: add spinlock for rndis response list There's no lock for rndis response list. It could cause list corruption if there're two different list_add at the same time like below. It's better to add in rndis_add_response / rndis_free_response / rndis_get_next_response to prevent any race condition on response list. [ 361.894299] [1: irq/191-dwc3:16979] list_add corruption. next->prev should be prev (ffffff80651764d0), but was ffffff883dc36f80. (next=ffffff80651764d0). [ 361.904380] [1: irq/191-dwc3:16979] Call trace: [ 361.904391] [1: irq/191-dwc3:16979] __list_add_valid+0x74/0x90 [ 361.904401] [1: irq/191-dwc3:16979] rndis_msg_parser+0x168/0x8c0 [ 361.904409] [1: irq/191-dwc3:16979] rndis_command_complete+0x24/0x84 [ 361.904417] [1: irq/191-dwc3:16979] usb_gadget_giveback_request+0x20/0xe4 [ 361.904426] [1: irq/191-dwc3:16979] dwc3_gadget_giveback+0x44/0x60 [ 361.904434] [1: irq/191-dwc3:16979] dwc3_ep0_complete_data+0x1e8/0x3a0 [ 361.904442] [1: irq/191-dwc3:16979] dwc3_ep0_interrupt+0x29c/0x3dc [ 361.904450] [1: irq/191-dwc3:16979] dwc3_process_event_entry+0x78/0x6cc [ 361.904457] [1: irq/191-dwc3:16979] dwc3_process_event_buf+0xa0/0x1ec [ 361.904465] [1: irq/191-dwc3:16979] dwc3_thread_interrupt+0x34/0x5c
2024-08-22
 
linux -- linux_kernel
 
In the Linux kernel, the following vulnerability has been resolved: iio: adc: tsc2046: fix memory corruption by preventing array overflow On one side we have indio_dev->num_channels includes all physical channels + timestamp channel. On other side we have an array allocated only for physical channels. So, fix memory corruption by ARRAY_SIZE() instead of num_channels variable. Note the first case is a cleanup rather than a fix as the software timestamp channel bit in active_scanmask is never set by the IIO core.
2024-08-22


 
linux -- linux_kernel
 
In the Linux kernel, the following vulnerability has been resolved: KVM: x86/mmu: make apf token non-zero to fix bug In current async pagefault logic, when a page is ready, KVM relies on kvm_arch_can_dequeue_async_page_present() to determine whether to deliver a READY event to the Guest. This function test token value of struct kvm_vcpu_pv_apf_data, which must be reset to zero by Guest kernel when a READY event is finished by Guest. If value is zero meaning that a READY event is done, so the KVM can deliver another. But the kvm_arch_setup_async_pf() may produce a valid token with zero value, which is confused with previous mention and may lead the loss of this READY event. This bug may cause task blocked forever in Guest: INFO: task stress:7532 blocked for more than 1254 seconds. Not tainted 5.10.0 #16 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:stress state:D stack: 0 pid: 7532 ppid: 1409 flags:0x00000080 Call Trace: __schedule+0x1e7/0x650 schedule+0x46/0xb0 kvm_async_pf_task_wait_schedule+0xad/0xe0 ? exit_to_user_mode_prepare+0x60/0x70 __kvm_handle_async_pf+0x4f/0xb0 ? asm_exc_page_fault+0x8/0x30 exc_page_fault+0x6f/0x110 ? asm_exc_page_fault+0x8/0x30 asm_exc_page_fault+0x1e/0x30 RIP: 0033:0x402d00 RSP: 002b:00007ffd31912500 EFLAGS: 00010206 RAX: 0000000000071000 RBX: ffffffffffffffff RCX: 00000000021a32b0 RDX: 000000000007d011 RSI: 000000000007d000 RDI: 00000000021262b0 RBP: 00000000021262b0 R08: 0000000000000003 R09: 0000000000000086 R10: 00000000000000eb R11: 00007fefbdf2baa0 R12: 0000000000000000 R13: 0000000000000002 R14: 000000000007d000 R15: 0000000000001000
2024-08-22



 
dell -- repository_manager
 
Dell Repository Manager version 3.4.2 and earlier contains a Local Privilege Escalation Vulnerability in the Installation module. A local low-privileged attacker may potentially exploit this vulnerability, leading to the execution of an arbitrary executable on the operating system with high privileges using the existing vulnerability in the operating system. Exploitation may lead to unavailability of the service.
2024-08-21
 
N/A -- N/A

 
Buffer Overflow vulnerability found in Kemptechnologies Loadmaster before v.7.2.60.0 allows a remote attacker to cause a denial of service via the libkemplink.so, isreverse library.
2024-08-21


 
apache -- seatunnel
 
MySQL security vulnerability in Apache SeaTunnel. Attackers can read files on the MySQL server by modifying the information in the MySQL URL: allowLoadLocalInfile=true&allowUrlInLocalInfile=true&allowLoadLocalInfileInPath=/&maxAllowedPacket=655360. This issue affects Apache SeaTunnel: 1.0.0. Users are recommended to upgrade to version [1.0.1], which fixes the issue.
2024-08-21
 
Joomla! Project--Joomla! CMS

 
Improper Access Controls allows backend users to overwrite their username when disallowed.
2024-08-20
 
google -- android
 
In sendDeviceState_1_6 of RadioExt.cpp, there is a possible use after free due to improper locking. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
2024-08-19
 
AMI--AptioV

 
The DXE module SmmComputrace contains a vulnerability that allows local attackers to leak stack or global memory. This could lead to privilege escalation, arbitrary code execution, and bypassing OS security mechanisms.
2024-08-21
 
AMI--AptioV

 
This SMM vulnerability affects certain modules, allowing privileged attackers to execute arbitrary code, manipulate stack memory, and leak information from SMRAM to kernel space, potentially leading to denial-of-service attacks.
2024-08-21
 
keyfactor -- command
 
Keyfactor Command 10.5.x before 10.5.1 and 11.5.x before 11.5.1 allows SQL Injection which could result in information disclosure.
2024-08-20
 
N/A -- N/A

 
Swissphone DiCal-RED 4009 devices allow a remote attacker to gain read access to almost the whole file system via anonymous FTP.
2024-08-22

 
autodesk -- revit
 
A maliciously crafted DWG file, when parsed in Revit, can force a stack-based buffer overflow. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process.
2024-08-21
 
Microsoft--Microsoft Edge Chromium-based

 
Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
2024-08-22
 
Microsoft--Microsoft Edge Chromium-based

 
Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
2024-08-22
 
Dell--SupportAssist for Home PCs

 
Dell SupportAssist for Home PCs Installer exe version 4.0.3 contains a privilege escalation vulnerability in the installer. A local low-privileged authenticated attacker could potentially exploit this vulnerability, leading to the execution of arbitrary executables on the operating system with elevated privileges.
2024-08-21
 
ibm -- sterling_connect_direct_web_services
 
IBM Sterling Connect:Direct Web Services 6.0, 6.1, 6.2, and 6.3 use weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.
2024-08-22

 
Avtec--Outpost 0810

 
Avtec Outpost stores sensitive information in an insecure location without proper access controls in place.
2024-08-22
 
Barix--Barix SIP Client Web Management Interface UI
 
Barix - CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
2024-08-20
 
keyfactor -- aws_orchestrator
 
Keyfactor AWS Orchestrator through 2.0 allows Information Disclosure.
2024-08-20
 
Apache--Hertzbeat

 
Hertzbeat is an open source, real-time monitoring system. Hertzbeat 1.6.0 and earlier declares a /api/monitor/{monitorId}/metric/{metricFull} endpoint to download job metrics. In the process, it executes a SQL query with user-controlled data, allowing for SQL injection.
2024-08-20



 
Avtec--Outpost 0810

 
Avtec Outpost uses a default cryptographic key that can be used to decrypt sensitive information.
2024-08-22
 
goauthentik--authenik

 
authentik is an open-source Identity Provider. Several API endpoints can be accessed by users without correct authentication/authorization. The main API endpoints affected by this are /api/v3/crypto/certificatekeypairs/<uuid>/view_certificate/, /api/v3/crypto/certificatekeypairs/<uuid>/view_private_key/, and /api/v3/.../used_by/. Note that all of the affected API endpoints require the knowledge of the ID of an object, which especially for certificates is not accessible to an unprivileged user. Additionally the IDs for most objects are UUIDv4, meaning they are not easily guessable/enumerable. authentik 2024.4.4, 2024.6.4 and 2024.8.0 fix this issue.
2024-08-22


 
N/A -- N/A

 
publiccms V4.0.202302.e and before is vulnerable to Any File Upload via publiccms/admin/cmsTemplate/saveMetaData
2024-08-23

 
n/a--n/a
 
ERP commit 44bd04 was discovered to contain a SQL injection vulnerability via the id parameter at /index.php/basedata/inventory/delete?action=delete.
2024-08-20
 
N/A -- N/A

 
DedeCMS V5.7.115 has a command execution vulnerability via file_manage_view.php?fmdo=newfile&activepath.
2024-08-23
 
nepstech -- ntpl-xpon1gfevn_firmware
 
An issue in wishnet Nepstech Wifi Router NTPL-XPON1GFEVN v1.0 allows a remote attacker to obtain sensitive information via the lack of encryption during the login process.
2024-08-19


 
N/A -- N/A

 
Kashipara Hotel Management System v1.0 is vulnerable to Unrestricted File Upload RCE via /admin/add_room_controller.php.
2024-08-22

 
N/A -- N/A

 
An Incorrect Access Control vulnerability was found in /admin/rooms.php in Kashipara Hotel Management System v1.0, which allows an unauthenticated attacker to view valid hotel room entries in the administrator section.
2024-08-22

 
N/A -- N/A

 
An Incorrect Access Control vulnerability was found in /admin/delete_room.php in Kashipara Hotel Management System v1.0, which allows an unauthenticated attacker to delete valid hotel room entries in the administrator section.
2024-08-22

 
N/A -- N/A

 
Kashipara Hotel Management System v1.0 is vulnerable to Incorrect Access Control via /admin/users.php.
2024-08-22

 
N/A -- N/A

 
A SQL injection vulnerability in /music/index.php?page=view_playlist in Kashipara Music Management System v1.0 allows an attacker to execute arbitrary SQL commands via the "id" parameter.
2024-08-21

 
N/A -- N/A

 
An issue in the downloader.php component of TOSEI online store management system v4.02, v4.03, and v4.04 allows attackers to execute a directory traversal.
2024-08-21
 
Bit Apps--Bit Form Pro
 
Incorrect Authorization vulnerability in Bit Apps Bit Form Pro bitformpro allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Bit Form Pro: from n/a through 2.6.4.
2024-08-19
 
nouthemes--Leopard - WordPress offload media
 
Missing Authorization vulnerability in nouthemes Leopard - WordPress offload media allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Leopard - WordPress offload media: from n/a through 2.0.36.
2024-08-19
 
PluginOps--Landing Page Builder
 
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in PluginOps Landing Page Builder allows PHP Local File Inclusion. This issue affects Landing Page Builder: from n/a through 1.5.2.0.
2024-08-19
 
floraison -- fugit
 
fugit contains time tools for flor and the floraison group. The fugit "natural" parser, that turns "every wednesday at 5pm" into "0 17 * * 3", accepted any length of input and went on attempting to parse it, not returning promptly, as expected. The parse call could hold the thread with no end in sight. Fugit dependents that do not check (user) input length for plausibility are impacted. A fix was released in fugit 1.11.1.
2024-08-19


 
Eugeny--Russh

 
Russh is a Rust SSH client & server library. Allocating an untrusted amount of memory allows any unauthenticated user to OOM a russh server. An SSH packet consists of a 4-byte big-endian length, followed by a byte stream of this length. After parsing and potentially decrypting the 4-byte length, russh allocates enough memory for this bytestream, as a performance optimization to avoid reallocations later. But this length is entirely untrusted and can be set to any value by the client, causing this much memory to be allocated, which will cause the process to OOM within a few such requests. This vulnerability is fixed in 0.44.1.
2024-08-21

 
Microsoft--Microsoft Entra

 
Improper access control in Decentralized Identity Services allows an unauthenticated attacker to disable Verifiable ID's on another tenant.
2024-08-23
 
openedx--openedx-translations

 
This openedx-translations repository contains translation files from Open edX repositories to be kept in sync with Transifex. Before moving to pulling translations from the openedx-translations repository via openedx-atlas, translations in the edx-platform repository were validated using edx-i18n-tools. This validation included protection against malformed translations and translations-based script injections. Prior to this patch, the validation implemented in the openedx-translations repository did not include the same protections. The maintainer inspected the translations in the edx-platform directory of both the main and open-release/redwood.master branches of the openedx-translations repository and found no evidence of exploited translation strings.
Published: 2024-08-23


 
steveklabnik--request_store

 
RequestStore provides per-request global storage for Rack. The files published as part of request_store 1.3.2 have 0666 permissions, meaning that they are world-writable, which allows local users to execute arbitrary code. This version was published in 2017, and most production environments do not allow access for local users, so the chances of this being exploited are very low, given that the vast majority of users will have upgraded, and those that have not, if any, are not likely to be exposed.
Published: 2024-08-23
 
rust-bitcoin -- miniscript
 
The Miniscript (aka rust-miniscript) library before 12.2.0 for Rust allows stack consumption because it does not properly track tree depth.
Published: 2024-08-19


 
hex-rays -- ida_pro
 
ida64.dll in Hex-Rays IDA Pro through 8.4 crashes when there is a section that has many jumps linked, and the final jump corresponds to the payload from where the actual entry point will be invoked. NOTE: in many use cases, this is an inconvenience but not a security issue.
Published: 2024-08-19
 
N/A -- N/A

 
Tenda FH1206 V1.2.0.8(8155)_EN contains a Buffer Overflow vulnerability via the function fromSetIpBind.
Published: 2024-08-23
 
N/A -- N/A

 
Guest users in the Mage AI framework that remain logged in after their accounts are deleted are mistakenly given high privileges and specifically given access to remotely execute arbitrary code through the Mage AI terminal server.
Published: 2024-08-23
 
N/A -- N/A

 
An issue was discovered in Matrix libolm (aka Olm) through 3.2.16. Cache-timing attacks can occur due to use of base64 when decoding group session keys. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Published: 2024-08-22



 
zephyrproject-rtos--Zephyr
 
BT: Missing Check in LL_CONNECTION_UPDATE_IND Packet Leads to Division by Zero
Published: 2024-08-19
 
vipre -- advanced_security
 
VIPRE Advanced Security PMAgent Link Following Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of VIPRE Advanced Security. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the Patch Management Agent. By creating a symbolic link, an attacker can abuse the agent to delete a file. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-22315.
Published: 2024-08-21

 
vipre -- advanced_security
 
VIPRE Advanced Security PMAgent Uncontrolled Search Path Element Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of VIPRE Advanced Security. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the Patch Management Agent. The issue results from loading a file from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-22316.
Published: 2024-08-21

 
vipre -- advanced_security
 
VIPRE Advanced Security Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of VIPRE Advanced Security. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the Anti Malware Service. The issue results from incorrect permissions on a file. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-22345.
Published: 2024-08-21

 
windscribe -- windscribe
 
Windscribe Directory Traversal Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Windscribe. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the Windscribe Service. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-23441.
Published: 2024-08-21

 
nissan-global -- blind_spot_protection_sensor_ecu_firmware
 
Predictable seed generation in the security access mechanism of UDS in the Blind Spot Protection Sensor ECU in Nissan Altima (2022) allows attackers to predict the requested seeds and bypass security controls via repeated ECU resets and seed requests.
Published: 2024-08-19
 
Unknown--AI Engine
 
AI Engine < 2.4.3 is susceptible to remote-code-execution (RCE) via Log Poisoning. The AI Engine WordPress plugin before 2.5.1 fails to validate the file extension of "logs_path", allowing Administrators to change log filetypes from .log to .php.
Published: 2024-08-19
 
irfanview -- irfanview
 
IrfanView WSQ File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of WSQ files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-24192.
Published: 2024-08-21
 
irfanview -- irfanview
 
IrfanView WSQ File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of WSQ files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-23273.
Published: 2024-08-21
 
Schneider Electric--Accutech Manager
 
CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability exists that could cause a crash of the Accutech Manager when receiving a specially crafted request over port 2536/TCP.
Published: 2024-08-20
 
Panasonic Holdings Corporation--Control FPWIN Pro

 
Stack-based buffer overflow in Control FPWIN Pro version 7.7.2.0 and all previous versions may allow attackers to execute arbitrary code via a specially crafted project file.
Published: 2024-08-21

 
liquidpoll -- LiquidPoll – Polls, Surveys, NPS and Feedback Reviews

 
The LiquidPoll - Polls, Surveys, NPS and Feedback Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'form_data' parameter in all versions up to, and including, 3.3.78 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2024-08-21


 
Autodesk--AutoCAD
 
A maliciously crafted DWF file, when parsed in AdDwfPdk.dll through Autodesk AutoCAD, can force an Out-of-Bounds Write. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process.
Published: 2024-08-20
 
presstigers -- Simple Job Board

 
The Simple Job Board plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.12.3 via deserialization of untrusted input when editing job applications. This makes it possible for authenticated attackers, with Editor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
Published: 2024-08-24

 
acyba--acymailing

 
The AcyMailing - An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the acym_extractArchive function in all versions up to, and including, 9.7.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Published: 2024-08-22





 
python -- python
 
There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value.
Published: 2024-08-19


 
logsign -- unified_secops_platform
 
Logsign Unified SecOps Platform Incorrect Authorization Authentication Bypass Vulnerability. This vulnerability allows local attackers to bypass authentication on affected installations of Logsign Unified SecOps Platform. Authentication is required to exploit this vulnerability. The specific flaw exists within the HTTP API service, which listens on TCP port 443 by default. The issue results from the lack of proper validation of the user's license expiration date. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-25029.
Published: 2024-08-21

 
bitpressadmin--Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder
 
The Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder plugin for WordPress is vulnerable to generic SQL Injection via the entryID parameter in versions 2.0 to 2.13.9 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries to already existing queries that can be used to extract sensitive information from the database.
Published: 2024-08-20

 
bitpressadmin--Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder
 
The Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder plugin for WordPress is vulnerable to generic SQL Injection via the id parameter in versions 2.0 to 2.13.9 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2024-08-20



 
redhat -- build_of_apache_camel_-_hawtio
 
A vulnerability was found in Undertow where the ProxyProtocolReadListener reuses the same StringBuilder instance across multiple requests. This issue occurs when the parseProxyProtocolV1 method processes multiple requests on the same HTTP connection. As a result, different requests may share the same StringBuilder instance, potentially leading to information leakage between requests or responses. In some cases, a value from a previous request or response may be erroneously reused, which could lead to unintended data exposure. This issue primarily results in errors and connection termination but creates a risk of data leakage in multi-request environments.
Published: 2024-08-21

 
zzcms -- zzcms
 
A vulnerability was found in ZZCMS 2023. It has been declared as critical. This vulnerability affects unknown code of the file /I/list.php. The manipulation of the argument skin leads to path traversal. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Published: 2024-08-19



 
zzcms -- zzcms
 
A vulnerability was found in ZZCMS 2023. It has been rated as problematic. This issue affects some unknown processing of the file 3/E_bak5.1/upload/eginfo.php. The manipulation of the argument phome with the input ShowPHPInfo leads to information disclosure. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
Published: 2024-08-19



 
n/a--ZZCMS
 
A vulnerability classified as critical has been found in ZZCMS 2023. Affected is an unknown function of the file /admin/about_edit.php?action=modify. The manipulation of the argument skin leads to path traversal. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Published: 2024-08-19



 
n/a--ZZCMS
 
A vulnerability classified as critical was found in ZZCMS 2023. Affected by this vulnerability is an unknown functionality of the file /admin/class.php?dowhat=modifyclass. The manipulation of the argument skin[] leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Published: 2024-08-19



 
google -- chrome
 
Insufficient data validation in Installer in Google Chrome on Windows prior to 128.0.6613.84 allowed a local attacker to perform privilege escalation via a malicious file. (Chromium security severity: Medium)
Published: 2024-08-21

 
Google -- Chrome

 
Insufficient data validation in Installer in Google Chrome on Windows prior to 128.0.6613.84 allowed a local attacker to perform privilege escalation via a crafted symbolic link. (Chromium security severity: Medium)
Published: 2024-08-21

 
Google -- Chrome

 
Insufficient data validation in Installer in Google Chrome on Windows prior to 128.0.6613.84 allowed a local attacker to perform privilege escalation via a crafted symbolic link. (Chromium security severity: Medium)
Published: 2024-08-21

 
mattermost -- mattermost
 
Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 and 9.8.x <= 9.8.2 fail to restrict which roles can promote a user as system admin which allows a System Role with edit access to the permissions section of system console to update their role (e.g. member) to include the `manage_system` permission, effectively becoming a System Admin.
Published: 2024-08-22
 
itsourcecode-- Payroll Management System

 
A vulnerability classified as critical was found in itsourcecode Payroll Management System 1.0. Affected by this vulnerability is an unknown functionality of the file login.php. The manipulation of the argument username leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Published: 2024-08-22




 
SourceCodester -- E-Commerce System

 
A vulnerability has been found in SourceCodester E-Commerce System 1.0 and classified as critical. This vulnerability affects unknown code of the file /ecommerce/admin/login.php of the component Admin Login. The manipulation of the argument user_email leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Published: 2024-08-22




 
Python Software Foundation-- CPython

 
There is a HIGH severity vulnerability affecting the CPython "zipfile" module. When iterating over names of entries in a zip archive (for example, methods of "zipfile.ZipFile" like "namelist()", "iterdir()", "extractall()", etc) the process can be put into an infinite loop with a maliciously crafted zip archive. This defect applies when reading only metadata or extracting the contents of the zip archive. Programs that are not handling user-controlled zip archives are not affected.
Published: 2024-08-22






 


Medium Vulnerabilities

Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info
microfocus -- netiq_self_service_password_reset
 
Improper Input Validation vulnerability in OpenText Self Service Password Reset allows Cross-Site Scripting (XSS). This issue affects Self Service Password Reset before 4.5.0.2 and 4.4.0.6.
Published: 2024-08-21
 
IBM--App Connect Enterprise Certified Container
 
IBM App Connect Enterprise Certified Container 5.0, 7.1, 7.2, 8.0, 8.1, 8.2, 9.0, 9.1, 9.2, 10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 11.4, 11.5, 11.6, 12.0, and 12.1 does not limit calls to unshare in running Pods. This can allow a user with access to execute commands in a running Pod to elevate their user privileges.
Published: 2024-08-24

 
themebeez -- Orchid Store

 
The String locator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'sql-column' parameter in all versions up to, and including, 2.6.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. This required WP_DEBUG to be enabled in order to be exploited.
Published: 2024-08-24

 
Cisco -- Cisco Identity Services Engine Software

 
Multiple vulnerabilities in the REST API of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to conduct blind SQL injection attacks. These vulnerabilities are due to insufficient validation of user-supplied input in REST API calls. An attacker could exploit these vulnerabilities by sending crafted input to an affected device. A successful exploit could allow the attacker to view or modify data on the affected device.
Published: 2024-08-21
 
Cisco--Cisco Identity Services Engine

 
A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to obtain sensitive information from an affected device. This vulnerability is due to improper enforcement of administrative privilege levels for high-value sensitive data. An attacker with read-only Administrator privileges for the web-based management interface on an affected device could exploit this vulnerability by browsing to a page that contains sensitive data. A successful exploit could allow the attacker to collect sensitive information regarding the configuration of the system.
Published: 2024-08-21
 
Cisco--Cisco Identity Services Engine

 
A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device. This vulnerability is due to insufficient CSRF protections for the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a crafted link. A successful exploit could allow the attacker to perform arbitrary actions on the affected device with the privileges of the targeted user.
Published: 2024-08-21
 
Cisco--Cisco Unified Communications Manager

 
A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.
Published: 2024-08-21
 
risetheme--RT Easy Builder

 
The RT Easy Builder - Advanced addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widgets in all versions up to, and including, 2.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2024-08-24

 
heytap -- internet_browser
 
The ColorOS Internet Browser com.heytap.browser application 45.10.3.4.1 for Android allows a remote attacker to execute arbitrary JavaScript code via the com.android.browser.RealBrowserActivity component.
Published: 2024-08-19

 
Ericsson--Packet Core Controller
 
Ericsson Packet Core Controller (PCC) contains a vulnerability in Access and Mobility Management Function (AMF) where improper input validation can lead to denial of service which may result in service degradation.
Published: 2024-08-20
 
ibm -- openpages_grc_platform
 
IBM OpenPages with Watson 8.3 and 9.0 could allow authenticated users access to sensitive information through improper authorization controls on APIs.
Published: 2024-08-22

 
n/a--n/a
 
Typecho v1.3.0 was discovered to contain a race condition vulnerability in the post commenting function. This vulnerability allows attackers to post several comments before the spam protection checks if the comments are posted too frequently.
Published: 2024-08-19

 
N/A -- N/A

 
An issue was discovered on Swissphone DiCal-RED 4009 devices. An attacker with access to the file /etc/deviceconfig may recover the administrative device password via password-cracking methods, because unsalted MD5 is used.
Published: 2024-08-22

 
Microsoft--Microsoft Edge

 
Microsoft Edge (HTML-based) Memory Corruption Vulnerability
Published: 2024-08-23
 
Microsoft--Microsoft Edge

 
Microsoft Edge for Android Spoofing Vulnerability
Published: 2024-08-22
 
Spring--springboot

 
Applications that use spring-boot-loader or spring-boot-loader-classic and contain custom code that performs signature verification of nested jar files may be vulnerable to signature forgery where content that appears to have been signed by one signer has, in fact, been signed by another.
Published: 2024-08-23
 
spring--spring security
 
Missing Authorization When Using @AuthorizeReturnObject in Spring Security 6.3.0 and 6.3.1 allows an attacker to render security annotations ineffective.
Published: 2024-08-20
 
Manage Engine--Service Engine Desk Plus

 
A Stored Cross-site Scripting vulnerability affects Zohocorp ManageEngine ServiceDesk Plus, ServiceDesk Plus MSP and SupportCenter Plus. This issue affects ServiceDesk Plus versions: through 14810; ServiceDesk Plus MSP: through 14800; SupportCenter Plus: through 14800.
Published: 2024-08-23
 
mattermost -- mattermost
 
Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 and 9.8.x <= 9.8.2 fail to ensure that remote/synthetic users cannot create sessions or reset passwords, which allows the munged email addresses, created by shared channels, to be used to receive email notifications and to reset passwords, when they are valid, functional emails.
Published: 2024-08-22
 
Manage Engine--Service Engine Desk Plus


 
A Stored Cross-site Scripting vulnerability in request module affects Zohocorp ManageEngine ServiceDesk Plus, ServiceDesk Plus MSP and SupportCenter Plus. This issue affects ServiceDesk Plus versions: through 14810; ServiceDesk Plus MSP: through 14800; SupportCenter Plus: through 14800.
Published: 2024-08-23
 
casdoor--casdoor

 
Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. In Casdoor 1.577.0 and earlier, the purchase URL that is created to generate a WechatPay QR code is vulnerable to reflected XSS. When purchasing an item through casdoor, the product page allows you to pay via wechat pay. When using wechat pay, a QR code with the wechat pay link is displayed on the payment page, hosted on the domain of casdoor. This page takes a query parameter from the url successUrl, and redirects the user to that url after a successful purchase. Because the user has no reason to think that the payment page contains sensitive information, they may share it with others or can be social engineered into sending it to others. An attacker can then craft the casdoor link with a special url and send it back to the user, and once payment has gone through an XSS attack occurs.
Published: 2024-08-20

 
okfn -- ckan
 
CKAN is an open-source data management system for powering data hubs and data portals. The Datatables view plugin did not properly escape record data coming from the DataStore, leading to a potential XSS vector. Sites running CKAN >= 2.7.0 with the datatables_view plugin activated are affected. This is a plugin included in CKAN core that is not activated by default but is widely used to preview tabular data. This vulnerability has been fixed in CKAN 2.10.5 and 2.11.0.
Published: 2024-08-21


 
Priority--Priority
 
Priority - CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Published: 2024-08-20
 
IBM--Global Configuration Management

 
IBM Global Configuration Management 7.0.2 and 7.0.3 could allow an authenticated user to archive a global baseline due to improper access controls.
Published: 2024-08-20

 
apache -- airflow
 
Apache Airflow, versions before 2.10.0, have a vulnerability that allows the developer of a malicious provider to execute a cross-site scripting attack when clicking on a provider documentation link. This would require the provider to be installed on the web server and the user to click the provider link. Users should upgrade to 2.10.0 or later, which fixes this vulnerability.
Published: 2024-08-21

 
gethomepage--homepage

 
Homepage is a highly customizable homepage with Docker and service API integrations. The default setup of homepage 0.9.1 is vulnerable to DNS rebinding. Homepage is set up without certificate and authentication by default, leaving it vulnerable to DNS rebinding. In this attack, an attacker will ask a user to visit his/her website. The attacker website will then change the DNS records of their domain from their IP address to the internal IP address of the homepage instance. To tell which IP addresses are valid, we can rebind a subdomain to each IP address we want to check, and see if there is a response. Once potential candidates have been found, the attacker can launch the attack by reading the response of the webserver after the IP address has changed. When the attacker domain is fetched, the response will be from the homepage instance, not the attacker website, because the IP address has been changed. Due to a lack of authentication, a user's private information such as API keys (fixed after first report) and other private information can then be extracted by the attacker website.
Published: 2024-08-23
 
mattermost--mattermost

 
Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, 9.8.x <= 9.8.2 fail to properly enforce permissions which allows a user with systems manager role with read-only access to teams to perform write operations on teams.
Published: 2024-08-22
 
n/a--n/a
 
A cross-site scripting (XSS) vulnerability in the component update_page_details.php of Blood Bank And Donation Management System commit dc9e039 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Page Details parameter.
Published: 2024-08-20
 
N/A -- N/A

 
SeaCMS 13.0 has a remote code execution vulnerability. The reason for this vulnerability is that although admin_editplayer.php imposes restrictions on edited files, attackers can still bypass these restrictions and write code, allowing authenticated attackers to exploit the vulnerability to execute arbitrary commands and gain system privileges.
Published: 2024-08-20

 
N/A -- N/A

 
A Stored Cross Site Scripting (XSS) vulnerability was found in "/admin_schedule.php" in Kashipara Bus Ticket Reservation System v1.0, which allows remote attackers to execute arbitrary code via scheduleDurationPHP parameter.
Published: 2024-08-22

 
N/A -- N/A

 
A Cross-Site Request Forgery (CSRF) vulnerability was found in Kashipara Hotel Management System v1.0 via /admin/delete_room.php.
Published: 2024-08-22

 
N/A -- N/A

 
A Reflected Cross Site Scripting (XSS) vulnerability was found in "/core/signup_user.php" of Kashipara Hotel Management System v1.0, which allows remote attackers to execute arbitrary code via "user_fname" and "user_lname" parameters.
Published: 2024-08-22

 
N/A -- N/A

 
Cross Site Scripting vulnerability in AcuToWeb server v.10.5.0.7577C8b allows a remote attacker to execute arbitrary code via the index.php component.
Published: 2024-08-23
 
okfn -- ckan
 
CKAN is an open-source data management system for powering data hubs and data portals. There are a number of CKAN plugins, including XLoader, DataPusher, Resource proxy and ckanext-archiver, that work by downloading the contents of local or remote files in order to perform some actions with their contents (e.g. pushing to the DataStore, streaming contents or saving a local copy). All of them use the resource URL, and there are currently no checks to limit what URLs can be requested. This means that a malicious (or unaware) user can create a resource with a URL pointing to a place where they should not have access in order for one of the previous tools to retrieve it (known as a Server Side Request Forgery). Users wanting to protect against these kinds of attacks can use one or a combination of the following approaches: (1) Use a separate HTTP proxy like Squid that can be used to allow / disallow IPs, domains etc as needed, and make CKAN extensions aware of this setting via the ckan.download_proxy config option. (2) Implement custom firewall rules to prevent access to restricted resources. (3) Use custom validators on the resource url field to block/allow certain domains or IPs. All latest versions of the plugins listed above support the ckan.download_proxy settings. Support for this setting in the Resource Proxy plugin was included in CKAN 2.10.5 and 2.11.0.
Published: 2024-08-21
 
ckeditor -- ckeditor
 
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A potential vulnerability has been discovered in CKEditor 4 Code Snippet GeSHi plugin. The vulnerability allowed a reflected XSS attack by exploiting a flaw in the GeSHi syntax highlighter library hosted by the victim. The GeSHi library was included as a vendor dependency in CKEditor 4 source files. In a specific scenario, an attacker could craft a malicious script that could be executed by sending a request to the GeSHi library hosted on a PHP web server. The GeSHi library is no longer actively maintained. Due to the lack of ongoing support and updates, potential security vulnerabilities have been identified with its continued use. To mitigate these risks and enhance the overall security of the CKEditor 4, we have decided to completely remove the GeSHi library as a dependency. This change aims to maintain a secure environment and reduce the risk of any security incidents related to outdated or unsupported software. The fix is available in version 4.25.0-lts.
Published: 2024-08-21


 
discourse--discourse placeholder theme component

 
Discourse Placeholder Forms will let you build dynamic documentation. Unsanitized and stored user input was injected in the html of the post. The vulnerability is fixed in commit a62f711d5600e4e5d86f342d52932cb6221672e7.
Published: 2024-08-20

 
TryGhost--Ghost
 
Ghost is a Node.js content management system. Improper authentication on some endpoints used for member actions would allow an attacker to perform member-only actions, and read member information. This security vulnerability is present in Ghost v4.46.0-v5.89.4. v5.89.5 contains a fix for this issue.
2024-08-20

 
opensearch project--security dashboards plugin
 
OpenSearch Dashboards Security Plugin adds a configuration management UI for the OpenSearch Security features to OpenSearch Dashboards. Improper validation of the nextUrl parameter can lead to external redirect on login to OpenSearch-Dashboards for specially crafted parameters. A patch is available in 1.3.19 and 2.16.0 for this issue.
2024-08-23

 
N/A -- N/A

 
Tenda FH1206 V1.2.0.8(8155)_EN contains a Buffer Overflow vulnerability via the function formWrlExtraGet.
2024-08-23
 
N/A -- N/A

 
Mage AI allows remote users with the "Viewer" role to leak arbitrary files from the Mage server due to a path traversal in the "File Content" request.
2024-08-23
 
N/A -- N/A

 
Mage AI allows remote users with the "Viewer" role to leak arbitrary files from the Mage server due to a path traversal in the "Git Content" request.
2024-08-23
 
N/A -- N/A

 
Mage AI allows remote users with the "Viewer" role to leak arbitrary files from the Mage server due to a path traversal in the "Pipeline Interaction" request.
2024-08-23
 
piotnetdotcom--Piotnet Addons For Elementor

 
The Piotnet Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Image Accordion, Dual Heading, and Vertical Timeline widgets in all versions up to, and including, 2.4.30 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
2024-08-23




 
themeum--Tutor LMS Elementor Addons
 
The Tutor LMS Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'course_carousel_skin' attribute within the plugin's Course Carousel widget in all versions up to, and including, 2.1.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
2024-08-20





 
posimyththemes--The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce

 
The The Plus Addons for Elementor - Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the carousel_direction parameter of testimonials widget in all versions up to, and including, 5.6.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
2024-08-22

 
posimyththemes--The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce
 
The The Plus Addons for Elementor - Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the video_date attribute within the plugin's Video widget in all versions up to, and including, 5.6.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
2024-08-20



 
webdevmattcrom--GiveWP – Donation Plugin and Fundraising Platform
 
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'handle_request' function in all versions up to, and including, 3.13.0. This makes it possible for unauthenticated attackers to edit event ticket settings if the Events beta feature is enabled.
2024-08-20



 
averta--phloxpro

 
The Phlox PRO theme for WordPress is vulnerable to Reflected Cross-Site Scripting via search parameters in all versions up to, and including, 5.16.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
2024-08-21


 
3ds -- 3dexperience
 
A reflected Cross-site Scripting (XSS) vulnerability affecting 3DSwymer from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2024x allows an attacker to execute arbitrary script code in user's browser session.
2024-08-20
 
3ds -- 3dexperience
 
A URL redirection to untrusted site (open redirect) vulnerability affecting 3DPassport in 3DSwymer from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2024x allows an attacker to redirect users to an arbitrary website via a crafted URL.
2024-08-20
 
posimyththemes--The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce
 
The The Plus Addons for Elementor - Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'res_width_value' parameter within the plugin's tp_page_scroll widget in all versions up to, and including, 5.6.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
2024-08-20



 
Unknown--Chatbot with ChatGPT WordPress
 
The Chatbot with ChatGPT WordPress plugin before 2.4.5 does not sanitise and escape user inputs, which could allow unauthenticated users to perform Stored Cross-Site Scripting attacks against admins.
2024-08-19
 
infosatech--WP Last Modified Info
 
The WP Last Modified Info plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'template' attribute of the lmt-post-modified-info shortcode in all versions up to, and including, 1.9.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
2024-08-20




 
dfactory--responsive lightbox & gallery

 
The Responsive Lightbox & Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via file uploads in all versions up to, and including, 2.4.7 due to insufficient input sanitization and output escaping affecting the rl_upload_image AJAX endpoint. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the 3gp2 file.
2024-08-22



 
elbanyaoui--Smart Online Order for Clover

 
The Smart Online Order for Clover plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'moo_deactivateAndClean' function in all versions up to, and including, 1.5.6. This makes it possible for unauthenticated attackers to deactivate the plugin and drop all plugin tables from the database.
2024-08-21


 
danieliser--Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popups Builder
 
The Popup Maker - Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popups Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'close_text' parameter in all versions up to, and including, 1.19.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
2024-08-20

 
shawfactor--LH Add Media From URL

 
The LH Add Media From Url plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'lh_add_media_from_url-file_url' parameter in all versions up to, and including, 1.23 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
2024-08-21


 
Gitlab--Gitlab

 
An issue discovered in GitLab EE, affecting all versions starting 17.0 to 17.1.6, 17.2 prior to 17.2.4, and 17.3 prior to 17.3.1, allows an attacker to execute arbitrary commands in a victim's pipeline through prompt injection.
2024-08-22
 
logsign -- unified_secops_platform
 
Logsign Unified SecOps Platform Directory Traversal Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Logsign Unified SecOps Platform. Authentication is required to exploit this vulnerability. The specific flaw exists within the HTTP API service, which listens on TCP port 443 by default. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of root. Was ZDI-CAN-25027.
2024-08-21

 
marla14--responsive video

 
The Responsive video plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's video settings function in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This requires responsive videos to be enabled for posts.
2024-08-21

 
otasync--OTA Sync Booking Engine Widget

 
The OTA Sync Booking Engine Widget plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.7. This is due to missing or incorrect nonce validation on the otasync_widget_settings_fnc() function. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
2024-08-21

 
themeisle--orbit fox by themeisle

 
The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.10.36 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
2024-08-22




 
dontdream--BP Profile Search
 
The BP Profile Search plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.7.5. This is due to missing or incorrect nonce validation on the bps_ajax_field_selector(), bps_ajax_template_options(), and bps_ajax_field_row() functions. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
2024-08-20



 
oretnom23 -- simple_forum_website
 
A vulnerability, which was classified as problematic, was found in SourceCodester Simple Forum Website 1.0. This affects an unknown part of the file /registration.php of the component Signup Page. The manipulation of the argument username leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
2024-08-19



 
itsourcecode--Project Expense Monitoring System
 
A vulnerability classified as critical has been found in itsourcecode Project Expense Monitoring System 1.0. This affects an unknown part of the file transferred_report.php. The manipulation of the argument start/end/employee leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
2024-08-20



 
itsourcecode--Project Expense Monitoring System
 
A vulnerability classified as critical was found in itsourcecode Project Expense Monitoring System 1.0. This vulnerability affects unknown code of the file printtransfer.php. The manipulation of the argument transfer_id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
2024-08-20



 
itsourcecode--Laravel Property Management System
 
A vulnerability was found in itsourcecode Laravel Property Management System 1.0 and classified as critical. This issue affects the function upload of the file PropertiesController.php. The manipulation of the argument file leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
2024-08-20



 
chillzhuang--spring blade
 
A vulnerability classified as critical has been found in chillzhuang SpringBlade 4.1.0. Affected is an unknown function of the file /api/blade-system/menu/list?updatexml. The manipulation leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
2024-08-21



 
GitLab--GitLab

 
A Denial of Service (DoS) issue has been discovered in GitLab CE/EE affecting all versions prior to 17.1.6, 17.2 prior to 17.2.4, and 17.3 prior to 17.3.1. A denial of service could occur upon importing a maliciously crafted repository using the GitHub importer.
2024-08-22

 
TOTOLINK--AC1200 T8

 
A vulnerability has been found in TOTOLINK AC1200 T8 4.1.5cu.862_B20230228 and classified as critical. Affected by this vulnerability is the function setDiagnosisCfg. The manipulation leads to os command injection. The attack can be launched remotely. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
2024-08-22




 
TOTOLINK--AC1200 T8

 
A vulnerability was found in TOTOLINK AC1200 T8 4.1.5cu.862_B20230228. It has been classified as critical. This affects the function setTracerouteCfg. The manipulation leads to os command injection. It is possible to initiate the attack remotely. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
2024-08-22



 
sourcecodester--online health care system

 
A vulnerability classified as critical has been found in SourceCodester Online Health Care System 1.0. Affected is an unknown function of the file search.php. The manipulation of the argument f_name with the input 1%' or 1=1 ) UNION SELECT 1,2,3,4,5,database(),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23# as part of string leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
2024-08-22




 
sourcecodester--online computer and laptop store

 
A vulnerability, which was classified as critical, has been found in SourceCodester Online Computer and Laptop Store 1.0. Affected by this issue is some unknown functionality of the file /php-ocls/classes/Master.php?f=pay_order. The manipulation of the argument id leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
2024-08-22




 
Source Codester--E-Commerce System

 
A vulnerability was found in SourceCodester E-Commerce System 1.0 and classified as critical. This issue affects some unknown processing of the file /ecommerce/popup_Item.php. The manipulation of the argument id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
2024-08-22




 
Source Codester--E-Commerce System

 
A vulnerability was found in SourceCodester E-Commerce System 1.0. It has been classified as critical. Affected is an unknown function of the file /ecommerce/admin/products/controller.php. The manipulation of the argument photo leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
2024-08-23




 
D-Link--DNS120

 
A vulnerability classified as critical was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. This vulnerability affects the function cgi_unzip of the file /cgi-bin/webfile_mgr.cgi of the component HTTP POST Request Handler. The manipulation of the argument path leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.
2024-08-24





 
D-Link--DNS120

 
A vulnerability, which was classified as critical, has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. This issue affects the function cgi_add_zip of the file /cgi-bin/webfile_mgr.cgi of the component HTTP POST Request Handler. The manipulation of the argument path leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.
2024-08-24





 
D-Link--DNS120

 
A vulnerability, which was classified as critical, was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. Affected is the function cgi_s3_modify of the file /cgi-bin/s3.cgi of the component HTTP POST Request Handler. The manipulation of the argument f_job_name leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.
2024-08-24





 
D-Link--DNS120

 
A vulnerability has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814 and classified as critical. Affected by this vulnerability is the function cgi_s3 of the file /cgi-bin/s3.cgi of the component HTTP POST Request Handler. The manipulation of the argument f_a_key leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.
2024-08-24





 
D-Link--DNS120

 
A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814 and classified as critical. Affected by this issue is the function module_enable_disable of the file /cgi-bin/apkg_mgr.cgi of the component HTTP POST Request Handler. The manipulation of the argument f_module_name leads to command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.
2024-08-24





 
D-Link--DNS120

 
A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. It has been classified as critical. This affects the function webdav_mgr of the file /cgi-bin/webdav_mgr.cgi of the component HTTP POST Request Handler. The manipulation of the argument f_path leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.
2024-08-24





 
D-Link--DNS120

 
A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. It has been declared as critical. This vulnerability affects the function cgi_FMT_R5_SpareDsk_DiskMGR of the file /cgi-bin/hd_config.cgi of the component HTTP POST Request Handler. The manipulation of the argument f_source_dev leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.
2024-08-24





 
D-Link--DNS120
 
A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. It has been rated as critical. This issue affects the function cgi_FMT_Std2R5_1st_DiskMGR of the file /cgi-bin/hd_config.cgi of the component HTTP POST Request Handler. The manipulation of the argument f_source_dev leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.
2024-08-24





 
Go-Tribe--gotribe

 
A vulnerability classified as critical has been found in Go-Tribe gotribe up to cd3ccd32cd77852c9ea73f986eaf8c301cfb6310. Affected is the function Sign of the file pkg/token/token.go. The manipulation of the argument config.key leads to hard-coded credentials. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The patch is identified as 4fb9b9e80a2beedd09d9fde4b9cf5bd510baf18f. It is recommended to apply a patch to fix this issue.
2024-08-24





 
linux -- linux_kernel
 
In the Linux kernel, the following vulnerability has been resolved: iio: adc: men_z188_adc: Fix a resource leak in an error handling path. If iio_device_register() fails, a previous ioremap() is left unbalanced. Update the error handling path and add the missing iounmap() call, as already done in the remove function.
2024-08-22







 
linux -- linux_kernel
 
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix crash due to out of bounds access into reg2btf_ids. When commit e6ac2450d6de ("bpf: Support bpf program calling kernel function") added kfunc support, it defined reg2btf_ids as a cheap way to translate the verifier reg type to the appropriate btf_vmlinux BTF ID, however commit c25b2ae13603 ("bpf: Replace PTR_TO_XXX_OR_NULL with PTR_TO_XXX | PTR_MAYBE_NULL") moved the __BPF_REG_TYPE_MAX from the last member of bpf_reg_type enum to after the base register types, and defined other variants using type flag composition. However, now, the direct usage of reg->type to index into reg2btf_ids may no longer fall into __BPF_REG_TYPE_MAX range, and hence lead to out of bounds access and kernel crash on dereference of bad pointer.
2024-08-22


 
linux -- linux_kernel
 
In the Linux kernel, the following vulnerability has been resolved: RDMA/ib_srp: Fix a deadlock. Remove the flush_workqueue(system_long_wq) call since flushing system_long_wq is deadlock-prone and since that call is redundant with a preceding cancel_work_sync().
2024-08-22







 
linux -- linux_kernel
 
In the Linux kernel, the following vulnerability has been resolved: net/mlx5: DR, Fix slab-out-of-bounds in mlx5_cmd_dr_create_fte. When adding a rule with 32 destinations, we hit the following out-of-band access issue: BUG: KASAN: slab-out-of-bounds in mlx5_cmd_dr_create_fte+0x18ee/0x1e70. This patch fixes the issue by both increasing the allocated buffers to accommodate for the needed actions and by checking the number of actions to prevent this issue when a rule with too many actions is provided.
2024-08-22

 
linux -- linux_kernel
 
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: fix memory leak during stateful obj update. Stateful objects can be updated from the control plane. The transaction logic allocates a temporary object for this purpose. The ->init function was called for this object, so plain kfree() leaks resources. We must call ->destroy function of the object. nft_obj_destroy does this, but it also decrements the module refcount, but the update path doesn't increment it. To avoid special-casing the update object release, do module_get for the update case too and release it via nft_obj_destroy().
2024-08-22




 
linux -- linux_kernel
 
In the Linux kernel, the following vulnerability has been resolved: nfp: flower: Fix a potential leak in nfp_tunnel_add_shared_mac(). ida_simple_get() returns an id between min (0) and max (NFP_MAX_MAC_INDEX) inclusive. So NFP_MAX_MAC_INDEX (0xff) is a valid id. In order for the error handling path to work correctly, the 'invalid' value for 'ida_idx' should not be in the 0..NFP_MAX_MAC_INDEX range, inclusive. So set it to -1.
2024-08-22




 
linux -- linux_kernel
 
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: unregister flowtable hooks on netns exit. Unregister flowtable hooks before they are released via nf_tables_flowtable_destroy() otherwise hook core reports UAF.
BUG: KASAN: use-after-free in nf_hook_entries_grow+0x5a7/0x700 net/netfilter/core.c:142
__nft_release_hook() calls nft_unregister_flowtable_net_hooks() which only unregisters the hooks, then after RCU grace period, it is guaranteed that no packets add new entries to the flowtable (no flow offload rules and flowtable hooks are reachable from packet path), so it is safe to call nf_flow_table_free() which cleans up the remaining entries from the flowtable (both software and hardware) and it unbinds the flow_block.
2024-08-22





 
linux -- linux_kernel
 
In the Linux kernel, the following vulnerability has been resolved: gso: do not skip outer ip header in case of ipip and net_failover. We encounter a tcp drop issue in our cloud environment. Packet GROed in host forwards to a VM virtio_net nic with net_failover enabled. VM acts as a IPVS LB with ipip encapsulation. The full path like: host gro -> vm virtio_net rx -> net_failover rx -> ipvs fullnat -> ipip encap -> net_failover tx -> virtio_net tx. When net_failover transmits a ipip pkt (gso_type = 0x0103, which means SKB_GSO_TCPV4, SKB_GSO_DODGY and SKB_GSO_IPXIP4), there is no gso did because it supports TSO and GSO_IPXIP4. But network_header points to inner ip header.
Call Trace:
 tcp4_gso_segment ------> return NULL
 inet_gso_segment ------> inner iph, network_header points to
 ipip_gso_segment
 inet_gso_segment ------> outer iph
 skb_mac_gso_segment
Afterwards virtio_net transmits the pkt, only inner ip header is modified. And the outer one just keeps unchanged. The pkt will be dropped in remote host.
Call Trace:
 inet_gso_segment ------> inner iph, outer iph is skipped
 skb_mac_gso_segment
 __skb_gso_segment
 validate_xmit_skb
 validate_xmit_skb_list
 sch_direct_xmit
 __qdisc_run
 __dev_queue_xmit ------> virtio_net
 dev_hard_start_xmit
 __dev_queue_xmit ------> net_failover
 ip_finish_output2
 ip_output
 iptunnel_xmit
 ip_tunnel_xmit
 ipip_tunnel_xmit ------> ipip
 dev_hard_start_xmit
 __dev_queue_xmit
 ip_finish_output2
 ip_output
 ip_forward
 ip_rcv
 __netif_receive_skb_one_core
 netif_receive_skb_internal
 napi_gro_receive
 receive_buf
 virtnet_poll
 net_rx_action
The root cause of this issue is specific with the rare combination of SKB_GSO_DODGY and a tunnel device that adds an SKB_GSO_ tunnel option. SKB_GSO_DODGY is set from external virtio_net. We need to reset network header when callbacks.gso_segment() returns NULL. This patch also includes ipv6_gso_segment(), considering SIT, etc.
2024-08-22







 
linux -- linux_kernel
 
In the Linux kernel, the following vulnerability has been resolved: CDC-NCM: avoid overflow in sanity checking. A broken device may give an extreme offset like 0xFFF0 and a reasonable length for a fragment. In the sanity check as formulated now, this will create an integer overflow, defeating the sanity check. Both offset and offset + len need to be checked in such a manner that no overflow can occur. And those quantities should be unsigned.
2024-08-22



 
linux -- linux_kernel
 
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix crash due to incorrect copy_map_value. When both bpf_spin_lock and bpf_timer are present in a BPF map value, copy_map_value needs to skirt both objects when copying a value into and out of the map. However, the current code does not set both s_off and t_off in copy_map_value, which leads to a crash when e.g. bpf_spin_lock is placed in map value with bpf_timer, as bpf_map_update_elem call will be able to overwrite the other timer object. When the issue is not fixed, an overwriting can produce the following splat:
BUG: KASAN: user-memory-access in __pv_queued_spin_lock_slowpath+0x32b/0x520
2024-08-22


 
linux -- linux_kernel
 
In the Linux kernel, the following vulnerability has been resolved: hwmon: Handle failure to register sensor with thermal zone correctly If an attempt is made to a sensor with a thermal zone and it fails, the call to devm_thermal_zone_of_sensor_register() may return -ENODEV. This may result in crashes similar to the following. Jon Hunter reports that the exact call sequence is: hwmon_notify_event() --> hwmon_thermal_notify() --> thermal_zone_device_update() --> update_temperature() --> mutex_lock() The hwmon core needs to handle all errors returned from calls to devm_thermal_zone_of_sensor_register(). If the call fails with -ENODEV, report that the sensor was not attached to a thermal zone but continue to register the hwmon device. 2024-08-22



 
Open-Xchange GmbH--OX App Suite
 
Module savepoints could be abused to inject references to malicious code delivered through the same domain. Attackers could perform malicious API requests or extract information from the user's account. Exploiting this vulnerability requires temporary access to an account or successful social engineering to make a user follow a prepared link to a malicious account. Please deploy the provided updates and patch releases. The savepoint module path has been restricted to modules that provide the feature, excluding any arbitrary or non-existing modules. No publicly available exploits are known. 2024-08-19

 
google -- nest_mini_firmware
 
The libcurl CURLOPT_SSL_VERIFYPEER option was disabled on a subset of requests made by Nest production devices which enabled a potential man-in-the-middle attack on requests to Google cloud services by any host the traffic was routed through.2024-08-19
 
n/a--n/a
 
Typecho v1.3.0 was discovered to contain a Client IP Spoofing vulnerability, which allows attackers to falsify their IP addresses by specifying an arbitrary IP as value of X-Forwarded-For or Client-Ip headers while performing HTTP requests.2024-08-19

 
N/A -- N/A

 
Swissphone DiCal-RED 4009 devices allow an unauthenticated attacker to use a port-2101 TCP connection to gain access to operation messages that are received by the device. 2024-08-22

 
friendica -- friendica
 
Friendica 2024.03 is vulnerable to Cross Site Scripting (XSS) in settings/profile via the homepage, xmpp, and matrix parameters.2024-08-20


 
ibm -- sterling_connect_direct_web_services
 
IBM Sterling Connect:Direct Web Services 6.0, 6.1, 6.2, and 6.3 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques.2024-08-22

 
okfn -- ckan
 
CKAN is an open-source data management system for powering data hubs and data portals. If there were connection issues with the Solr server, the internal Solr URL (potentially including credentials) could be leaked to package_search calls as part of the returned error message. This has been patched in CKAN 2.10.5 and 2.11.0. 2024-08-21

 
Adobe--Adobe Experience Manager

 
Adobe Experience Manager versions 6.5.20 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser.2024-08-23
 
Adobe--Adobe Experience Manager

 
Adobe Experience Manager versions 6.5.20 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.2024-08-23
 
Adobe--Adobe Experience Manager
 
Adobe Experience Manager versions 6.5.20 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.2024-08-23
 
Adobe--Adobe Experience Manager

 
Adobe Experience Manager versions 6.5.20 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.2024-08-23
 
Adobe--Adobe Experience Manager

 
Adobe Experience Manager versions 6.5.20 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.2024-08-23
 
Adobe--Adobe Experience Manager

 
Adobe Experience Manager versions 6.5.20 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser.2024-08-23
 
Adobe--Adobe Experience Manager

 
Adobe Experience Manager versions 6.5.20 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser.2024-08-23
 
Adobe--Adobe Experience Manager

 
Adobe Experience Manager versions 6.5.20 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.2024-08-23
 
Adobe--Adobe Experience Manager

 
Adobe Experience Manager versions 6.5.20 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser.2024-08-23
 
Adobe--Adobe Experience Manager

 
Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.2024-08-23
 
Adobe--Adobe Experience Manager
 
Adobe Experience Manager versions 6.5.19 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. This vulnerability could allow an attacker to inject and execute arbitrary JavaScript code within the context of the user's browser session. Exploitation of this issue requires user interaction, such as convincing a victim to click on a malicious link.2024-08-23
 
7-twenty -- bot
 
7Twenty - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')2024-08-20
 
matrix -- javascript_sdk
 
matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. A malicious homeserver can craft a room or room structure such that the predecessors form a cycle. The matrix-js-sdk's getRoomUpgradeHistory function will infinitely recurse in this case, causing the code to hang. This method is public but also called by the 'leaveRoomChain()' method, so leaving a room will also trigger the bug. This was patched in matrix-js-sdk 34.3.1. 2024-08-20

 
mattermost -- mattermost
 
Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, 9.8.x <= 9.8.2 fail to restrict the input in POST /api/v4/users which allows a user to manipulate the creation date in POST /api/v4/users tricking the admin into believing their account is much older.2024-08-22
 
N/A -- N/A

 
A Stored Cross Site Scripting (XSS) vulnerability was found in "/history.php" in Kashipara Bus Ticket Reservation System v1.0, which allows remote attackers to execute arbitrary code via the Name, Phone, and Email parameter fields.2024-08-22

 
N/A -- N/A

 
A Reflected Cross Site Scripting (XSS) vulnerability was found in the "/schedule.php" page of the Kashipara Bus Ticket Reservation System v1.0, which allows remote attackers to execute arbitrary code via the "bookingdate" parameter.2024-08-22

 
N/A -- N/A

 
Kashipara Music Management System v1.0 is vulnerable to SQL Injection via /music/manage_playlist_items.php. An attacker can execute arbitrary SQL commands via the "pid" parameter.2024-08-21

 

 

icegram--Icegram
 

Missing Authentication for Critical Function vulnerability in icegram Icegram allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Icegram: from n/a through 3.1.24. 2024-08-19
 
VOID CODERS--Void Elementor Post Grid Addon for Elementor Page builder
 
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in VOID CODERS Void Elementor Post Grid Addon for Elementor Page builder allows PHP Local File Inclusion. This issue affects Void Elementor Post Grid Addon for Elementor Page builder: from n/a through 2.3. 2024-08-19
 
Jamie Bergen--Plugin Notes Plus
 
Missing Authorization vulnerability in Jamie Bergen Plugin Notes Plus allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Plugin Notes Plus: from n/a through 1.2.7. 2024-08-19
 
VeronaLabs--WPSMS

 
Missing Authorization vulnerability in VeronaLabs WP SMS. This issue affects WP SMS: from n/a through 6.9.3. 2024-08-22
 
umbraco--Umbraco-CMS
 
Umbraco CMS is an ASP.NET CMS. An authenticated user can access a few unintended endpoints. This issue is fixed in 14.1.2. 2024-08-20

 
khoj-ai--khoj

 
Khoj is an application that creates personal AI agents. The Automation feature allows a user to insert arbitrary HTML inside the task instructions, resulting in a Stored XSS. The q parameter for the /api/automation endpoint does not get correctly sanitized when rendered on the page, resulting in the ability of users to inject arbitrary HTML/JS. This vulnerability is fixed in 1.15.0. 2024-08-20


 
ruby--rexml

 
REXML is an XML toolkit for Ruby. The REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML document that has many deep elements that have the same local name attributes. If you need to parse untrusted XML with a tree parser API like REXML::Document.new, you may be impacted by this vulnerability. If you use other parser APIs such as the stream parser API and the SAX2 parser API, you are not affected by this vulnerability. The REXML gem 3.3.6 or later includes the patch to fix the vulnerability. 2024-08-22

 
xwiki -- xwiki
 
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It is possible for a user without Script or Programming rights to craft a URL pointing to a page with arbitrary JavaScript. This requires social engineering to trick a user into following the URL. This has been patched in XWiki 14.10.21, 15.5.5, 15.10.6 and 16.0.0. 2024-08-19


 
honojs--hono

 
Hono is a Web application framework that provides support for any JavaScript runtime. Hono CSRF middleware can be bypassed using a crafted Content-Type header. MIME types are case insensitive, but isRequestedByFormElementRe only matches lower-case. As a result, an attacker can bypass the CSRF middleware using an upper-case form-like MIME type. This vulnerability is fixed in 4.5.8. 2024-08-22


 
webdevmattcrom--GiveWP Donation Plugin and Fundraising Platform
 
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'setup_wizard' function in all versions up to, and including, 3.13.0. This makes it possible for unauthenticated attackers to read the setup wizard administrative pages.2024-08-20


 
webdevmattcrom--GiveWP Donation Plugin and Fundraising Platform
 
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized access and deletion of data due to a missing capability check on the 'handle_request' function in all versions up to, and including, 3.14.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read attachment paths and delete attachment files.2024-08-20


 
3ds -- 3dexperience
 
A reflected Cross-site Scripting (XSS) vulnerability affecting ENOVIA Collaborative Industry Innovator from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2024x allows an attacker to execute arbitrary script code in user's browser session.2024-08-20
 
maxfoundry--word press button plugin maxbuttons

 
The WordPress Button Plugin MaxButtons plugin for WordPress is vulnerable to information exposure in all versions up to, and including, 9.7.8. This makes it possible for unauthenticated attackers to obtain the full path to instances, which they may be able to use in combination with other vulnerabilities or to simplify reconnaissance work. On its own, this information is of very limited use.2024-08-24


 
GitLab--GitLab

 
An issue was discovered in GitLab CE/EE affecting all versions starting from 8.2 prior to 17.1.6, starting from 17.2 prior to 17.2.4, and starting from 17.3 prior to 17.3.1, which allows an attacker to create a branch with the same name as a deleted tag. 2024-08-22

 
flamix--Flamix: Bitrix24 and Contact Form 7 integrations

 
The Flamix: Bitrix24 and Contact Form 7 integrations plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 3.1.0. This is due to the plugin utilizing mobiledetect without preventing direct access to the files. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website. 2024-08-21


 

imagerecycle--ImageRecycle pdf & image compression

The ImageRecycle pdf & image compression plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several AJAX actions in all versions up to, and including, 3.1.14. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform unauthorized actions, such as updating plugin settings. 2024-08-24

 
sersis--wordsurvey

 
The WordSurvey plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sounding_title' parameter in all versions up to, and including, 3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.2024-08-21


 
starkinfo--WP testimonial widget
 
The WP Testimonial Widget plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnSaveTestimonailOrder function in all versions up to, and including, 3.0. This makes it possible for unauthenticated attackers to change the order of testimonials.2024-08-21

 
appcheap--App Builder – Create Native Android & iOS Apps On The Flight

 
The App Builder - Create Native Android & iOS Apps On The Flight plugin for WordPress is vulnerable to limited SQL Injection via the 'app-builder-search' parameter in all versions up to, and including, 4.2.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.2024-08-21

 
bitpressadmin--Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder
 
The Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder plugin for WordPress is vulnerable to arbitrary JavaScript file uploads due to missing input validation in the addCustomCode function in versions 2.0 to 2.13.9. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary JavaScript files to the affected site's server.2024-08-20

 
adonesevangelista -- laravel_property_management_system
 
A vulnerability was found in itsourcecode Laravel Property Management System 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /admin/notes/create of the component Notes Page. The manipulation of the argument Note text leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.2024-08-20



 
rems -- account_manager_app
 
A vulnerability classified as problematic was found in SourceCodester Accounts Manager App 1.0. This vulnerability affects unknown code of the file update-account.php of the component Update Account Page. The manipulation of the argument Account Name/Username/Password/Link leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.2024-08-20



 
N/A -- N/A

 
Mage AI allows remote unauthenticated attackers to leak the terminal server command history of arbitrary users. 2024-08-22
 
linux -- linux_kernel
 
In the Linux kernel, the following vulnerability has been resolved: configfs: fix a race in configfs_{,un}register_subsystem() When configfs_register_subsystem() or configfs_unregister_subsystem() is executing link_group() or unlink_group(), it is possible that two processes add or delete list concurrently. Some unfortunate interleavings of them can cause kernel panic. One of cases is:

    A --> B --> C --> D
    A <-- B <-- C <-- D

         delete list_head *B        |      delete list_head *C
    --------------------------------|-----------------------------------
    configfs_unregister_subsystem   |   configfs_unregister_subsystem
      unlink_group                  |     unlink_group
        unlink_obj                  |       unlink_obj
          list_del_init             |         list_del_init
            __list_del_entry        |           __list_del_entry
              __list_del            |             __list_del
                // next == C        |
                next->prev = prev   |
                                    |               next->prev = prev
                prev->next = next   |
                                    |               // prev == B
                                    |               prev->next = next

Fix this by adding mutex when calling link_group() or unlink_group(), but parent configfs_subsystem is NULL when config_item is root. So I create a mutex configfs_subsystem_mutex. 2024-08-22







 
linux -- linux_kernel
 
In the Linux kernel, the following vulnerability has been resolved: ice: fix concurrent reset and removal of VFs Commit c503e63200c6 ("ice: Stop processing VF messages during teardown") introduced a driver state flag, ICE_VF_DEINIT_IN_PROGRESS, which is intended to prevent some issues with concurrently handling messages from VFs while tearing down the VFs. This change was motivated by crashes caused while tearing down and bringing up VFs in rapid succession. It turns out that the fix actually introduces issues with the VF driver caused because the PF no longer responds to any messages sent by the VF during its .remove routine. This results in the VF potentially removing its DMA memory before the PF has shut down the device queues. Additionally, the fix doesn't actually resolve concurrency issues within the ice driver. It is possible for a VF to initiate a reset just prior to the ice driver removing VFs. This can result in the remove task concurrently operating while the VF is being reset. This results in similar memory corruption and panics purportedly fixed by that commit. Fix this concurrency at its root by protecting both the reset and removal flows using the existing VF cfg_lock. This ensures that we cannot remove the VF while any outstanding critical tasks such as a virtchnl message or a reset are occurring. This locking change also fixes the root cause originally fixed by commit c503e63200c6 ("ice: Stop processing VF messages during teardown"), so we can simply revert it. Note that I kept these two changes together because simply reverting the original commit alone would leave the driver vulnerable to worse race conditions.2024-08-22



 
sasiddiqui--Custom Permalinks

 
The Custom Permalinks plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.6.0 due to insufficient input sanitization and output escaping on tag names. This allows authenticated users, with editor-level permissions or greater to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, even when 'unfiltered_html' has been disabled.2024-08-24




 
GitLab--GitLab

 
An issue has been discovered in GitLab EE affecting all versions starting from 12.5 before 17.1.6, all versions starting from 17.2 before 17.2.4, all versions starting from 17.3 before 17.3.1. Under certain conditions it may be possible to bypass the IP restriction for groups through GraphQL allowing unauthorised users to perform some actions at the group level.2024-08-22

 
N/A -- WP Table Builder

 
The WP Table Builder WordPress plugin through 1.5.0 does not sanitise and escape some of its Table data, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). 2024-08-23
 
Spring--Spring Framework
 
In Spring Framework versions 5.3.0 - 5.3.38 and older unsupported versions, it is possible for a user to provide a specially crafted Spring Expression Language (SpEL) expression that may cause a denial of service (DoS) condition. Specifically, an application is vulnerable when the following is true: * The application evaluates user-supplied SpEL expressions.2024-08-20
 
ibm -- sterling_connect_direct_web_services
 
IBM Sterling Connect:Direct Web Services 6.0, 6.1, 6.2, and 6.3 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.2024-08-22

 
mattermost -- mattermost
 
Mattermost versions 9.5.x <= 9.5.7 and 9.10.x <= 9.10.0 fail to time limit and size limit the CA path file in the ElasticSearch configuration which allows a System Role with access to the Elasticsearch system console to add any file as a CA path field, such as /dev/zero and, after testing the connection, cause the application to crash.2024-08-22
 
Priority--Priority
 
Priority - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor2024-08-20
 
Priority--Priority
 
Priority - CWE-552: Files or Directories Accessible to External Parties2024-08-20
 
Adobe--Adobe Experience Manager

 
Adobe Experience Manager versions 6.5.20 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.2024-08-23
 
Adobe--Adobe Experience Manager

 
Adobe Experience Manager versions 6.5.20 and earlier are affected by an Improper Input Validation vulnerability that could lead to a security feature bypass. A low-privileged attacker could leverage this vulnerability to slightly affect the integrity of the page. Exploitation of this issue requires user interaction and scope is changed. 2024-08-23
 
N/A -- N/A

 
A Stored Cross Site Scripting (XSS) vulnerability was found in "/core/signup_user.php" of Kashipara Hotel Management System v1.0, which allows remote attackers to execute arbitrary code via the "user_email" parameter.2024-08-22

 
N/A -- N/A

 
A Stored Cross Site Scripting (XSS) vulnerability was found in "/admin/edit_room_controller.php" of the Kashipara Hotel Management System v1.0, which allows remote attackers to execute arbitrary code via the "room_name" parameter. 2024-08-22

 
N/A -- N/A

 
A cross-site scripting (XSS) vulnerability in the component /index/index.html of YZNCMS v1.4.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the configured remarks text field.2024-08-21
 
N/A -- N/A

 
autMan v2.9.6 was discovered to contain an access control issue.2024-08-23

 
N/A -- N/A

 
autMan v2.9.6 allows attackers to bypass authentication via a crafted web request.2024-08-23
 
mattermost-mattermost

 
Mattermost Plugin Channel Export versions <=1.0.0 fail to restrict concurrent runs of the /export command which allows a user to consume excessive resource by running the /export command multiple times at once.2024-08-23
 
Scott Paterson--Easy PayPal Buy Now Button
 
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Scott Paterson Easy PayPal Buy Now Button. This issue affects Easy PayPal Buy Now Button: from n/a through 1.9. 2024-08-19
 
Salon Booking System--Salon booking system
 
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Salon Booking System Salon booking system. This issue affects Salon booking system: from n/a through 10.8.1. 2024-08-19
 
Metagauss User Registration Team--RegistrationMagic
 
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Metagauss User Registration Team RegistrationMagic allows Cross-Site Scripting (XSS). This issue affects RegistrationMagic: from n/a through 6.0.1.0. 2024-08-19
 
umbraco--Umbraco-CMS
 
Umbraco is an ASP.NET CMS. Some endpoints in the Management API can return stack trace information, even when Umbraco is not in debug mode. This vulnerability is fixed in 14.1.2. 2024-08-20

 
apolloconfig--apollo
 
Apollo is a configuration management system. A vulnerability exists in the synchronization configuration feature that allows users to craft specific requests to bypass permission checks. This exploit enables them to modify a namespace without the necessary permissions. The issue was addressed with an input parameter check which was released in version 2.3.0. 2024-08-20



 
Mattermost--Mattermost

 
Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.0, 9.8.x <= 9.8.2 fail to enforce permissions which allows a guest user with read access to upload files to a channel.2024-08-22
 
vim--vim
 
Vim is an open source command line text editor. When performing a search and displaying the search-count message is disabled (:set shm+=S), the search pattern is displayed at the bottom of the screen in a buffer (msgbuf). When right-left mode (:set rl) is enabled, the search pattern is reversed. This happens by allocating a new buffer. If the search pattern contains some ASCII NUL characters, the buffer allocated will be smaller than the original allocated buffer (because for allocating the reversed buffer, the strlen() function is called, which only counts until it notices an ASCII NUL byte) and thus the original length indicator is wrong. This causes an overflow when accessing characters inside the msgbuf by the previously (now wrong) length of the msgbuf. The issue has been fixed as of Vim patch v9.1.0689. 2024-08-22

 
mattermost -- mattermost
 
Mattermost versions 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 fail to enforce proper access controls which allows any authenticated user, including guests, to mark any channel inside any team as read for any user.2024-08-22
 
clevelandwebdeveloper--hide my site

 
The Hide My Site plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2 due to the plugin not restricting access to the REST API when password protection is enabled. This makes it possible for unauthenticated attackers to gain unauthorized access to the site.2024-08-21

 
Grafana-Grafana

 
Access control for plugin data sources protected by the ReqActions json field of the plugin.json is bypassed if the user or service account is granted associated access to any other data source, as the ReqActions check was not scoped to each specific datasource. The account must have prior query access to the impacted datasource.2024-08-20
 
sethshoultes--Event Espresso – Event Registration & Ticketing Sales

 
The Event Espresso 4 Decaf - Event Registration Event Ticketing plugin for WordPress is vulnerable to limited unauthorized plugin settings modification due to a missing capability check on the saveTimezoneString and some other functions in all versions up to, and including, 5.0.22.decaf. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify some of the plugin settings.2024-08-21

 
elbanyaoui--Smart Online Order for Clover

 
The Smart Online Order for Clover plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions in all versions up to, and including, 1.5.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update product and category descriptions, category titles and images, and sort order.2024-08-21


 
F5--NGINX Agents

 
NGINX Agent's "config_dirs" restriction feature allows a highly privileged attacker to gain the ability to write/overwrite files outside of the designated secure directory.2024-08-22
 
themifyme--Themify Builder

 
The Themify Builder plugin for WordPress is vulnerable to unauthorized post duplication due to missing checks on the duplicate_page_ajaxify function in all versions up to, and including, 7.6.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to duplicate and view private or draft posts created by other users that otherwise shouldn't be accessible to them.2024-08-22

 
deepakkite--User Private Files – WordPress File Sharing Plugin

 
The User Private Files - WordPress File Sharing Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.1.0 via the 'dpk_upvf_update_doc' due to missing validation on the 'docid' user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to gain access to other users' private files.
Published: 2024-08-22

 
n/a--FastAdmin
 
A vulnerability, which was classified as problematic, has been found in FastAdmin up to 1.3.3.20220121. Affected by this issue is some unknown functionality of the file /index/ajax/lang. The manipulation of the argument lang leads to path traversal. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.3.4.20220530 is able to address this issue. It is recommended to upgrade the affected component.
Published: 2024-08-19



 
google -- chrome
 
Inappropriate implementation in Permissions in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
Published: 2024-08-21

 
google -- chrome
 
Inappropriate implementation in FedCM in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
Published: 2024-08-21

 
google -- chrome
 
Insufficient policy enforcement in Data Transfer in Google Chrome prior to 128.0.6613.84 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
Published: 2024-08-21

 
google -- chrome
 
Inappropriate implementation in Views in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
Published: 2024-08-21

 
Google--Chrome

 
Inappropriate implementation in WebApp Installs in Google Chrome on Windows prior to 128.0.6613.84 allowed an attacker who convinced a user to install a malicious application to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
Published: 2024-08-21

 
google -- chrome
 
Inappropriate implementation in Custom Tabs in Google Chrome on Android prior to 128.0.6613.84 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
Published: 2024-08-21

 
google -- chrome
 
Inappropriate implementation in Extensions in Google Chrome on Windows prior to 128.0.6613.84 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
Published: 2024-08-21

 
Thinkgem--JeeSite
 
A vulnerability was found in thinkgem JeeSite 5.3. It has been rated as problematic. This issue affects some unknown processing of the file /js/a/login of the component Cookie Handler. The manipulation of the argument skinName leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
Published: 2024-08-23


 
ImageRecycle--ImageRecycle pdf & image compression

 
The ImageRecycle pdf & image compression plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.14. This is due to missing or incorrect nonce validation on several functions in the class/class-image-otimizer.php file. This makes it possible for unauthenticated attackers to update plugin settings along with performing other actions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2024-08-24

 

Low Vulnerabilities

Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info
linux -- linux_kernel
 
In the Linux kernel, the following vulnerability has been resolved: io_uring: add a schedule point in io_add_buffers(). Looping ~65535 times doing kmalloc() calls can trigger soft lockups, especially with DEBUG features (like KASAN). [ 253.536212] watchdog: BUG: soft lockup - CPU#64 stuck for 26s! [b219417889:12575]
Published: 2024-08-22



 
linux -- linux_kernel
 
In the Linux kernel, the following vulnerability has been resolved: bpf: Add schedule points in batch ops. syzbot reported various soft lockups caused by bpf batch operations. INFO: task kworker/1:1:27 blocked for more than 140 seconds. INFO: task hung in rcu_barrier Nothing prevents batch ops to process huge amount of data, we need to add schedule points in them. Note that maybe_wait_bpf_programs(map) calls from generic_map_delete_batch() can be factorized by moving the call after the loop. This will be done later in -next tree once we get this fix merged, unless there is strong opinion doing this optimization sooner.
Published: 2024-08-22



 
mattermost -- mattermost
 
Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, 9.8.x <= 9.8.2, when shared channels are enabled, fail to redact remote users' original email addresses stored in user props when email addresses are otherwise configured not to be visible in the local server.
Published: 2024-08-22
 
trufflesecurity -- trufflehog
 
TruffleHog is a secrets scanning tool. Prior to v3.81.9, this vulnerability allows a malicious actor to craft data in a way that, when scanned by specific detectors, could trigger the detector to make an unauthorized request to an endpoint chosen by the attacker. For an exploit to be effective, the target endpoint must be an unauthenticated GET endpoint that produces side effects. The victim must scan the maliciously crafted data and have such an endpoint targeted for the exploit to succeed. The vulnerability has been resolved in TruffleHog v3.81.9 and later versions.
Published: 2024-08-19

 
ckeditor--ckeditor4

 
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A theoretical vulnerability has been identified in CKEditor 4.22 (and above). In a highly unlikely scenario where an attacker gains control over the https://cke4.ckeditor.com domain, they could potentially execute an attack on CKEditor 4 instances. The issue impacts only editor instances with enabled version notifications. Please note that this feature is disabled by default in all CKEditor 4 LTS versions. Therefore, if you use CKEditor 4 LTS, it is highly unlikely that you are affected by this vulnerability. If you are unsure, please contact us. The fix is available in version 4.25.0-lts.
Published: 2024-08-21

 
SourceCodester--Leads Manager Tool
 
A vulnerability has been found in SourceCodester Leads Manager Tool 1.0 and classified as problematic. This vulnerability affects unknown code of the file update-leads.php. The manipulation of the argument phone_number leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Published: 2024-08-20



 
Genexis--Tilgin Home Gateway

 
A vulnerability was found in Genexis Tilgin Home Gateway 322_AS0500-03_05_13_05. It has been rated as problematic. This issue affects some unknown processing of the file /vood/cgi-bin/vood_view.cgi?lang=EN&act=user/spec_conf&sessionId=86213915328111654515&user=A&message2user=Account%20updated. The manipulation of the argument Phone Number leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2024-08-21


 
SourceCodester--Record Management System

 
A vulnerability, which was classified as problematic, was found in SourceCodester Record Management System 1.0. This affects an unknown part of the file sort1_user.php. The manipulation of the argument position leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Published: 2024-08-24




 
SourceCodester--Record Management System

 
A vulnerability has been found in SourceCodester Record Management System 1.0 and classified as problematic. This vulnerability affects unknown code of the file search_user.php. The manipulation of the argument search leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Published: 2024-08-24




 
mattermost--mattermost

 
Mattermost versions 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 fail to properly enforce permissions which allows a team admin user without "Add Team Members" permission to disable the invite URL.
Published: 2024-08-22
 
Byron--gitoxide
 
gitoxide is an idiomatic, lean, fast & safe pure Rust implementation of Git. gitoxide-core, which provides most underlying functionality of the gix and ein commands, does not neutralize newlines, backspaces, or control characters (including those that form ANSI escape sequences) that appear in a repository's paths, author and committer names, commit messages, or other metadata. Such text may be written as part of the output of a command, as well as appearing in error messages when an operation fails. This sometimes allows an untrusted repository to misrepresent its contents and to alter or concoct error messages.
Published: 2024-08-22
 
Octopus Deploy--Octopus Server

 
In affected versions of Octopus Server, OIDC cookies were using the wrong expiration time which could result in them using the maximum lifespan.
Published: 2024-08-21
 
SourceCodester--Online Computer and Laptop Store

 
A vulnerability, which was classified as problematic, was found in SourceCodester Online Computer and Laptop Store 1.0. This affects an unknown part of the file /php-ocls/classes/SystemSettings.php?f=update_settings of the component Setting Handler. The manipulation of the argument System Name leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Published: 2024-08-22




 

Severity Not Yet Assigned

Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info
N/A -- N/A

 
Python Pip Pandas v2.2.2 was discovered to contain an arbitrary file read vulnerability.
Published: 2024-08-23
CVSS Score: not yet calculated

 
Linux--Linux
 
In the Linux kernel, the following vulnerability has been resolved: spi: spi-zynq-qspi: Fix a NULL pointer dereference in zynq_qspi_exec_mem_op(). In zynq_qspi_exec_mem_op(), kzalloc() is directly used in memset(), which could lead to a NULL pointer dereference on failure of kzalloc(). Fix this bug by adding a check of tmpbuf. This bug was found by a static analyzer. The analysis employs differential checking to identify inconsistent security operations (e.g., checks or kfrees) between two code paths and confirms that the inconsistent operations are not recovered in the current function or the callers, so they constitute bugs. Note that, as a bug found by static analysis, it can be a false positive or hard to trigger. Multiple researchers have cross-reviewed the bug. Builds with CONFIG_SPI_ZYNQ_QSPI=m show no new warnings, and our static analyzer no longer warns about this code.
Published: 2024-08-22
CVSS Score: not yet calculated




 
OpenText--Performance Center
 
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in OpenText Performance Center on Windows allows Retrieve Embedded Sensitive Data. This issue affects Performance Center: 12.63.
Published: 2024-08-21
CVSS Score: not yet calculated
 
OpenText--Performance Center
 
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in OpenText Performance Center on Windows allows Cross-Site Scripting (XSS). This issue affects Performance Center: 12.63.
Published: 2024-08-21
CVSS Score: not yet calculated
 
Linux--Linux
 
In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: Prevent use after free on completion memory. On driver unload any pending descriptors are flushed at the time the interrupt is freed: idxd_dmaengine_drv_remove() -> drv_disable_wq() -> idxd_wq_free_irq() -> idxd_flush_pending_descs(). If there are any descriptors present that need to be flushed this flow triggers a "not present" page fault as below: BUG: unable to handle page fault for address: ff391c97c70c9040 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page The address that triggers the fault is the address of the descriptor that was freed moments earlier via: drv_disable_wq()->idxd_wq_free_resources() Fix the use after free by freeing the descriptors after any possible usage. This is done after idxd_wq_reset() to ensure that the memory remains accessible during possible completion writes by the device.
Published: 2024-08-21
CVSS Score: not yet calculated

 
Linux--Linux

 
In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: Let probe fail when workqueue cannot be enabled. The workqueue is enabled when the appropriate driver is loaded and disabled when the driver is removed. When the driver is removed it assumes that the workqueue was enabled successfully and proceeds to free allocations made during workqueue enabling. Failure during workqueue enabling does not prevent the driver from being loaded. This is because the error path within drv_enable_wq() returns success unless a second failure is encountered during the error path. By returning success it is possible to load the driver even if the workqueue cannot be enabled and allocations that do not exist are attempted to be freed during driver remove. Some examples of problematic flows: (a) idxd_dmaengine_drv_probe() -> drv_enable_wq() -> idxd_wq_request_irq(): In above flow, if idxd_wq_request_irq() fails then idxd_wq_unmap_portal() is called on error exit path, but drv_enable_wq() returns 0 because idxd_wq_disable() succeeds. The driver is thus loaded successfully. idxd_dmaengine_drv_remove()->drv_disable_wq()->idxd_wq_unmap_portal() Above flow on driver unload triggers the WARN in devm_iounmap() because the device resource has already been removed during error path of drv_enable_wq(). (b) idxd_dmaengine_drv_probe() -> drv_enable_wq() -> idxd_wq_request_irq(): In above flow, if idxd_wq_request_irq() fails then idxd_wq_init_percpu_ref() is never called to initialize the percpu counter, yet the driver loads successfully because drv_enable_wq() returns 0. idxd_dmaengine_drv_remove()->__idxd_wq_quiesce()->percpu_ref_kill(): Above flow on driver unload triggers a BUG when attempting to drop the initial ref of the uninitialized percpu ref: BUG: kernel NULL pointer dereference, address: 0000000000000010 Fix the drv_enable_wq() error path by returning the original error that indicates failure of workqueue enabling. This ensures that the probe fails when an error is encountered and the driver remove paths are only attempted when the workqueue was enabled successfully.
Published: 2024-08-21
CVSS Score: not yet calculated


 
Linux--Linux

 
In the Linux kernel, the following vulnerability has been resolved: USB: gadgetfs: Fix race between mounting and unmounting. The syzbot fuzzer and Gerald Lee have identified a use-after-free bug in the gadgetfs driver, involving processes concurrently mounting and unmounting the gadgetfs filesystem. In particular, gadgetfs_fill_super() can race with gadgetfs_kill_sb(), causing the latter to deallocate the_device while the former is using it. The output from KASAN says, in part: BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:102 [inline] BUG: KASAN: use-after-free in atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:176 [inline] BUG: KASAN: use-after-free in __refcount_sub_and_test include/linux/refcount.h:272 [inline] BUG: KASAN: use-after-free in __refcount_dec_and_test include/linux/refcount.h:315 [inline] BUG: KASAN: use-after-free in refcount_dec_and_test include/linux/refcount.h:333 [inline] BUG: KASAN: use-after-free in put_dev drivers/usb/gadget/legacy/inode.c:159 [inline] BUG: KASAN: use-after-free in gadgetfs_kill_sb+0x33/0x100 drivers/usb/gadget/legacy/inode.c:2086 Write of size 4 at addr ffff8880276d7840 by task syz-executor126/18689 CPU: 0 PID: 18689 Comm: syz-executor126 Not tainted 6.1.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 Call Trace: <TASK> ... atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:176 [inline] __refcount_sub_and_test include/linux/refcount.h:272 [inline] __refcount_dec_and_test include/linux/refcount.h:315 [inline] refcount_dec_and_test include/linux/refcount.h:333 [inline] put_dev drivers/usb/gadget/legacy/inode.c:159 [inline] gadgetfs_kill_sb+0x33/0x100 drivers/usb/gadget/legacy/inode.c:2086 deactivate_locked_super+0xa7/0xf0 fs/super.c:332 vfs_get_super fs/super.c:1190 [inline] get_tree_single+0xd0/0x160 fs/super.c:1207 vfs_get_tree+0x88/0x270 fs/super.c:1531 vfs_fsconfig_locked fs/fsopen.c:232 [inline] The simplest solution is to ensure that gadgetfs_fill_super() and gadgetfs_kill_sb() are serialized by making them both acquire a new mutex.
Published: 2024-08-21
CVSS Score: not yet calculated




 
Linux--Linux

 
In the Linux kernel, the following vulnerability has been resolved: tty: fix possible null-ptr-defer in spk_ttyio_release. Run the following tests on the qemu platform: syzkaller:~# modprobe speakup_audptr input: Speakup as /devices/virtual/input/input4 initialized device: /dev/synth, node (MAJOR 10, MINOR 125) speakup 3.1.6: initialized synth name on entry is: (null) synth probe spk_ttyio_initialise_ldisc failed because tty_kopen_exclusive returned failed (errno -16), then remove the module, we will get a null-ptr-defer problem, as follow: syzkaller:~# modprobe -r speakup_audptr releasing synth audptr BUG: kernel NULL pointer dereference, address: 0000000000000080 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page PGD 0 P4D 0 Oops: 0002 [#1] PREEMPT SMP PTI CPU: 2 PID: 204 Comm: modprobe Not tainted 6.1.0-rc6-dirty #1 RIP: 0010:mutex_lock+0x14/0x30 Call Trace: <TASK> spk_ttyio_release+0x19/0x70 [speakup] synth_release.part.6+0xac/0xc0 [speakup] synth_remove+0x56/0x60 [speakup] __x64_sys_delete_module+0x156/0x250 ? fpregs_assert_state_consistent+0x1d/0x50 do_syscall_64+0x37/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd </TASK> Modules linked in: speakup_audptr(-) speakup Dumping ftrace buffer: in_synth->dev was not initialized during modprobe, so we add check for in_synth->dev to fix this bug.
Published: 2024-08-21
CVSS Score: not yet calculated


 
Linux--Linux

 
In the Linux kernel, the following vulnerability has been resolved: tty: serial: qcom-geni-serial: fix slab-out-of-bounds on RX FIFO buffer. Driver's probe allocates memory for RX FIFO (port->rx_fifo) based on default RX FIFO depth, e.g. 16. Later during serial startup the qcom_geni_serial_port_setup() updates the RX FIFO depth (port->rx_fifo_depth) to match real device capabilities, e.g. to 32. The RX UART handle code will read "port->rx_fifo_depth" number of words into "port->rx_fifo" buffer, thus exceeding the bounds. This can be observed in certain configurations with Qualcomm Bluetooth HCI UART device and KASAN: Bluetooth: hci0: QCA Product ID :0x00000010 Bluetooth: hci0: QCA SOC Version :0x400a0200 Bluetooth: hci0: QCA ROM Version :0x00000200 Bluetooth: hci0: QCA Patch Version:0x00000d2b Bluetooth: hci0: QCA controller version 0x02000200 Bluetooth: hci0: QCA Downloading qca/htbtfw20.tlv bluetooth hci0: Direct firmware load for qca/htbtfw20.tlv failed with error -2 Bluetooth: hci0: QCA Failed to request file: qca/htbtfw20.tlv (-2) Bluetooth: hci0: QCA Failed to download patch (-2) BUG: KASAN: slab-out-of-bounds in handle_rx_uart+0xa8/0x18c Write of size 4 at addr ffff279347d578c0 by task swapper/0/0 CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.1.0-rt5-00350-gb2450b7e00be-dirty #26 Hardware name: Qualcomm Technologies, Inc. Robotics RB5 (DT) Call trace: dump_backtrace.part.0+0xe0/0xf0 show_stack+0x18/0x40 dump_stack_lvl+0x8c/0xb8 print_report+0x188/0x488 kasan_report+0xb4/0x100 __asan_store4+0x80/0xa4 handle_rx_uart+0xa8/0x18c qcom_geni_serial_handle_rx+0x84/0x9c qcom_geni_serial_isr+0x24c/0x760 __handle_irq_event_percpu+0x108/0x500 handle_irq_event+0x6c/0x110 handle_fasteoi_irq+0x138/0x2cc generic_handle_domain_irq+0x48/0x64 If the RX FIFO depth changes after probe, be sure to resize the buffer.
Published: 2024-08-21
CVSS Score: not yet calculated



 
Linux--Linux

 
In the Linux kernel, the following vulnerability has been resolved: misc: fastrpc: Fix use-after-free race condition for maps. It is possible that in between calling fastrpc_map_get() until map->fl->lock is taken in fastrpc_free_map(), another thread can call fastrpc_map_lookup() and get a reference to a map that is about to be deleted. Rewrite fastrpc_map_get() to only increase the reference count of a map if it's non-zero. Propagate this to callers so they can know if a map is about to be deleted. Fixes this warning: refcount_t: addition on 0; use-after-free. WARNING: CPU: 5 PID: 10100 at lib/refcount.c:25 refcount_warn_saturate ... Call trace: refcount_warn_saturate [fastrpc_map_get inlined] [fastrpc_map_lookup inlined] fastrpc_map_create fastrpc_internal_invoke fastrpc_device_ioctl __arm64_sys_ioctl invoke_syscall
Published: 2024-08-21
CVSS Score: not yet calculated




 
Linux--Linux

 
In the Linux kernel, the following vulnerability has been resolved: misc: fastrpc: Don't remove map on creater_process and device_release. Do not remove the map from the list on error path in fastrpc_init_create_process, instead call fastrpc_map_put, to avoid use-after-free. Do not remove it on fastrpc_device_release either, call fastrpc_map_put instead. The fastrpc_free_map is the only proper place to remove the map. This is called only after the reference count is 0.
Published: 2024-08-21
CVSS Score: not yet calculated




 
Linux--Linux

 
In the Linux kernel, the following vulnerability has been resolved: misc: fastrpc: Fix use-after-free and race in fastrpc_map_find. Currently, there is a race window between the point when the mutex is unlocked in fastrpc_map_lookup and the reference count increasing (fastrpc_map_get) in fastrpc_map_find, which can also lead to use-after-free. So lets merge fastrpc_map_find into fastrpc_map_lookup which allows us to both protect the maps list by also taking the &fl->lock spinlock and the reference count, since the spinlock will be released only after. Add take_ref argument to make this suitable for all callers.
Published: 2024-08-21
CVSS Score: not yet calculated

 
Linux--Linux

 
In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: sdata can be NULL during AMPDU start. ieee80211_tx_ba_session_handle_start() may get NULL for sdata when a deauthentication is ongoing. Here a trace triggering the race with the hostapd test multi_ap_fronthaul_on_ap: (gdb) list *drv_ampdu_action+0x46 0x8b16 is in drv_ampdu_action (net/mac80211/driver-ops.c:396). 391 int ret = -EOPNOTSUPP; 392 393 might_sleep(); 394 395 sdata = get_bss_sdata(sdata); 396 if (!check_sdata_in_driver(sdata)) 397 return -EIO; 398 399 trace_drv_ampdu_action(local, sdata, params); 400 wlan0: moving STA 02:00:00:00:03:00 to state 3 wlan0: associated wlan0: deauthenticating from 02:00:00:00:03:00 by local choice (Reason: 3=DEAUTH_LEAVING) wlan3.sta1: Open BA session requested for 02:00:00:00:00:00 tid 0 wlan3.sta1: dropped frame to 02:00:00:00:00:00 (unauthorized port) wlan0: moving STA 02:00:00:00:03:00 to state 2 wlan0: moving STA 02:00:00:00:03:00 to state 1 wlan0: Removed STA 02:00:00:00:03:00 wlan0: Destroyed STA 02:00:00:00:03:00 BUG: unable to handle page fault for address: fffffffffffffb48 PGD 11814067 P4D 11814067 PUD 11816067 PMD 0 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 2 PID: 133397 Comm: kworker/u16:1 Tainted: G W 6.1.0-rc8-wt+ #59 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-20220807_005459-localhost 04/01/2014 Workqueue: phy3 ieee80211_ba_session_work [mac80211] RIP: 0010:drv_ampdu_action+0x46/0x280 [mac80211] Call Trace: <TASK> ieee80211_tx_ba_session_handle_start+0xd0/0x190 [mac80211] ieee80211_ba_session_work+0xff/0x2e0 [mac80211] process_one_work+0x29f/0x620 worker_thread+0x4d/0x3d0 ? process_one_work+0x620/0x620 kthread+0xfb/0x120 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x22/0x30 </TASK>
Published: 2024-08-21
CVSS Score: not yet calculated



 
Linux--Linux

 
In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: fix initialization of rx->link and rx->link_sta. There are some codepaths that do not initialize rx->link_sta properly. This causes a crash in places which assume that rx->link_sta is valid if rx->sta is valid. One known instance is triggered by __ieee80211_rx_h_amsdu being called from fast-rx. It results in a crash like this one: BUG: kernel NULL pointer dereference, address: 00000000000000a8 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page PGD 0 P4D 0 Oops: 0002 [#1] PREEMPT SMP PTI CPU: 1 PID: 506 Comm: mt76-usb-rx phy Tainted: G E 6.1.0-debian64x+1.7 #3 Hardware name: ZOTAC ZBOX-ID92/ZBOX-IQ01/ZBOX-ID92/ZBOX-IQ01, BIOS B220P007 05/21/2014 RIP: 0010:ieee80211_deliver_skb+0x62/0x1f0 [mac80211] Call Trace: <TASK> __ieee80211_rx_h_amsdu+0x1b5/0x240 [mac80211] ? ieee80211_prepare_and_rx_handle+0xcdd/0x1320 [mac80211] ? __local_bh_enable_ip+0x3b/0xa0 ieee80211_prepare_and_rx_handle+0xcdd/0x1320 [mac80211] ? prepare_transfer+0x109/0x1a0 [xhci_hcd] ieee80211_rx_list+0xa80/0xda0 [mac80211] mt76_rx_complete+0x207/0x2e0 [mt76] mt76_rx_poll_complete+0x357/0x5a0 [mt76] mt76u_rx_worker+0x4f5/0x600 [mt76_usb] ? mt76_get_min_avg_rssi+0x140/0x140 [mt76] __mt76_worker_fn+0x50/0x80 [mt76] kthread+0xed/0x120 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x22/0x30 Since the initialization of rx->link and rx->link_sta is rather convoluted and duplicated in many places, clean it up by using a helper function to set it. [remove unnecessary rx->sta->sta.mlo check]
Published: 2024-08-21
CVSS Score: not yet calculated

 
Linux--Linux

 
In the Linux kernel, the following vulnerability has been resolved: f2fs: let's avoid panic if extent_tree is not created. This patch avoids the below panic. pc : __lookup_extent_tree+0xd8/0x760 lr : f2fs_do_write_data_page+0x104/0x87c Call trace: __lookup_extent_tree+0xd8/0x760 f2fs_do_write_data_page+0x104/0x87c f2fs_write_single_data_page+0x420/0xb60 f2fs_write_cache_pages+0x418/0xb1c __f2fs_write_data_pages+0x428/0x58c f2fs_write_data_pages+0x30/0x40 do_writepages+0x88/0x190 __writeback_single_inode+0x48/0x448 writeback_sb_inodes+0x468/0x9e8 __writeback_inodes_wb+0xb8/0x2a4 wb_writeback+0x33c/0x740 wb_do_writeback+0x2b4/0x400 wb_workfn+0xe4/0x34c process_one_work+0x24c/0x5bc worker_thread+0x3e8/0xa50 kthread+0x150/0x1b4
Published: 2024-08-21
CVSS Score: not yet calculated






 
Linux--Linux

 
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_qca: Fix driver shutdown on closed serdev The driver shutdown callback (which sends EDL_SOC_RESET to the device over serdev) should not be invoked when HCI device is not open (e.g. if hci_dev_open_sync() failed), because the serdev and its TTY are not open either. Also skip this step if device is powered off (qca_power_shutdown()). The shutdown callback causes use-after-free during system reboot with Qualcomm Atheros Bluetooth: Unable to handle kernel paging request at virtual address 0072662f67726fd7 ... CPU: 6 PID: 1 Comm: systemd-shutdow Tainted: G W 6.1.0-rt5-00325-g8a5f56bcfcca #8 Hardware name: Qualcomm Technologies, Inc. Robotics RB5 (DT) Call trace: tty_driver_flush_buffer+0x4/0x30 serdev_device_write_flush+0x24/0x34 qca_serdev_shutdown+0x80/0x130 [hci_uart] device_shutdown+0x15c/0x260 kernel_restart+0x48/0xac KASAN report: BUG: KASAN: use-after-free in tty_driver_flush_buffer+0x1c/0x50 Read of size 8 at addr ffff16270c2e0018 by task systemd-shutdow/1 CPU: 7 PID: 1 Comm: systemd-shutdow Not tainted 6.1.0-next-20221220-00014-gb85aaf97fb01-dirty #28 Hardware name: Qualcomm Technologies, Inc. Robotics RB5 (DT) Call trace: dump_backtrace.part.0+0xdc/0xf0 show_stack+0x18/0x30 dump_stack_lvl+0x68/0x84 print_report+0x188/0x488 kasan_report+0xa4/0xf0 __asan_load8+0x80/0xac tty_driver_flush_buffer+0x1c/0x50 ttyport_write_flush+0x34/0x44 serdev_device_write_flush+0x48/0x60 qca_serdev_shutdown+0x124/0x274 device_shutdown+0x1e8/0x350 kernel_restart+0x48/0xb0 __do_sys_reboot+0x244/0x2d0 __arm64_sys_reboot+0x54/0x70 invoke_syscall+0x60/0x190 el0_svc_common.constprop.0+0x7c/0x160 do_el0_svc+0x44/0xf0 el0_svc+0x2c/0x6c el0t_64_sync_handler+0xbc/0x140 el0t_64_sync+0x190/0x194
2024-08-21
not yet calculated



 
Linux--Linux

 
In the Linux kernel, the following vulnerability has been resolved: efi: fix NULL-deref in init error path In cases where runtime services are not supported or have been disabled, the runtime services workqueue will never have been allocated. Do not try to destroy the workqueue unconditionally in the unlikely event that EFI initialisation fails to avoid dereferencing a NULL pointer.
2024-08-21
not yet calculated





 
Linux--Linux

 
In the Linux kernel, the following vulnerability has been resolved: platform/surface: aggregator: Add missing call to ssam_request_sync_free() Although rare, ssam_request_sync_init() can fail. In that case, the request should be freed via ssam_request_sync_free(). Currently it is leaked instead. Fix this.
2024-08-21
not yet calculated


 
Linux--Linux

 
In the Linux kernel, the following vulnerability has been resolved: platform/x86/amd: Fix refcount leak in amd_pmc_probe pci_get_domain_bus_and_slot() takes reference, the caller should release the reference by calling pci_dev_put() after use. Call pci_dev_put() in the error path to fix this.
2024-08-21
not yet calculated

 
Linux--Linux

 
In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix macsec possible null dereference when updating MAC security entity (SecY) Upon updating MAC security entity (SecY) in hw offload path, the macsec security association (SA) initialization routine is called. In case of extended packet number (epn) is enabled the salt and ssci attributes are retrieved using the MACsec driver rx_sa context which is unavailable when updating a SecY property such as encoding-sa hence the null dereference. Fix by using the provided SA to set those attributes.
2024-08-21
not yet calculated

 
Linux--Linux
 
In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: IPoIB, Block PKEY interfaces with less rx queues than parent A user is able to configure an arbitrary number of rx queues when creating an interface via netlink. This doesn't work for child PKEY interfaces because the child interface uses the parent receive channels. Although the child shares the parent's receive channels, the number of rx queues is important for the channel_stats array: the parent's rx channel index is used to access the child's channel_stats. So the array has to be at least as large as the parent's rx queue size for the counting to work correctly and to prevent out of bound accesses. This patch checks for the mentioned scenario and returns an error when trying to create the interface. The error is propagated to the user.
2024-08-21
not yet calculated

 
Linux--Linux

 
In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix command stats access after free Command may fail while driver is reloading and can't accept FW commands till command interface is reinitialized. Such command failure is being logged to command stats. This results in NULL pointer access as command stats structure is being freed and reallocated during mlx5 devlink reload (see kernel log below). Fix it by making command stats statically allocated on driver probe. Kernel log: [ 2394.808802] BUG: unable to handle kernel paging request at 000000000002a9c0 [ 2394.810610] PGD 0 P4D 0 [ 2394.811811] Oops: 0002 [#1] SMP NOPTI ... [ 2394.815482] RIP: 0010:native_queued_spin_lock_slowpath+0x183/0x1d0 ... [ 2394.829505] Call Trace: [ 2394.830667] _raw_spin_lock_irq+0x23/0x26 [ 2394.831858] cmd_status_err+0x55/0x110 [mlx5_core] [ 2394.833020] mlx5_access_reg+0xe7/0x150 [mlx5_core] [ 2394.834175] mlx5_query_port_ptys+0x78/0xa0 [mlx5_core] [ 2394.835337] mlx5e_ethtool_get_link_ksettings+0x74/0x590 [mlx5_core] [ 2394.836454] ? kmem_cache_alloc_trace+0x140/0x1c0 [ 2394.837562] __rh_call_get_link_ksettings+0x33/0x100 [ 2394.838663] ? __rtnl_unlock+0x25/0x50 [ 2394.839755] __ethtool_get_link_ksettings+0x72/0x150 [ 2394.840862] duplex_show+0x6e/0xc0 [ 2394.841963] dev_attr_show+0x1c/0x40 [ 2394.843048] sysfs_kf_seq_show+0x9b/0x100 [ 2394.844123] seq_read+0x153/0x410 [ 2394.845187] vfs_read+0x91/0x140 [ 2394.846226] ksys_read+0x4f/0xb0 [ 2394.847234] do_syscall_64+0x5b/0x1a0 [ 2394.848228] entry_SYSCALL_64_after_hwframe+0x65/0xca
2024-08-21
not yet calculated

 
Linux--Linux

 
In the Linux kernel, the following vulnerability has been resolved: ice: Fix potential memory leak in ice_gnss_tty_write() The ice_gnss_tty_write() returns directly if the write_buf alloc failed, leaking the cmd_buf. Fix by freeing cmd_buf if write_buf alloc failed.
2024-08-21
not yet calculated

 
Linux--Linux

 
In the Linux kernel, the following vulnerability has been resolved: ice: Add check for kzalloc Add the check for the return value of kzalloc in order to avoid NULL pointer dereference. Moreover, use the goto-label to share the clean code.
2024-08-21
not yet calculated

 
Linux--Linux

 
In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Remove rcu locks from user resources User resource lookups used rcu to avoid two extra atomics. Unfortunately the rcu paths were buggy and it was easy to make the driver crash by submitting command buffers from two different threads. Because the lookups never show up in performance profiles replace them with a regular spin lock which fixes the races in accesses to those shared resources. Fixes kernel oops'es in IGT's vmwgfx execution_buffer stress test and seen crashes with apps using shared resources.
2024-08-21
not yet calculated

 
Linux--Linux

 
In the Linux kernel, the following vulnerability has been resolved: drm/msm/dpu: Fix memory leak in msm_mdss_parse_data_bus_icc_path of_icc_get() allocates resources for path1; we should release them when no longer needed. Early return when IS_ERR_OR_NULL(path0) may leak path1. Defer getting path1 to fix this. Patchwork: https://patchwork.freedesktop.org/patch/514264/
2024-08-21
not yet calculated

 
Linux--Linux

 
In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: sof-nau8825: fix module alias overflow The maximum name length for a platform_device_id entry is 20 characters including the trailing NUL byte. The sof_nau8825.c file exceeds that, which causes an obscure error message: sound/soc/intel/boards/snd-soc-sof_nau8825.mod.c:35:45: error: illegal character encoding in string literal [-Werror,-Winvalid-source-encoding] MODULE_ALIAS("platform:adl_max98373_nau8825<U+0018><AA>"); ^~~~ include/linux/module.h:168:49: note: expanded from macro 'MODULE_ALIAS' ^~~~~~ include/linux/module.h:165:56: note: expanded from macro 'MODULE_INFO' ^~~~ include/linux/moduleparam.h:26:47: note: expanded from macro '__MODULE_INFO' = __MODULE_INFO_PREFIX __stringify(tag) "=" info I could not figure out how to make the module handling robust enough to handle this better, but as a quick fix, using slightly shorter names that are still unique avoids the build issue.
2024-08-21
not yet calculated

 
Linux--Linux

 
In the Linux kernel, the following vulnerability has been resolved: scsi: storvsc: Fix swiotlb bounce buffer leak in confidential VM storvsc_queuecommand() maps the scatter/gather list using scsi_dma_map(), which in a confidential VM allocates swiotlb bounce buffers. If the I/O submission fails in storvsc_do_io(), the I/O is typically retried by higher level code, but the bounce buffer memory is never freed. The most likely cause of I/O submission failure is a full VMBus channel ring buffer, which is not uncommon under high I/O loads. Eventually enough bounce buffer memory leaks that the confidential VM can't do any I/O. The same problem can arise in a non-confidential VM with kernel boot parameter swiotlb=force. Fix this by doing scsi_dma_unmap() in the case of an I/O submission error, which frees the bounce buffer memory.
2024-08-21
not yet calculated

 
Linux--Linux

 
In the Linux kernel, the following vulnerability has been resolved: regulator: da9211: Use irq handler when ready If the system does not come from reset (like when it is kexec()), the regulator might have an IRQ waiting for us. If we enable the IRQ handler before its structures are ready, we crash. This patch fixes: [ 1.141839] Unable to handle kernel read from unreadable memory at virtual address 0000000000000078 [ 1.316096] Call trace: [ 1.316101] blocking_notifier_call_chain+0x20/0xa8 [ 1.322757] cpu cpu0: dummy supplies not allowed for exclusive requests [ 1.327823] regulator_notifier_call_chain+0x1c/0x2c [ 1.327825] da9211_irq_handler+0x68/0xf8 [ 1.327829] irq_thread+0x11c/0x234 [ 1.327833] kthread+0x13c/0x154
2024-08-21
not yet calculated






 
Linux--Linux

 
In the Linux kernel, the following vulnerability has been resolved: sched/core: Fix use-after-free bug in dup_user_cpus_ptr() Since commit 07ec77a1d4e8 ("sched: Allow task CPU affinity to be restricted on asymmetric systems"), the setting and clearing of user_cpus_ptr are done under pi_lock for arm64 architecture. However, dup_user_cpus_ptr() accesses user_cpus_ptr without any lock protection. Since sched_setaffinity() can be invoked from another process, the process being modified may be undergoing fork() at the same time. When racing with the clearing of user_cpus_ptr in __set_cpus_allowed_ptr_locked(), it can lead to use-after-free and possibly double-free in arm64 kernel. Commit 8f9ea86fdf99 ("sched: Always preserve the user requested cpumask") fixes this problem as user_cpus_ptr, once set, will never be cleared in a task's lifetime. However, this bug was re-introduced in commit 851a723e45d1 ("sched: Always clear user_cpus_ptr in do_set_cpus_allowed()") which allows the clearing of user_cpus_ptr in do_set_cpus_allowed(). This time, it will affect all arches. Fix this bug by always clearing the user_cpus_ptr of the newly cloned/forked task before the copying process starts and check the user_cpus_ptr state of the source task under pi_lock. Note to stable, this patch won't be applicable to stable releases. Just copy the new dup_user_cpus_ptr() function over.
2024-08-21
not yet calculated


 
Linux--Linux

 
In the Linux kernel, the following vulnerability has been resolved: drm/i915/gt: Cleanup partial engine discovery failures If we abort driver initialisation in the middle of gt/engine discovery, some engines will be fully setup and some not. Those incompletely setup engines only have 'engine->release == NULL' and so will leak any of the common objects allocated. v2: - Drop the destroy_pinned_context() helper for now. It's not really worth it with just a single callsite at the moment. (Janusz)
2024-08-21
not yet calculated

 
Linux--Linux

 
In the Linux kernel, the following vulnerability has been resolved: iommu/arm-smmu-v3: Don't unregister on shutdown Similar to SMMUv2, this driver calls iommu_device_unregister() from the shutdown path, which removes the IOMMU groups with no coordination whatsoever with their users - shutdown methods are optional in device drivers. This can lead to NULL pointer dereferences in those drivers' DMA API calls, or worse. Instead of calling the full arm_smmu_device_remove() from arm_smmu_device_shutdown(), let's pick only the relevant function call - arm_smmu_device_disable() - more or less the reverse of arm_smmu_device_reset() - and call just that from the shutdown path.
2024-08-21
not yet calculated

 
Linux--Linux

 
In the Linux kernel, the following vulnerability has been resolved: iommu/arm-smmu: Don't unregister on shutdown Michael Walle says he noticed the following stack trace while performing a shutdown with "reboot -f". He suggests he got "lucky" and just hit the correct spot for the reboot while there was a packet transmission in flight. Unable to handle kernel NULL pointer dereference at virtual address 0000000000000098 CPU: 0 PID: 23 Comm: kworker/0:1 Not tainted 6.1.0-rc5-00088-gf3600ff8e322 #1930 Hardware name: Kontron KBox A-230-LS (DT) pc : iommu_get_dma_domain+0x14/0x20 lr : iommu_dma_map_page+0x9c/0x254 Call trace: iommu_get_dma_domain+0x14/0x20 dma_map_page_attrs+0x1ec/0x250 enetc_start_xmit+0x14c/0x10b0 enetc_xmit+0x60/0xdc dev_hard_start_xmit+0xb8/0x210 sch_direct_xmit+0x11c/0x420 __dev_queue_xmit+0x354/0xb20 ip6_finish_output2+0x280/0x5b0 __ip6_finish_output+0x15c/0x270 ip6_output+0x78/0x15c NF_HOOK.constprop.0+0x50/0xd0 mld_sendpack+0x1bc/0x320 mld_ifc_work+0x1d8/0x4dc process_one_work+0x1e8/0x460 worker_thread+0x178/0x534 kthread+0xe0/0xe4 ret_from_fork+0x10/0x20 Code: d503201f f9416800 d503233f d50323bf (f9404c00) ---[ end trace 0000000000000000 ]--- Kernel panic - not syncing: Oops: Fatal exception in interrupt This appears to be reproducible when the board has a fixed IP address, is ping flooded from another host, and "reboot -f" is used. 
The following is one more manifestation of the issue: $ reboot -f kvm: exiting hardware virtualization cfg80211: failed to load regulatory.db arm-smmu 5000000.iommu: disabling translation sdhci-esdhc 2140000.mmc: Removing from iommu group 11 sdhci-esdhc 2150000.mmc: Removing from iommu group 12 fsl-edma 22c0000.dma-controller: Removing from iommu group 17 dwc3 3100000.usb: Removing from iommu group 9 dwc3 3110000.usb: Removing from iommu group 10 ahci-qoriq 3200000.sata: Removing from iommu group 2 fsl-qdma 8380000.dma-controller: Removing from iommu group 20 platform f080000.display: Removing from iommu group 0 etnaviv-gpu f0c0000.gpu: Removing from iommu group 1 etnaviv etnaviv: Removing from iommu group 1 caam_jr 8010000.jr: Removing from iommu group 13 caam_jr 8020000.jr: Removing from iommu group 14 caam_jr 8030000.jr: Removing from iommu group 15 caam_jr 8040000.jr: Removing from iommu group 16 fsl_enetc 0000:00:00.0: Removing from iommu group 4 arm-smmu 5000000.iommu: Blocked unknown Stream ID 0x429; boot with "arm-smmu.disable_bypass=0" to allow, but this may have security implications arm-smmu 5000000.iommu: GFSR 0x80000002, GFSYNR0 0x00000002, GFSYNR1 0x00000429, GFSYNR2 0x00000000 fsl_enetc 0000:00:00.1: Removing from iommu group 5 arm-smmu 5000000.iommu: Blocked unknown Stream ID 0x429; boot with "arm-smmu.disable_bypass=0" to allow, but this may have security implications arm-smmu 5000000.iommu: GFSR 0x80000002, GFSYNR0 0x00000002, GFSYNR1 0x00000429, GFSYNR2 0x00000000 arm-smmu 5000000.iommu: Blocked unknown Stream ID 0x429; boot with "arm-smmu.disable_bypass=0" to allow, but this may have security implications arm-smmu 5000000.iommu: GFSR 0x80000002, GFSYNR0 0x00000000, GFSYNR1 0x00000429, GFSYNR2 0x00000000 fsl_enetc 0000:00:00.2: Removing from iommu group 6 fsl_enetc_mdio 0000:00:00.3: Removing from iommu group 8 mscc_felix 0000:00:00.5: Removing from iommu group 3 fsl_enetc 0000:00:00.6: Removing from iommu group 7 pcieport 0001:00:00.0: Removing 
from iommu group 18 arm-smmu 5000000.iommu: Blocked unknown Stream ID 0x429; boot with "arm-smmu.disable_bypass=0" to allow, but this may have security implications arm-smmu 5000000.iommu: GFSR 0x00000002, GFSYNR0 0x00000000, GFSYNR1 0x00000429, GFSYNR2 0x00000000 pcieport 0002:00:00.0: Removing from iommu group 19 Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a8 pc : iommu_get_dma_domain+0x14/0x20 lr : iommu_dma_unmap_page+0x38/0xe0 Call trace: iommu_get_dma_domain+0x14/0x20 dma_unmap_page_attrs+0x38/0x1d0 en ---truncated---
2024-08-21
not yet calculated

 
Linux--Linux

 
In the Linux kernel, the following vulnerability has been resolved: ixgbe: fix pci device refcount leak As the comment of pci_get_domain_bus_and_slot() says, it returns a PCI device with refcount incremented; when finished using it, the caller must decrement the reference count by calling pci_dev_put(). In ixgbe_get_first_secondary_devfn() and ixgbe_x550em_a_has_mii(), pci_dev_put() is called to avoid leak.
2024-08-21
not yet calculated




 
Linux--Linux

 
In the Linux kernel, the following vulnerability has been resolved: arm64/mm: fix incorrect file_map_count for invalid pmd The page table check triggers BUG_ON() unexpectedly when splitting a hugepage: ------------[ cut here ]------------ kernel BUG at mm/page_table_check.c:119! Internal error: Oops - BUG: 00000000f2000800 [#1] SMP Dumping ftrace buffer: (ftrace buffer empty) Modules linked in: CPU: 7 PID: 210 Comm: transhuge-stres Not tainted 6.1.0-rc3+ #748 Hardware name: linux,dummy-virt (DT) pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : page_table_check_set.isra.0+0x398/0x468 lr : page_table_check_set.isra.0+0x1c0/0x468 [...] Call trace: page_table_check_set.isra.0+0x398/0x468 __page_table_check_pte_set+0x160/0x1c0 __split_huge_pmd_locked+0x900/0x1648 __split_huge_pmd+0x28c/0x3b8 unmap_page_range+0x428/0x858 unmap_single_vma+0xf4/0x1c8 zap_page_range+0x2b0/0x410 madvise_vma_behavior+0xc44/0xe78 do_madvise+0x280/0x698 __arm64_sys_madvise+0x90/0xe8 invoke_syscall.constprop.0+0xdc/0x1d8 do_el0_svc+0xf4/0x3f8 el0_svc+0x58/0x120 el0t_64_sync_handler+0xb8/0xc0 el0t_64_sync+0x19c/0x1a0 [...] On arm64, pmd_leaf() will return true even if the pmd is invalid due to pmd_present_invalid() check. So in pmdp_invalidate() the file_map_count will not only decrease once but also increase once. Then in set_pte_at(), the file_map_count increases again, and so triggers BUG_ON() unexpectedly. Add !pmd_present_invalid() check in pmd_user_accessible_page() to fix the problem.
2024-08-21
not yet calculated

 
Linux--Linux

 
In the Linux kernel, the following vulnerability has been resolved: drm/msm/dp: do not complete dp_aux_cmd_fifo_tx() if irq is not for aux transfer There are 3 possible interrupt sources handled by the DP controller: HPD status, controller state changes and Aux read/write transaction. At every irq, the DP controller has to check the isr status of every interrupt source and service the interrupt if its isr status bits show that interrupts are pending. There is a potential race condition in the current aux isr handler implementation, since it always completes dp_aux_cmd_fifo_tx() even if the irq is not for an aux read or write transaction. This may cause an aux read transaction to return prematurely if the host aux data read is in the middle of waiting for the sink to complete transferring data to the host when the irq happens. This will cause the host's receiving buffer to contain unexpected data. This patch fixes this problem by checking the aux isr and returning immediately from the aux isr handler if no isr status bits are set. Currently there is a bug report regarding eDP edid corruption during system boot. After lengthy debugging, it was found that the VIDEO_READY interrupt was continuously firing during system boot, which caused dp_aux_isr() to complete dp_aux_cmd_fifo_tx() prematurely and retrieve data from the aux hardware buffer before it contained the complete data transfer from the sink. This causes edid corruption.
The following is the signature in the kernel logs when the problem happens: EDID has corrupt header panel-simple-dp-aux aux-aea0000.edp: Couldn't identify panel via EDID Changes in v2: -- do complete if (ret == IRQ_HANDLED) at dp-aux_isr() -- add more commit text Changes in v3: -- add Stephen suggested -- dp_aux_isr() return IRQ_XXX back to caller -- dp_ctrl_isr() return IRQ_XXX back to caller Changes in v4: -- split into two patches Changes in v5: -- delete empty line between tags Changes in v6: -- remove extra "that" and fixed line more than 75 char at commit text Patchwork: https://patchwork.freedesktop.org/patch/516121/
2024-08-21
not yet calculated



 
Linux--Linux

 
In the Linux kernel, the following vulnerability has been resolved: drm/virtio: Fix GEM handle creation UAF Userspace can guess the handle value and try to race GEM object creation with handle close, resulting in a use-after-free if we dereference the object after dropping the handle's reference. For that reason, dropping the handle's reference must be done *after* we are done dereferencing the object.
2024-08-21
not yet calculated





 
Linux--Linux

 
In the Linux kernel, the following vulnerability has been resolved: btrfs: do not start relocation until in progress drops are done We hit a bug with a recovering relocation on mount for one of our file systems in production. I reproduced this locally by injecting errors into snapshot delete with balance running at the same time. This presented as an error while looking up an extent item WARNING: CPU: 5 PID: 1501 at fs/btrfs/extent-tree.c:866 lookup_inline_extent_backref+0x647/0x680 CPU: 5 PID: 1501 Comm: btrfs-balance Not tainted 5.16.0-rc8+ #8 RIP: 0010:lookup_inline_extent_backref+0x647/0x680 RSP: 0018:ffffae0a023ab960 EFLAGS: 00010202 RAX: 0000000000000001 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 000000000000000c RDI: 0000000000000000 RBP: ffff943fd2a39b60 R08: 0000000000000000 R09: 0000000000000001 R10: 0001434088152de0 R11: 0000000000000000 R12: 0000000001d05000 R13: ffff943fd2a39b60 R14: ffff943fdb96f2a0 R15: ffff9442fc923000 FS: 0000000000000000(0000) GS:ffff944e9eb40000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f1157b1fca8 CR3: 000000010f092000 CR4: 0000000000350ee0 Call Trace: <TASK> insert_inline_extent_backref+0x46/0xd0 __btrfs_inc_extent_ref.isra.0+0x5f/0x200 ? btrfs_merge_delayed_refs+0x164/0x190 __btrfs_run_delayed_refs+0x561/0xfa0 ? btrfs_search_slot+0x7b4/0xb30 ? btrfs_update_root+0x1a9/0x2c0 btrfs_run_delayed_refs+0x73/0x1f0 ? btrfs_update_root+0x1a9/0x2c0 btrfs_commit_transaction+0x50/0xa50 ? btrfs_update_reloc_root+0x122/0x220 prepare_to_merge+0x29f/0x320 relocate_block_group+0x2b8/0x550 btrfs_relocate_block_group+0x1a6/0x350 btrfs_relocate_chunk+0x27/0xe0 btrfs_balance+0x777/0xe60 balance_kthread+0x35/0x50 ? btrfs_balance+0xe60/0xe60 kthread+0x16b/0x190 ? set_kthread_struct+0x40/0x40 ret_from_fork+0x22/0x30 </TASK> Normally snapshot deletion and relocation are excluded from running at the same time by the fs_info->cleaner_mutex. 
However if we had a pending balance waiting to get the ->cleaner_mutex, and a snapshot deletion was running, and then the box crashed, we would come up in a state where we have a half deleted snapshot. Again, in the normal case the snapshot deletion needs to complete before relocation can start, but in this case relocation could very well start before the snapshot deletion completes, as we simply add the root to the dead roots list and wait for the next time the cleaner runs to clean up the snapshot. Fix this by setting a bit on the fs_info if we have any DEAD_ROOT's that had a pending drop_progress key. If they do then we know we were in the middle of the drop operation and set a flag on the fs_info. Then balance can wait until this flag is cleared to start up again. If there are DEAD_ROOT's that don't have a drop_progress set then we're safe to start balance right away as we'll be properly protected by the cleaner_mutex.
2024-08-22
not yet calculated


 
Linux--Linux

 
In the Linux kernel, the following vulnerability has been resolved: btrfs: do not WARN_ON() if we have PageError set Whenever we do any extent buffer operations we call assert_eb_page_uptodate() to complain loudly if we're operating on an non-uptodate page. Our overnight tests caught this warning earlier this week WARNING: CPU: 1 PID: 553508 at fs/btrfs/extent_io.c:6849 assert_eb_page_uptodate+0x3f/0x50 CPU: 1 PID: 553508 Comm: kworker/u4:13 Tainted: G W 5.17.0-rc3+ #564 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-2.fc32 04/01/2014 Workqueue: btrfs-cache btrfs_work_helper RIP: 0010:assert_eb_page_uptodate+0x3f/0x50 RSP: 0018:ffffa961440a7c68 EFLAGS: 00010246 RAX: 0017ffffc0002112 RBX: ffffe6e74453f9c0 RCX: 0000000000001000 RDX: ffffe6e74467c887 RSI: ffffe6e74453f9c0 RDI: ffff8d4c5efc2fc0 RBP: 0000000000000d56 R08: ffff8d4d4a224000 R09: 0000000000000000 R10: 00015817fa9d1ef0 R11: 000000000000000c R12: 00000000000007b1 R13: ffff8d4c5efc2fc0 R14: 0000000001500000 R15: 0000000001cb1000 FS: 0000000000000000(0000) GS:ffff8d4dbbd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ff31d3448d8 CR3: 0000000118be8004 CR4: 0000000000370ee0 Call Trace: extent_buffer_test_bit+0x3f/0x70 free_space_test_bit+0xa6/0xc0 load_free_space_tree+0x1f6/0x470 caching_thread+0x454/0x630 ? rcu_read_lock_sched_held+0x12/0x60 ? rcu_read_lock_sched_held+0x12/0x60 ? rcu_read_lock_sched_held+0x12/0x60 ? lock_release+0x1f0/0x2d0 btrfs_work_helper+0xf2/0x3e0 ? lock_release+0x1f0/0x2d0 ? finish_task_switch.isra.0+0xf9/0x3a0 process_one_work+0x26d/0x580 ? process_one_work+0x580/0x580 worker_thread+0x55/0x3b0 ? process_one_work+0x580/0x580 kthread+0xf0/0x120 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x1f/0x30 This was partially fixed by c2e39305299f01 ("btrfs: clear extent buffer uptodate when we fail to write it"), however all that fix did was keep us from finding extent buffers after a failed writeout. 
It didn't keep us from continuing to use a buffer that we already had found. In this case we're searching the commit root to cache the block group, so we can start committing the transaction and switch the commit root and then start writing. After the switch we can look up an extent buffer that hasn't been written yet and start processing that block group. Then we fail to write that block out and clear Uptodate on the page, and then we start spewing these errors. Normally we're protected by the tree lock to a certain degree here. If we read a block we have that block read locked, and we block the writer from locking the block before we submit it for the write. However this isn't necessarily fool proof because the read could happen before we do the submit_bio and after we locked and unlocked the extent buffer. Also in this particular case we have path->skip_locking set, so that won't save us here. We'll simply get a block that was valid when we read it, but became invalid while we were using it. What we really want is to catch the case where we've "read" a block but it's not marked Uptodate. On read we ClearPageError(), so if we're !Uptodate and !Error we know we didn't do the right thing for reading the page. Fix this by checking !Uptodate && !Error, this way we will not complain if our buffer gets invalidated while we're using it, and we'll maintain the spirit of the check which is to make sure we have a fully in-cache block while we're messing with it.
2024-08-22
not yet calculated


 
Linux--Linux

 
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix relocation crash due to premature return from btrfs_commit_transaction() We are seeing crashes similar to the following trace: [38.969182] WARNING: CPU: 20 PID: 2105 at fs/btrfs/relocation.c:4070 btrfs_relocate_block_group+0x2dc/0x340 [btrfs] [38.973556] CPU: 20 PID: 2105 Comm: btrfs Not tainted 5.17.0-rc4 #54 [38.974580] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014 [38.976539] RIP: 0010:btrfs_relocate_block_group+0x2dc/0x340 [btrfs] [38.980336] RSP: 0000:ffffb0dd42e03c20 EFLAGS: 00010206 [38.981218] RAX: ffff96cfc4ede800 RBX: ffff96cfc3ce0000 RCX: 000000000002ca14 [38.982560] RDX: 0000000000000000 RSI: 4cfd109a0bcb5d7f RDI: ffff96cfc3ce0360 [38.983619] RBP: ffff96cfc309c000 R08: 0000000000000000 R09: 0000000000000000 [38.984678] R10: ffff96cec0000001 R11: ffffe84c80000000 R12: ffff96cfc4ede800 [38.985735] R13: 0000000000000000 R14: 0000000000000000 R15: ffff96cfc3ce0360 [38.987146] FS: 00007f11c15218c0(0000) GS:ffff96d6dfb00000(0000) knlGS:0000000000000000 [38.988662] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [38.989398] CR2: 00007ffc922c8e60 CR3: 00000001147a6001 CR4: 0000000000370ee0 [38.990279] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [38.991219] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [38.992528] Call Trace: [38.992854] <TASK> [38.993148] btrfs_relocate_chunk+0x27/0xe0 [btrfs] [38.993941] btrfs_balance+0x78e/0xea0 [btrfs] [38.994801] ? vsnprintf+0x33c/0x520 [38.995368] ? __kmalloc_track_caller+0x351/0x440 [38.996198] btrfs_ioctl_balance+0x2b9/0x3a0 [btrfs] [38.997084] btrfs_ioctl+0x11b0/0x2da0 [btrfs] [38.997867] ? mod_objcg_state+0xee/0x340 [38.998552] ? seq_release+0x24/0x30 [38.999184] ? proc_nr_files+0x30/0x30 [38.999654] ? call_rcu+0xc8/0x2f0 [39.000228] ? __x64_sys_ioctl+0x84/0xc0 [39.000872] ? 
btrfs_ioctl_get_supported_features+0x30/0x30 [btrfs] [39.001973] __x64_sys_ioctl+0x84/0xc0 [39.002566] do_syscall_64+0x3a/0x80 [39.003011] entry_SYSCALL_64_after_hwframe+0x44/0xae [39.003735] RIP: 0033:0x7f11c166959b [39.007324] RSP: 002b:00007fff2543e998 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [39.008521] RAX: ffffffffffffffda RBX: 00007f11c1521698 RCX: 00007f11c166959b [39.009833] RDX: 00007fff2543ea40 RSI: 00000000c4009420 RDI: 0000000000000003 [39.011270] RBP: 0000000000000003 R08: 0000000000000013 R09: 00007f11c16f94e0 [39.012581] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff25440df3 [39.014046] R13: 0000000000000000 R14: 00007fff2543ea40 R15: 0000000000000001 [39.015040] </TASK> [39.015418] ---[ end trace 0000000000000000 ]--- [43.131559] ------------[ cut here ]------------ [43.132234] kernel BUG at fs/btrfs/extent-tree.c:2717! [43.133031] invalid opcode: 0000 [#1] PREEMPT SMP PTI [43.133702] CPU: 1 PID: 1839 Comm: btrfs Tainted: G W 5.17.0-rc4 #54 [43.134863] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014 [43.136426] RIP: 0010:unpin_extent_range+0x37a/0x4f0 [btrfs] [43.139913] RSP: 0000:ffffb0dd4216bc70 EFLAGS: 00010246 [43.140629] RAX: 0000000000000000 RBX: ffff96cfc34490f8 RCX: 0000000000000001 [43.141604] RDX: 0000000080000001 RSI: 0000000051d00000 RDI: 00000000ffffffff [43.142645] RBP: 0000000000000000 R08: 0000000000000000 R09: ffff96cfd07dca50 [43.143669] R10: ffff96cfc46e8a00 R11: fffffffffffec000 R12: 0000000041d00000 [43.144657] R13: ffff96cfc3ce0000 R14: ffffb0dd4216bd08 R15: 0000000000000000 [43.145686] FS: 00007f7657dd68c0(0000) GS:ffff96d6df640000(0000) knlGS:0000000000000000 [43.146808] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [43.147584] CR2: 00007f7fe81bf5b0 CR3: 00000001093ee004 CR4: 0000000000370ee0 [43.148589] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [43.149581] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 00000000000 
---truncated---
2024-08-22
not yet calculated


 
Linux -- Linux

 
In the Linux kernel, the following vulnerability has been resolved:

iommu/amd: Fix I/O page table memory leak

The current logic updates the I/O page table mode for the domain before calling the logic to free memory used for the page table. This results in IOMMU page table memory leak, and can be observed when launching VM w/ pass-through devices.

Fix by freeing the memory used for page table before updating the mode.
2024-08-22
not yet calculated


 
Linux -- Linux

 
In the Linux kernel, the following vulnerability has been resolved:

ibmvnic: free reset-work-item when flushing

Fix a tiny memory leak when flushing the reset work queue.
2024-08-22
not yet calculated





 
Linux -- Linux

 
In the Linux kernel, the following vulnerability has been resolved:

mptcp: Correctly set DATA_FIN timeout when number of retransmits is large

Syzkaller with UBSAN uncovered a scenario where a large number of DATA_FIN retransmits caused a shift-out-of-bounds in the DATA_FIN timeout calculation:

    UBSAN: shift-out-of-bounds in net/mptcp/protocol.c:470:29
    shift exponent 32 is too large for 32-bit type 'unsigned int'

This change limits the maximum timeout by limiting the size of the shift, which keeps all intermediate values in-bounds.
2024-08-22
not yet calculated


 
Linux -- Linux

 
In the Linux kernel, the following vulnerability has been resolved:

auxdisplay: lcd2s: Fix memory leak in ->remove()

Once allocated the struct lcd2s_data is never freed. Fix the memory leak by switching to devm_kzalloc().
2024-08-22
not yet calculated


 
Linux -- Linux

 
In the Linux kernel, the following vulnerability has been resolved:

net: arcnet: com20020: Fix null-ptr-deref in com20020pci_probe()

During driver initialization, the pointer of card info, i.e. the variable 'ci' is required. However, the definition of 'com20020pci_id_table' reveals that this field is empty for some devices, which will cause null pointer dereference when initializing these devices.

The following log reveals it:

    [ 3.973806] KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
    [ 3.973819] RIP: 0010:com20020pci_probe+0x18d/0x13e0 [com20020_pci]
    [ 3.975181] Call Trace:
    [ 3.976208] local_pci_probe+0x13f/0x210
    [ 3.977248] pci_device_probe+0x34c/0x6d0
    [ 3.977255] ? pci_uevent+0x470/0x470
    [ 3.978265] really_probe+0x24c/0x8d0
    [ 3.978273] __driver_probe_device+0x1b3/0x280
    [ 3.979288] driver_probe_device+0x50/0x370

Fix this by checking whether the 'ci' is a null pointer first.
2024-08-22
not yet calculated







 
Linux -- Linux

 
In the Linux kernel, the following vulnerability has been resolved:

net/smc: fix connection leak

There's a potential leak issue under following execution sequence :

    smc_release                         smc_connect_work
    if (sk->sk_state == SMC_INIT)
                                        send_clc_confirim
        tcp_abort();
                                        ...
                                        sk.sk_state = SMC_ACTIVE
    smc_close_active
    switch(sk->sk_state) {
    ...
    case SMC_ACTIVE:
        smc_close_final()
        // then wait peer closed

Unfortunately, tcp_abort() may discard CLC CONFIRM messages that are still in the tcp send buffer, in which case our connection token cannot be delivered to the server side, which means that we cannot get a passive close message at all. Therefore, it is impossible for the to be disconnected at all.

This patch tries a very simple way to avoid this issue, once the state has changed to SMC_ACTIVE after tcp_abort(), we can actively abort the smc connection, considering that the state is SMC_INIT before tcp_abort(), abandoning the complete disconnection process should not cause too much problem.

In fact, this problem may exist as long as the CLC CONFIRM message is not received by the server. Whether a timer should be added after smc_close_final() needs to be discussed in the future. But even so, this patch provides a faster release for connection in above case, it should also be valuable.
2024-08-22
not yet calculated



 
Linux -- Linux

 
In the Linux kernel, the following vulnerability has been resolved:

net: ipv6: ensure we call ipv6_mc_down() at most once

There are two reasons for addrconf_notify() to be called with NETDEV_DOWN: either the network device is actually going down, or IPv6 was disabled on the interface.

If either of them stays down while the other is toggled, we repeatedly call the code for NETDEV_DOWN, including ipv6_mc_down(), while never calling the corresponding ipv6_mc_up() in between. This will cause a new entry in idev->mc_tomb to be allocated for each multicast group the interface is subscribed to, which in turn leaks one struct ifmcaddr6 per nontrivial multicast group the interface is subscribed to.

The following reproducer will leak at least $n objects:

    ip addr add ff2e::4242/32 dev eth0 autojoin
    sysctl -w net.ipv6.conf.eth0.disable_ipv6=1
    for i in $(seq 1 $n); do
        ip link set up eth0; ip link set down eth0
    done

Joining groups with IPV6_ADD_MEMBERSHIP (unprivileged) or setting the sysctl net.ipv6.conf.eth0.forwarding to 1 (=> subscribing to ff02::2) can also be used to create a nontrivial idev->mc_list, which will then leak objects with the right up-down-sequence.

Based on both sources for NETDEV_DOWN events the interface IPv6 state should be considered:

- not ready if the network interface is not ready OR IPv6 is disabled for it
- ready if the network interface is ready AND IPv6 is enabled for it

The functions ipv6_mc_up() and ipv6_down() should only be run when this state changes.

Implement this by remembering when the IPv6 state is ready, and only run ipv6_mc_down() if it actually changed from ready to not ready.

The other direction (not ready -> ready) already works correctly, as:

- the interface notification triggered codepath for NETDEV_UP / NETDEV_CHANGE returns early if ipv6 is disabled, and
- the disable_ipv6=0 triggered codepath skips fully initializing the interface as long as addrconf_link_ready(dev) returns false
- calling ipv6_mc_up() repeatedly does not leak anything
2024-08-22
not yet calculated






 
Linux -- Linux

 
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_queue: fix possible use-after-free

Eric Dumazet says: The sock_hold() side seems suspect, because there is no guarantee that sk_refcnt is not already 0.

On failure, we cannot queue the packet and need to indicate an error. The packet will be dropped by the caller.

v2: split skb prefetch hunk into separate change
2024-08-22
not yet calculated







 
Linux -- Linux

 
In the Linux kernel, the following vulnerability has been resolved:

netfilter: fix use-after-free in __nf_register_net_hook()

We must not dereference @new_hooks after nf_hook_mutex has been released, because other threads might have freed our allocated hooks already.

    BUG: KASAN: use-after-free in nf_hook_entries_get_hook_ops include/linux/netfilter.h:130 [inline]
    BUG: KASAN: use-after-free in hooks_validate net/netfilter/core.c:171 [inline]
    BUG: KASAN: use-after-free in __nf_register_net_hook+0x77a/0x820 net/netfilter/core.c:438
    Read of size 2 at addr ffff88801c1a8000 by task syz-executor237/4430

---truncated---
2024-08-22
not yet calculated






 
Linux -- Linux

 
In the Linux kernel, the following vulnerability has been resolved:

blktrace: fix use after free for struct blk_trace

When tracing the whole disk, 'dropped' and 'msg' will be created under 'q->debugfs_dir' and 'bt->dir' is NULL, thus blk_trace_free() won't remove those files. What's worse, the following UAF can be triggered because of accessing stale 'dropped' and 'msg':

    BUG: KASAN: use-after-free in blk_dropped_read+0x89/0x100
    Read of size 4 at addr ffff88816912f3d8 by task blktrace/1188
2024-08-22
not yet calculated


 
Linux -- Linux

 
In the Linux kernel, the following vulnerability has been resolved:

xen/netfront: destroy queues before real_num_tx_queues is zeroed

xennet_destroy_queues() relies on info->netdev->real_num_tx_queues to delete queues. Since d7dac083414eb5bb99a6d2ed53dc2c1b405224e5 ("net-sysfs: update the queue counts in the unregistration path"), unregister_netdev() indirectly sets real_num_tx_queues to 0. Those two facts together mean that xennet_destroy_queues() called from xennet_remove() cannot do its job, because it's called after unregister_netdev(). This results in kfree-ing queues that are still linked in napi, which ultimately crashes:

    BUG: kernel NULL pointer dereference, address: 0000000000000000
    #PF: supervisor read access in kernel mode
    #PF: error_code(0x0000) - not-present page
    RIP: 0010:free_netdev+0xa3/0x1a0

Fix this by calling xennet_destroy_queues() from xennet_uninit(), when real_num_tx_queues is still available. This ensures that queues are destroyed when real_num_tx_queues is set to 0, regardless of how unregister_netdev() was called.

Originally reported at https://github.com/QubesOS/qubes-issues/issues/7257
2024-08-22
not yet calculated





 
Linux -- Linux

 
In the Linux kernel, the following vulnerability has been resolved:

thermal: core: Fix TZ_GET_TRIP NULL pointer dereference

Do not call get_trip_hyst() from thermal_genl_cmd_tz_get_trip() if the thermal zone does not define one.
2024-08-22
not yet calculated



 
Linux -- Linux

 
In the Linux kernel, the following vulnerability has been resolved:

iommu/vt-d: Fix double list_add when enabling VMD in scalable mode

When enabling VMD and IOMMU scalable mode, the following kernel panic call trace/kernel log is shown in Eagle Stream platform (Sapphire Rapids CPU) during booting:

    pci 0000:59:00.5: Adding to iommu group 42
    ...
    vmd 0000:59:00.5: PCI host bridge to bus 10000:80
    pci 10000:80:01.0: [8086:352a] type 01 class 0x060400
    pci 10000:80:01.0: reg 0x10: [mem 0x00000000-0x0001ffff 64bit]
    pci 10000:80:01.0: enabling Extended Tags
    pci 10000:80:01.0: PME# supported from D0 D3hot D3cold
    pci 10000:80:01.0: DMAR: Setup RID2PASID failed
    pci 10000:80:01.0: Failed to add to iommu group 42: -16
    pci 10000:80:03.0: [8086:352b] type 01 class 0x060400
    pci 10000:80:03.0: reg 0x10: [mem 0x00000000-0x0001ffff 64bit]
    pci 10000:80:03.0: enabling Extended Tags
    pci 10000:80:03.0: PME# supported from D0 D3hot D3cold
    ------------[ cut here ]------------
    kernel BUG at lib/list_debug.c:29!
    invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
    RIP: 0010:__list_add_valid.cold+0x26/0x3f
    ...
    Kernel panic - not syncing: Fatal exception

The following 'lspci' output shows devices '10000:80:*' are subdevices of the VMD device 0000:59:00.5:

    $ lspci
    ...
    0000:59:00.5 RAID bus controller: Intel Corporation Volume Management Device NVMe RAID Controller (rev 20)
    ...
    10000:80:01.0 PCI bridge: Intel Corporation Device 352a (rev 03)
    10000:80:03.0 PCI bridge: Intel Corporation Device 352b (rev 03)
    10000:80:05.0 PCI bridge: Intel Corporation Device 352c (rev 03)
    10000:80:07.0 PCI bridge: Intel Corporation Device 352d (rev 03)
    10000:81:00.0 Non-Volatile memory controller: Intel Corporation NVMe Datacenter SSD [3DNAND, Beta Rock Controller]
    10000:82:00

---truncated---
2024-08-22
not yet calculated


 
Linux -- Linux

 
In the Linux kernel, the following vulnerability has been resolved:

ASoC: ops: Shift tested values in snd_soc_put_volsw() by +min

While the $val/$val2 values passed in from userspace are always >= 0 integers, the limits of the control can be signed integers and the $min can be non-zero and less than zero. To correctly validate $val/$val2 against platform_max, add the $min offset to val first.
2024-08-22
not yet calculated







 
Linux -- Linux

 
In the Linux kernel, the following vulnerability has been resolved:

iwlwifi: mvm: check debugfs_dir ptr before use

When "debugfs=off" is used on the kernel command line, iwlwifi's mvm module uses an invalid/unchecked debugfs_dir pointer and causes a BUG:

    BUG: kernel NULL pointer dereference, address: 000000000000004f
    #PF: supervisor read access in kernel mode
    #PF: error_code(0x0000) - not-present page
    RIP: 0010:iwl_mvm_dbgfs_register+0x692/0x700 [iwlmvm]

Check the debugfs_dir pointer for an error before using it.

[change to make both conditional]
2024-08-22
not yet calculated


 
Linux -- Linux

 
In the Linux kernel, the following vulnerability has been resolved:

cifs: fix double free race when mount fails in cifs_get_root()

When cifs_get_root() fails during cifs_smb3_do_mount() we call deactivate_locked_super() which eventually will call delayed_free() which will free the context. In this situation we should not proceed to enter the out: section in cifs_smb3_do_mount() and free the same resources a second time.

    [Thu Feb 10 12:59:06 2022] BUG: KASAN: use-after-free in rcu_cblist_dequeue+0x32/0x60
    [Thu Feb 10 12:59:06 2022] Read of size 8 at addr ffff888364f4d110 by task swapper/1/0
2024-08-22
not yet calculated







 
Linux -- Linux

 
In the Linux kernel, the following vulnerability has been resolved:

btrfs: get rid of warning on transaction commit when using flushoncommit

When using the flushoncommit mount option, during almost every transaction commit we trigger a warning from __writeback_inodes_sb_nr():

    $ cat fs/fs-writeback.c:
    (...)
    static void __writeback_inodes_sb_nr(struct super_block *sb, ...
    {
    (...)
        WARN_ON(!rwsem_is_locked(&sb->s_umount));
    (...)
    }
    (...)

The trace produced in dmesg looks like the following:

    [947.473890] WARNING: CPU: 5 PID: 930 at fs/fs-writeback.c:2610 __writeback_inodes_sb_nr+0x7e/0xb3

This is because we started using writeback_inodes_sb() to flush delalloc when committing a transaction (when using -o flushoncommit), in order to avoid deadlocks with filesystem freeze operations. This change was made by commit ce8ea7cc6eb313 ("btrfs: don't call btrfs_start_delalloc_roots in flushoncommit"). After that change we started producing that warning, and every now and then a user reports this since the warning happens too often, it spams dmesg/syslog, and a user is unsure if this reflects any problem that might compromise the filesystem's reliability.

We can not just lock the sb->s_umount semaphore before calling writeback_inodes_sb(), because that would at least deadlock with filesystem freezing, since at fs/super.c:freeze_super() sync_filesystem() is called while we are holding that semaphore in write mode, and that can trigger a transaction commit, resulting in a deadlock. It would also trigger the same type of deadlock in the unmount path. Possibly, it could also introduce some other locking dependencies that lockdep would report.

To fix this call try_to_writeback_inodes_sb() instead of writeback_inodes_sb(), because that will try to read lock sb->s_umount and then will only call writeback_inodes_sb() if it was able to lock it. This is fine because the cases where it can't read lock sb->s_umount are during a filesystem unmount or during a filesystem freeze - in those cases sb->s_umount is write locked and sync_filesystem() is called, which calls writeback_inodes_sb(). In other words, in all cases where we can't take a read lock on sb->s_umount, writeback is already being triggered elsewhere.

An alternative would be to call btrfs_start_delalloc_roots() with a number of pages different from LONG_MAX, for example matching the number of delalloc bytes we currently have, in ---truncated---
2024-08-22
not yet calculated


 
Linux -- Linux

 
In the Linux kernel, the following vulnerability has been resolved:

sched/fair: Fix fault in reweight_entity

Syzbot found a GPF in reweight_entity. This has been bisected to commit 4ef0c5c6b5ba ("kernel/sched: Fix sched_fork() access an invalid sched_task_group")

There is a race between sched_post_fork() and setpriority(PRIO_PGRP) within a thread group that causes a null-ptr-deref in reweight_entity() in CFS. The scenario is that the main process spawns a number of new threads, which then call setpriority(PRIO_PGRP, 0, -20), wait, and exit. For each of the new threads the copy_process() gets invoked, which adds the new task_struct and calls sched_post_fork() for it.

In the above scenario there is a possibility that setpriority(PRIO_PGRP) and set_one_prio() will be called for a thread in the group that is just being created by copy_process(), and for which the sched_post_fork() has not been executed yet. This will trigger a null pointer dereference in reweight_entity(), as it will try to access the run queue pointer, which hasn't been set.

Before the mentioned change the cfs_rq pointer for the task has been set in sched_fork(), which is called much earlier in copy_process(), before the new task is added to the thread_group. Now it is done in the sched_post_fork(), which is called after that. To fix the issue, remove the update_load param from the update_load param() function and call reweight_task() only if the task flag doesn't have the TASK_NEW flag set.

2024-08-22 -- not yet calculated



 
Linux -- Linux

 
In the Linux kernel, the following vulnerability has been resolved:

riscv: fix oops caused by irqsoff latency tracer

The trace_hardirqs_{on,off}() require the caller to set up the frame pointer properly. This is because these two functions use the macro 'CALLER_ADDR1' (aka. __builtin_return_address(1)) to acquire caller info. If the $fp is used for another purpose, the code generated by this macro (as below) could trigger a memory access fault.

    0xffffffff8011510e <+80>: ld a1,-16(s0)
    0xffffffff80115112 <+84>: ld s2,-8(a1) # <-- paging fault here

The oops message during booting if compiled with 'irqoff' tracer enabled:

    [ 0.039615][ T0] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000f8
    [ 0.041925][ T0] Oops [#1]
    [ 0.042063][ T0] Modules linked in:
    [ 0.042864][ T0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.17.0-rc1-00233-g9a20c48d1ed2 #29
    [ 0.043568][ T0] Hardware name: riscv-virtio,qemu (DT)
    [ 0.044343][ T0] epc : trace_hardirqs_on+0x56/0xe2
    [ 0.044601][ T0] ra : restore_all+0x12/0x6e
    [ 0.044721][ T0] epc : ffffffff80126a5c ra : ffffffff80003b94 sp : ffffffff81403db0
    [ 0.044801][ T0] gp : ffffffff8163acd8 tp : ffffffff81414880 t0 : 0000000000000020
    [ 0.044882][ T0] t1 : 0098968000000000 t2 : 0000000000000000 s0 : ffffffff81403de0
    [ 0.044967][ T0] s1 : 0000000000000000 a0 : 0000000000000001 a1 : 0000000000000100
    [ 0.045046][ T0] a2 : 0000000000000000 a3 : 0000000000000000 a4 : 0000000000000000
    [ 0.045124][ T0] a5 : 0000000000000000 a6 : 0000000000000000 a7 : 0000000054494d45
    [ 0.045210][ T0] s2 : ffffffff80003b94 s3 : ffffffff81a8f1b0 s4 : ffffffff80e27b50
    [ 0.045289][ T0] s5 : ffffffff81414880 s6 : ffffffff8160fa00 s7 : 00000000800120e8
    [ 0.045389][ T0] s8 : 0000000080013100 s9 : 000000000000007f s10: 0000000000000000
    [ 0.045474][ T0] s11: 0000000000000000 t3 : 7fffffffffffffff t4 : 0000000000000000
    [ 0.045548][ T0] t5 : 0000000000000000 t6 : ffffffff814aa368
    [ 0.045620][ T0] status: 0000000200000100 badaddr: 00000000000000f8 cause: 000000000000000d
    [ 0.046402][ T0] [<ffffffff80003b94>] restore_all+0x12/0x6e

This is because the $fp (aka. $s0) register is not used as frame pointer in the assembly entry code.

    resume_kernel:
        REG_L s0, TASK_TI_PREEMPT_COUNT(tp)
        bnez s0, restore_all
        REG_L s0, TASK_TI_FLAGS(tp)
        andi s0, s0, _TIF_NEED_RESCHED
        beqz s0, restore_all
        call preempt_schedule_irq
        j restore_all

To fix the above issue, here we add one extra level wrapper for function trace_hardirqs_{on,off}() so they can be safely called by low level entry code.

2024-08-22 -- not yet calculated



 
Linux -- Linux

 
In the Linux kernel, the following vulnerability has been resolved:

btrfs: prevent copying too big compressed lzo segment

Compressed length can be corrupted to be a lot larger than memory we have allocated for buffer. This will cause memcpy in copy_compressed_segment to write outside of allocated memory.

This mostly results in stuck read syscall but sometimes when using btrfs send can get #GP

    kernel: general protection fault, probably for non-canonical address 0x841551d5c1000: 0000 [#1] PREEMPT SMP NOPTI
    kernel: CPU: 17 PID: 264 Comm: kworker/u256:7 Tainted: P OE 5.17.0-rc2-1 #12
    kernel: Workqueue: btrfs-endio btrfs_work_helper [btrfs]
    kernel: RIP: 0010:lzo_decompress_bio (./include/linux/fortify-string.h:225 fs/btrfs/lzo.c:322 fs/btrfs/lzo.c:394) btrfs
    Code starting with the faulting instruction
    ===========================================
    0:* 48 8b 06 mov (%rsi),%rax <-- trapping instruction
    3: 48 8d 79 08 lea 0x8(%rcx),%rdi
    7: 48 83 e7 f8 and $0xfffffffffffffff8,%rdi
    b: 48 89 01 mov %rax,(%rcx)
    e: 44 89 f0 mov %r14d,%eax
    11: 48 8b 54 06 f8 mov -0x8(%rsi,%rax,1),%rdx
    kernel: RSP: 0018:ffffb110812efd50 EFLAGS: 00010212
    kernel: RAX: 0000000000001000 RBX: 000000009ca264c8 RCX: ffff98996e6d8ff8
    kernel: RDX: 0000000000000064 RSI: 000841551d5c1000 RDI: ffffffff9500435d
    kernel: RBP: ffff989a3be856c0 R08: 0000000000000000 R09: 0000000000000000
    kernel: R10: 0000000000000000 R11: 0000000000001000 R12: ffff98996e6d8000
    kernel: R13: 0000000000000008 R14: 0000000000001000 R15: 000841551d5c1000
    kernel: FS: 0000000000000000(0000) GS:ffff98a09d640000(0000) knlGS:0000000000000000
    kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    kernel: CR2: 00001e9f984d9ea8 CR3: 000000014971a000 CR4: 00000000003506e0
    kernel: Call Trace:
    kernel: <TASK>
    kernel: end_compressed_bio_read (fs/btrfs/compression.c:104 fs/btrfs/compression.c:1363 fs/btrfs/compression.c:323) btrfs
    kernel: end_workqueue_fn (fs/btrfs/disk-io.c:1923) btrfs
    kernel: btrfs_work_helper (fs/btrfs/async-thread.c:326) btrfs
    kernel: process_one_work (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:212 ./include/trace/events/workqueue.h:108 kernel/workqueue.c:2312)
    kernel: worker_thread (./include/linux/list.h:292 kernel/workqueue.c:2455)
    kernel: ? process_one_work (kernel/workqueue.c:2397)
    kernel: kthread (kernel/kthread.c:377)
    kernel: ? kthread_complete_and_exit (kernel/kthread.c:332)
    kernel: ret_from_fork (arch/x86/entry/entry_64.S:301)
    kernel: </TASK>

2024-08-22 -- not yet calculated


 
Linux -- Linux

 
In the Linux kernel, the following vulnerability has been resolved:

thermal: int340x: fix memory leak in int3400_notify()

It is easy to hit the below memory leaks in my TigerLake platform:

    unreferenced object 0xffff927c8b91dbc0 (size 32):
      comm "kworker/0:2", pid 112, jiffies 4294893323 (age 83.604s)
      hex dump (first 32 bytes):
        4e 41 4d 45 3d 49 4e 54 33 34 30 30 20 54 68 65 NAME=INT3400 The
        72 6d 61 6c 00 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b a5 rmal.kkkkkkkkkk.
      backtrace:
        [<ffffffff9c502c3e>] __kmalloc_track_caller+0x2fe/0x4a0
        [<ffffffff9c7b7c15>] kvasprintf+0x65/0xd0
        [<ffffffff9c7b7d6e>] kasprintf+0x4e/0x70
        [<ffffffffc04cb662>] int3400_notify+0x82/0x120 [int3400_thermal]
        [<ffffffff9c8b7358>] acpi_ev_notify_dispatch+0x54/0x71
        [<ffffffff9c88f1a7>] acpi_os_execute_deferred+0x17/0x30
        [<ffffffff9c2c2c0a>] process_one_work+0x21a/0x3f0
        [<ffffffff9c2c2e2a>] worker_thread+0x4a/0x3b0
        [<ffffffff9c2cb4dd>] kthread+0xfd/0x130
        [<ffffffff9c201c1f>] ret_from_fork+0x1f/0x30

Fix it by calling kfree() accordingly.

2024-08-22 -- not yet calculated






 
Linux -- Linux

 
In the Linux kernel, the following vulnerability has been resolved:

gsmi: fix null-deref in gsmi_get_variable

We can get EFI variables without fetching the attribute, so we must allow for that in gsmi.

commit 859748255b43 ("efi: pstore: Omit efivars caching EFI varstore access layer") added a new get_variable call with attr=NULL, which triggers panic in gsmi.

2024-08-21 -- not yet calculated






 
Linux -- Linux

 
In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: f_ncm: fix potential NULL ptr deref in ncm_bitrate()

In Google internal bug 265639009 we've received an (as yet) unreproducible crash report from an aarch64 GKI 5.10.149-android13 running device.

AFAICT the source code is at:
https://android.googlesource.com/kernel/common/+/refs/tags/ASB-2022-12-05_13-5.10

The call stack is:

    ncm_close() -> ncm_notify() -> ncm_do_notify()

with the crash at:

    ncm_do_notify+0x98/0x270
    Code: 79000d0b b9000a6c f940012a f9400269 (b9405d4b)

Which I believe disassembles to (I don't know ARM assembly, but it looks sane enough to me...):

    // halfword (16-bit) store presumably to event->wLength (at offset 6 of struct usb_cdc_notification)
    0B 0D 00 79 strh w11, [x8, #6]

    // word (32-bit) store presumably to req->Length (at offset 8 of struct usb_request)
    6C 0A 00 B9 str w12, [x19, #8]

    // x10 (NULL) was read here from offset 0 of valid pointer x9
    // IMHO we're reading 'cdev->gadget' and getting NULL
    // gadget is indeed at offset 0 of struct usb_composite_dev
    2A 01 40 F9 ldr x10, [x9]

    // loading req->buf pointer, which is at offset 0 of struct usb_request
    69 02 40 F9 ldr x9, [x19]

    // x10 is null, crash, appears to be attempt to read cdev->gadget->max_speed
    4B 5D 40 B9 ldr w11, [x10, #0x5c]

which seems to line up with ncm_do_notify() case NCM_NOTIFY_SPEED code fragment:

    event->wLength = cpu_to_le16(8);
    req->length = NCM_STATUS_BYTECOUNT;

    /* SPEED_CHANGE data is up/down speeds in bits/sec */
    data = req->buf + sizeof *event;
    data[0] = cpu_to_le32(ncm_bitrate(cdev->gadget));

My analysis of registers and NULL ptr deref crash offset (Unable to handle kernel NULL pointer dereference at virtual address 000000000000005c) heavily suggests that the crash is due to 'cdev->gadget' being NULL when executing:

    data[0] = cpu_to_le32(ncm_bitrate(cdev->gadget));

which calls:

    ncm_bitrate(NULL)

which then calls:

    gadget_is_superspeed(NULL)

which reads

    ((struct usb_gadget *)NULL)->max_speed

and hits a panic.

AFAICT, if I'm counting right, the offset of max_speed is indeed 0x5C. (remember there's a GKI KABI reservation of 16 bytes in struct work_struct)

It's not at all clear to me how this is all supposed to work... but returning 0 seems much better than panic-ing...

2024-08-21 -- not yet calculated






 
Linux -- Linux

 
In the Linux kernel, the following vulnerability has been resolved:

io_uring/poll: don't reissue in case of poll race on multishot request

A previous commit fixed a poll race that can occur, but it's only applicable for multishot requests. For a multishot request, we can safely ignore a spurious wakeup, as we never leave the waitqueue to begin with.

A blunt reissue of a multishot armed request can cause us to leak a buffer, if they are ring provided. While this seems like a bug in itself, it's not really defined behavior to reissue a multishot request directly. It's less efficient to do so as well, and not required to rearm anything like it is for singleshot poll requests.

2024-08-21 -- not yet calculated

 
Linux -- Linux

 
In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix race between quota rescan and disable leading to NULL pointer deref

If we have one task trying to start the quota rescan worker while another one is trying to disable quotas, we can end up hitting a race that results in the quota rescan worker doing a NULL pointer dereference. The steps for this are the following:

1) Quotas are enabled;

2) Task A calls the quota rescan ioctl and enters btrfs_qgroup_rescan(). It calls qgroup_rescan_init() which returns 0 (success) and then joins a transaction and commits it;

3) Task B calls the quota disable ioctl and enters btrfs_quota_disable(). It clears the bit BTRFS_FS_QUOTA_ENABLED from fs_info->flags and calls btrfs_qgroup_wait_for_completion(), which returns immediately since the rescan worker is not yet running. Then it starts a transaction and locks fs_info->qgroup_ioctl_lock;

4) Task A queues the rescan worker, by calling btrfs_queue_work();

5) The rescan worker starts, and calls rescan_should_stop() at the start of its while loop, which results in 0 iterations of the loop, since the flag BTRFS_FS_QUOTA_ENABLED was cleared from fs_info->flags by task B at step 3);

6) Task B sets fs_info->quota_root to NULL;

7) The rescan worker tries to start a transaction and uses fs_info->quota_root as the root argument for btrfs_start_transaction(). This results in a NULL pointer dereference down the call chain of btrfs_start_transaction().

The stack trace is something like the one reported in Link tag below:

    general protection fault, probably for non-canonical address 0xdffffc0000000041: 0000 [#1] PREEMPT SMP KASAN
    KASAN: null-ptr-deref in range [0x0000000000000208-0x000000000000020f]
    CPU: 1 PID: 34 Comm: kworker/u4:2 Not tainted 6.1.0-syzkaller-13872-gb6bb9676f216 #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
    Workqueue: btrfs-qgroup-rescan btrfs_work_helper
    RIP: 0010:start_transaction+0x48/0x10f0 fs/btrfs/transaction.c:564
    Code: 48 89 fb 48 (...)
    RSP: 0018:ffffc90000ab7ab0 EFLAGS: 00010206
    RAX: 0000000000000041 RBX: 0000000000000208 RCX: ffff88801779ba80
    RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
    RBP: dffffc0000000000 R08: 0000000000000001 R09: fffff52000156f5d
    R10: fffff52000156f5d R11: 1ffff92000156f5c R12: 0000000000000000
    R13: 0000000000000001 R14: 0000000000000001 R15: 0000000000000003
    FS: 0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
    CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 00007f2bea75b718 CR3: 000000001d0cc000 CR4: 00000000003506e0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    Call Trace:
    <TASK>
    btrfs_qgroup_rescan_worker+0x3bb/0x6a0 fs/btrfs/qgroup.c:3402
    btrfs_work_helper+0x312/0x850 fs/btrfs/async-thread.c:280
    process_one_work+0x877/0xdb0 kernel/workqueue.c:2289
    worker_thread+0xb14/0x1330 kernel/workqueue.c:2436
    kthread+0x266/0x300 kernel/kthread.c:376
    ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
    </TASK>
    Modules linked in:

So fix this by having the rescan worker function not attempt to start a transaction if it didn't do any rescan work.

2024-08-21 -- not yet calculated




 
Linux -- Linux

 
In the Linux kernel, the following vulnerability has been resolved:

btrfs: qgroup: do not warn on record without old_roots populated

[BUG]
There are some reports from the mailing list that since v6.1 kernel, the WARN_ON() inside btrfs_qgroup_account_extent() gets triggered during rescan:

    WARNING: CPU: 3 PID: 6424 at fs/btrfs/qgroup.c:2756 btrfs_qgroup_account_extents+0x1ae/0x260 [btrfs]
    CPU: 3 PID: 6424 Comm: snapperd Tainted: P OE 6.1.2-1-default #1 openSUSE Tumbleweed 05c7a1b1b61d5627475528f71f50444637b5aad7
    RIP: 0010:btrfs_qgroup_account_extents+0x1ae/0x260 [btrfs]
    Call Trace:
    <TASK>
    btrfs_commit_transaction+0x30c/0xb40 [btrfs c39c9c546c241c593f03bd6d5f39ea1b676250f6]
    ? start_transaction+0xc3/0x5b0 [btrfs c39c9c546c241c593f03bd6d5f39ea1b676250f6]
    btrfs_qgroup_rescan+0x42/0xc0 [btrfs c39c9c546c241c593f03bd6d5f39ea1b676250f6]
    btrfs_ioctl+0x1ab9/0x25c0 [btrfs c39c9c546c241c593f03bd6d5f39ea1b676250f6]
    ? __rseq_handle_notify_resume+0xa9/0x4a0
    ? mntput_no_expire+0x4a/0x240
    ? __seccomp_filter+0x319/0x4d0
    __x64_sys_ioctl+0x90/0xd0
    do_syscall_64+0x5b/0x80
    ? syscall_exit_to_user_mode+0x17/0x40
    ? do_syscall_64+0x67/0x80
    entry_SYSCALL_64_after_hwframe+0x63/0xcd
    RIP: 0033:0x7fd9b790d9bf
    </TASK>

[CAUSE]
Since commit e15e9f43c7ca ("btrfs: introduce BTRFS_QGROUP_RUNTIME_FLAG_NO_ACCOUNTING to skip qgroup accounting"), if our qgroup is already in inconsistent state, we will no longer do the time-consuming backref walk.

This can leave some qgroup records without a valid old_roots ulist. Normally this is fine, as btrfs_qgroup_account_extents() would also skip those records if we have NO_ACCOUNTING flag set.

But there is a small window, if we have NO_ACCOUNTING flag set, and inserted some qgroup_record without an old_roots ulist, but then the user triggered a qgroup rescan.

During btrfs_qgroup_rescan(), we firstly clear NO_ACCOUNTING flag, then commit current transaction.

And since we have a qgroup_record with old_roots = NULL, we trigger the WARN_ON() during btrfs_qgroup_account_extents().

[FIX]
Unfortunately due to the introduction of NO_ACCOUNTING flag, the assumption that every qgroup_record would have its old_roots populated is no longer correct.

Fix the false alerts and drop the WARN_ON().

2024-08-21 -- not yet calculated

 
Linux -- Linux

 
In the Linux kernel, the following vulnerability has been resolved:

xhci: Fix null pointer dereference when host dies

Make sure xhci_free_dev() and xhci_kill_endpoint_urbs() do not race and cause null pointer dereference when host suddenly dies.

Usb core may call xhci_free_dev() which frees the xhci->devs[slot_id] virt device at the same time that xhci_kill_endpoint_urbs() tries to loop through all the device's endpoints, checking if there are any cancelled urbs left to give back.

Hold the xhci spinlock while freeing the virt device.

2024-08-21 -- not yet calculated





 
Linux -- Linux

 
In the Linux kernel, the following vulnerability has been resolved:

Add exception protection processing for vd in axi_chan_handle_err function

Since there is no protection for vd, a kernel panic will be triggered here in exceptional cases. You can refer to the processing of axi_chan_block_xfer_complete function.

The triggered kernel panic is as follows:

    [ 67.848444] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000060
    [ 67.848447] Mem abort info:
    [ 67.848449] ESR = 0x96000004
    [ 67.848451] EC = 0x25: DABT (current EL), IL = 32 bits
    [ 67.848454] SET = 0, FnV = 0
    [ 67.848456] EA = 0, S1PTW = 0
    [ 67.848458] Data abort info:
    [ 67.848460] ISV = 0, ISS = 0x00000004
    [ 67.848462] CM = 0, WnR = 0
    [ 67.848465] user pgtable: 4k pages, 48-bit VAs, pgdp=00000800c4c0b000
    [ 67.848468] [0000000000000060] pgd=0000000000000000, p4d=0000000000000000
    [ 67.848472] Internal error: Oops: 96000004 [#1] SMP
    [ 67.848475] Modules linked in: dmatest
    [ 67.848479] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.10.100-emu_x2rc+ #11
    [ 67.848483] pstate: 62000085 (nZCv daIf -PAN -UAO +TCO BTYPE=--)
    [ 67.848487] pc : axi_chan_handle_err+0xc4/0x230
    [ 67.848491] lr : axi_chan_handle_err+0x30/0x230
    [ 67.848493] sp : ffff0803fe55ae50
    [ 67.848495] x29: ffff0803fe55ae50 x28: ffff800011212200
    [ 67.848500] x27: ffff0800c42c0080 x26: ffff0800c097c080
    [ 67.848504] x25: ffff800010d33880 x24: ffff80001139d850
    [ 67.848508] x23: ffff0800c097c168 x22: 0000000000000000
    [ 67.848512] x21: 0000000000000080 x20: 0000000000002000
    [ 67.848517] x19: ffff0800c097c080 x18: 0000000000000000
    [ 67.848521] x17: 0000000000000000 x16: 0000000000000000
    [ 67.848525] x15: 0000000000000000 x14: 0000000000000000
    [ 67.848529] x13: 0000000000000000 x12: 0000000000000040
    [ 67.848533] x11: ffff0800c0400248 x10: ffff0800c040024a
    [ 67.848538] x9 : ffff800010576cd4 x8 : ffff0800c0400270
    [ 67.848542] x7 : 0000000000000000 x6 : ffff0800c04003e0
    [ 67.848546] x5 : ffff0800c0400248 x4 : ffff0800c4294480
    [ 67.848550] x3 : dead000000000100 x2 : dead000000000122
    [ 67.848555] x1 : 0000000000000100 x0 : ffff0800c097c168
    [ 67.848559] Call trace:
    [ 67.848562] axi_chan_handle_err+0xc4/0x230
    [ 67.848566] dw_axi_dma_interrupt+0xf4/0x590
    [ 67.848569] __handle_irq_event_percpu+0x60/0x220
    [ 67.848573] handle_irq_event+0x64/0x120
    [ 67.848576] handle_fasteoi_irq+0xc4/0x220
    [ 67.848580] __handle_domain_irq+0x80/0xe0
    [ 67.848583] gic_handle_irq+0xc0/0x138
    [ 67.848585] el1_irq+0xc8/0x180
    [ 67.848588] arch_cpu_idle+0x14/0x2c
    [ 67.848591] default_idle_call+0x40/0x16c
    [ 67.848594] do_idle+0x1f0/0x250
    [ 67.848597] cpu_startup_entry+0x2c/0x60
    [ 67.848600] rest_init+0xc0/0xcc
    [ 67.848603] arch_call_rest_init+0x14/0x1c
    [ 67.848606] start_kernel+0x4cc/0x500
    [ 67.848610] Code: eb0002ff 9a9f12d6 f2fbd5a2 f2fbd5a3 (a94602c1)
    [ 67.848613] ---[ end trace 585a97036f88203a ]---

2024-08-21 -- not yet calculated





 
Linux -- Linux

 
In the Linux kernel, the following vulnerability has been resolved:

nilfs2: fix general protection fault in nilfs_btree_insert()

If nilfs2 reads a corrupted disk image and tries to read a b-tree node block by calling __nilfs_btree_get_block() against an invalid virtual block address, it returns -ENOENT because conversion of the virtual block address to a disk block address fails. However, this return value is the same as the internal code that b-tree lookup routines return to indicate that the block being searched does not exist, so functions that operate on that b-tree may misbehave.

When nilfs_btree_insert() receives this spurious 'not found' code from nilfs_btree_do_lookup(), it misunderstands that the 'not found' check was successful and continues the insert operation using incomplete lookup path data, causing the following crash:

    general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN
    KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
    ...
    RIP: 0010:nilfs_btree_get_nonroot_node fs/nilfs2/btree.c:418 [inline]
    RIP: 0010:nilfs_btree_prepare_insert fs/nilfs2/btree.c:1077 [inline]
    RIP: 0010:nilfs_btree_insert+0x6d3/0x1c10 fs/nilfs2/btree.c:1238
    Code: bc 24 80 00 00 00 4c 89 f8 48 c1 e8 03 42 80 3c 28 00 74 08 4c 89 ff e8 4b 02 92 fe 4d 8b 3f 49 83 c7 28 4c 89 f8 48 c1 e8 03 <42> 80 3c 28 00 74 08 4c 89 ff e8 2e 02 92 fe 4d 8b 3f 49 83 c7 02
    ...
    Call Trace:
    <TASK>
    nilfs_bmap_do_insert fs/nilfs2/bmap.c:121 [inline]
    nilfs_bmap_insert+0x20d/0x360 fs/nilfs2/bmap.c:147
    nilfs_get_block+0x414/0x8d0 fs/nilfs2/inode.c:101
    __block_write_begin_int+0x54c/0x1a80 fs/buffer.c:1991
    __block_write_begin fs/buffer.c:2041 [inline]
    block_write_begin+0x93/0x1e0 fs/buffer.c:2102
    nilfs_write_begin+0x9c/0x110 fs/nilfs2/inode.c:261
    generic_perform_write+0x2e4/0x5e0 mm/filemap.c:3772
    __generic_file_write_iter+0x176/0x400 mm/filemap.c:3900
    generic_file_write_iter+0xab/0x310 mm/filemap.c:3932
    call_write_iter include/linux/fs.h:2186 [inline]
    new_sync_write fs/read_write.c:491 [inline]
    vfs_write+0x7dc/0xc50 fs/read_write.c:584
    ksys_write+0x177/0x2a0 fs/read_write.c:637
    do_syscall_x64 arch/x86/entry/common.c:50 [inline]
    do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
    entry_SYSCALL_64_after_hwframe+0x63/0xcd
    ...
    </TASK>

This patch fixes the root cause of this problem by replacing the error code that __nilfs_btree_get_block() returns on block address conversion failure from -ENOENT to another internal code -EINVAL which means that the b-tree metadata is corrupted.

By returning -EINVAL, it propagates without glitches, and for all relevant b-tree operations, functions in the upper bmap layer output an error message indicating corrupted b-tree metadata via nilfs_bmap_convert_error(), and code -EIO will be eventually returned as it should be.

2024-08-21 -- not yet calculated






 
Linux -- Linux

 
In the Linux kernel, the following vulnerability has been resolved:

usb: xhci: Check endpoint is valid before dereferencing it

When the host controller is not responding, all URBs queued to all endpoints need to be killed. This can cause a kernel panic if we dereference an invalid endpoint.

Fix this by using xhci_get_virt_ep() helper to find the endpoint and checking if the endpoint is valid before dereferencing it.

    [233311.853271] xhci-hcd xhci-hcd.1.auto: xHCI host controller not responding, assume dead
    [233311.853393] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000e8
    [233311.853964] pc : xhci_hc_died+0x10c/0x270
    [233311.853971] lr : xhci_hc_died+0x1ac/0x270
    [233311.854077] Call trace:
    [233311.854085] xhci_hc_died+0x10c/0x270
    [233311.854093] xhci_stop_endpoint_command_watchdog+0x100/0x1a4
    [233311.854105] call_timer_fn+0x50/0x2d4
    [233311.854112] expire_timers+0xac/0x2e4
    [233311.854118] run_timer_softirq+0x300/0xabc
    [233311.854127] __do_softirq+0x148/0x528
    [233311.854135] irq_exit+0x194/0x1a8
    [233311.854143] __handle_domain_irq+0x164/0x1d0
    [233311.854149] gic_handle_irq.22273+0x10c/0x188
    [233311.854156] el1_irq+0xfc/0x1a8
    [233311.854175] lpm_cpuidle_enter+0x25c/0x418 [msm_pm]
    [233311.854185] cpuidle_enter_state+0x1f0/0x764
    [233311.854194] do_idle+0x594/0x6ac
    [233311.854201] cpu_startup_entry+0x7c/0x80
    [233311.854209] secondary_start_kernel+0x170/0x198

2024-08-21 -- not yet calculated






 
Linux -- Linux

 
In the Linux kernel, the following vulnerability has been resolved:

nommu: fix memory leak in do_mmap() error path

The preallocation of the maple tree nodes may leak if the error path to "error_just_free" is taken. Fix this by moving the freeing of the maple tree nodes to a shared location for all error paths.

2024-08-21 -- not yet calculated

 
Linux -- Linux

 
In the Linux kernel, the following vulnerability has been resolved:

io_uring: lock overflowing for IOPOLL

syzbot reports an issue with overflow filling for IOPOLL:

    WARNING: CPU: 0 PID: 28 at io_uring/io_uring.c:734 io_cqring_event_overflow+0x1c0/0x230 io_uring/io_uring.c:734
    CPU: 0 PID: 28 Comm: kworker/u4:1 Not tainted 6.2.0-rc3-syzkaller-16369-g358a161a6a9e #0
    Workqueue: events_unbound io_ring_exit_work
    Call trace:
     io_cqring_event_overflow+0x1c0/0x230 io_uring/io_uring.c:734
     io_req_cqe_overflow+0x5c/0x70 io_uring/io_uring.c:773
     io_fill_cqe_req io_uring/io_uring.h:168 [inline]
     io_do_iopoll+0x474/0x62c io_uring/rw.c:1065
     io_iopoll_try_reap_events+0x6c/0x108 io_uring/io_uring.c:1513
     io_uring_try_cancel_requests+0x13c/0x258 io_uring/io_uring.c:3056
     io_ring_exit_work+0xec/0x390 io_uring/io_uring.c:2869
     process_one_work+0x2d8/0x504 kernel/workqueue.c:2289
     worker_thread+0x340/0x610 kernel/workqueue.c:2436
     kthread+0x12c/0x158 kernel/kthread.c:376
     ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:863

There is no real problem for normal IOPOLL as flush is also called with uring_lock taken, but it's getting more complicated for IOPOLL|SQPOLL, for which __io_cqring_overflow_flush() happens from the CQ waiting path.

2024-08-21 -- not yet calculated



 
Linux -- Linux

 
In the Linux kernel, the following vulnerability has been resolved:

ALSA: usb-audio: Fix possible NULL pointer dereference in snd_usb_pcm_has_fixed_rate()

The subs function argument may be NULL, so do not use it before the NULL check.

2024-08-21 -- not yet calculated

 
Linux -- Linux

 
In the Linux kernel, the following vulnerability has been resolved:

octeontx2-pf: Fix resource leakage in VF driver unbind

Resources allocated like mcam entries to support the Ntuple feature and hash tables for the tc feature are not getting freed in driver unbind. This patch fixes the issue.

2024-08-21 -- not yet calculated

 
Linux -- Linux

 
In the Linux kernel, the following vulnerability has been resolved:

net/sched: act_mpls: Fix warning during failed attribute validation

The 'TCA_MPLS_LABEL' attribute is of 'NLA_U32' type, but has a validation type of 'NLA_VALIDATE_FUNCTION'. This is an invalid combination according to the comment above 'struct nla_policy':

    "
    Meaning of `validate' field, use via NLA_POLICY_VALIDATE_FN:
       NLA_BINARY Validation function called for the attribute.
       All other Unused - but note that it's a union
    "

This can trigger the warning [1] in nla_get_range_unsigned() when validation of the attribute fails. Despite being of 'NLA_U32' type, the associated 'min'/'max' fields in the policy are negative as they are aliased by the 'validate' field.

Fix by changing the attribute type to 'NLA_BINARY' which is consistent with the above comment and all other users of NLA_POLICY_VALIDATE_FN(). As a result, move the length validation to the validation function.

No regressions in MPLS tests:

    # ./tdc.py -f tc-tests/actions/mpls.json
    [...]
    # echo $?
    0

[1]

    WARNING: CPU: 0 PID: 17743 at lib/nlattr.c:118 nla_get_range_unsigned+0x1d8/0x1e0 lib/nlattr.c:117
    Modules linked in:
    CPU: 0 PID: 17743 Comm: syz-executor.0 Not tainted 6.1.0-rc8 #3
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014
    RIP: 0010:nla_get_range_unsigned+0x1d8/0x1e0 lib/nlattr.c:117
    [...]
    Call Trace:
    <TASK>
    __netlink_policy_dump_write_attr+0x23d/0x990 net/netlink/policy.c:310
    netlink_policy_dump_write_attr+0x22/0x30 net/netlink/policy.c:411
    netlink_ack_tlv_fill net/netlink/af_netlink.c:2454 [inline]
    netlink_ack+0x546/0x760 net/netlink/af_netlink.c:2506
    netlink_rcv_skb+0x1b7/0x240 net/netlink/af_netlink.c:2546
    rtnetlink_rcv+0x18/0x20 net/core/rtnetlink.c:6109
    netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
    netlink_unicast+0x5e9/0x6b0 net/netlink/af_netlink.c:1345
    netlink_sendmsg+0x739/0x860 net/netlink/af_netlink.c:1921
    sock_sendmsg_nosec net/socket.c:714 [inline]
    sock_sendmsg net/socket.c:734 [inline]
    ____sys_sendmsg+0x38f/0x500 net/socket.c:2482
    ___sys_sendmsg net/socket.c:2536 [inline]
    __sys_sendmsg+0x197/0x230 net/socket.c:2565
    __do_sys_sendmsg net/socket.c:2574 [inline]
    __se_sys_sendmsg net/socket.c:2572 [inline]
    __x64_sys_sendmsg+0x42/0x50 net/socket.c:2572
    do_syscall_x64 arch/x86/entry/common.c:50 [inline]
    do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
    entry_SYSCALL_64_after_hwframe+0x63/0xcd

2024-08-21 -- not yet calculated




 
Linux -- Linux

 
In the Linux kernel, the following vulnerability has been resolved:

nfc: pn533: Wait for out_urb's completion in pn533_usb_send_frame()

Fix a use-after-free that occurs in hcd when in_urb sent from pn533_usb_send_frame() is completed earlier than out_urb. Its callback frees the skb data in pn533_send_async_complete() that is used as a transfer buffer of out_urb. Wait before sending in_urb until the callback of out_urb is called. To modify the callback of out_urb alone, separate the complete function of out_urb and ack_urb.

Found by a modified version of syzkaller.

    BUG: KASAN: use-after-free in dummy_timer
    Call Trace:
    memcpy (mm/kasan/shadow.c:65)
    dummy_perform_transfer (drivers/usb/gadget/udc/dummy_hcd.c:1352)
    transfer (drivers/usb/gadget/udc/dummy_hcd.c:1453)
    dummy_timer (drivers/usb/gadget/udc/dummy_hcd.c:1972)
    arch_static_branch (arch/x86/include/asm/jump_label.h:27)
    static_key_false (include/linux/jump_label.h:207)
    timer_expire_exit (include/trace/events/timer.h:127)
    call_timer_fn (kernel/time/timer.c:1475)
    expire_timers (kernel/time/timer.c:1519)
    __run_timers (kernel/time/timer.c:1790)
    run_timer_softirq (kernel/time/timer.c:1803)

2024-08-21 -- not yet calculated






 
Linux -- Linux

 
In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: Fix potential NULL dereference

Fix potential NULL dereference, in the case when "man", the resource manager might be NULL, when/if we print debug information.

2024-08-21 -- not yet calculated

 
Linux -- Linux

 
In the Linux kernel, the following vulnerability has been resolved:

nfsd: fix handling of cached open files in nfsd4_open codepath

Commit fb70bf124b05 ("NFSD: Instantiate a struct file when creating a regular NFSv4 file") added the ability to cache an open fd over a compound. There are a couple of problems with the way this currently works:

It's racy, as a newly-created nfsd_file can end up with its PENDING bit cleared while the nf is hashed, and the nf_file pointer is still zeroed out. Other tasks can find it in this state and they expect to see a valid nf_file, and can oops if nf_file is NULL.

Also, there is no guarantee that we'll end up creating a new nfsd_file if one is already in the hash. If an extant entry is in the hash with a valid nf_file, nfs4_get_vfs_file will clobber its nf_file pointer with the value of op_file and the old nf_file will leak.

Fix both issues by making a new nfsd_file_acquirei_opened variant that takes an optional file pointer. If one is present when this is called, we'll take a new reference to it instead of trying to open the file. If the nfsd_file already has a valid nf_file, we'll just ignore the optional file and pass the nfsd_file back as-is.

Also rework the tracepoints a bit to allow for an "opened" variant and don't try to avoid counting acquisitions in the case where we already have a cached open file.

2024-08-21 -- not yet calculated



 
Linux -- Linux

 
In the Linux kernel, the following vulnerability has been resolved: iommu/iova: Fix alloc iova overflows issue In __alloc_and_insert_iova_range, there is an issue that retry_pfn overflows. The value of iovad->anchor.pfn_hi is ~0UL, then when iovad->cached_node is iovad->anchor, curr_iova->pfn_hi + 1 will overflow. As a result, if the retry logic is executed, low_pfn is updated to 0, and then new_pfn < low_pfn returns false to make the allocation successful. This issue occurs in the following two situations: 1. The first iova size exceeds the domain size. When initializing iova domain, iovad->cached_node is assigned as iovad->anchor. For example, the iova domain size is 10M, start_pfn is 0x1_F000_0000, and the iova size allocated for the first time is 11M. The following is the log information, new->pfn_lo is smaller than iovad->cached_node. Example log as follows: [ 223.798112][T1705487] sh: [name:iova&]__alloc_and_insert_iova_range start_pfn:0x1f0000,retry_pfn:0x0,size:0xb00,limit_pfn:0x1f0a00 [ 223.799590][T1705487] sh: [name:iova&]__alloc_and_insert_iova_range success start_pfn:0x1f0000,new->pfn_lo:0x1efe00,new->pfn_hi:0x1f08ff 2. The node with the largest iova->pfn_lo value in the iova domain is deleted, iovad->cached_node will be updated to iovad->anchor, and then the alloc iova size exceeds the maximum iova size that can be allocated in the domain. After judging that retry_pfn is less than limit_pfn, call retry_pfn+1 to fix the overflow issue.
2024-08-21 not yet calculated


 
Linux -- Linux

 
In the Linux kernel, the following vulnerability has been resolved: drm/msm: another fix for the headless Adreno GPU Fix another oops reproducible when rebooting the board with the Adreno GPU working in the headless mode (e.g. iMX platforms).
2024-08-21 not yet calculated

 
Linux -- Linux

 
In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fixed bug on error when unloading amdgpu Fixed bug on error when unloading amdgpu. The error message is as follows:
2024-08-21 not yet calculated

 
Linux -- Linux

 
In the Linux kernel, the following vulnerability has been resolved: drm/i915: Fix potential context UAFs gem_context_register() makes the context visible to userspace, at which point a separate thread can trigger the I915_GEM_CONTEXT_DESTROY ioctl. So we need to ensure that nothing uses the ctx ptr after this. And we need to ensure that adding the ctx to the xarray is the *last* thing that gem_context_register() does with the ctx pointer. [tursulin: Stable and fixes tags add/tidy.] (cherry picked from commit bed4b455cf5374e68879be56971c1da563bcd90c)
2024-08-21 not yet calculated

 
Linux -- Linux

 
In the Linux kernel, the following vulnerability has been resolved: io_uring/poll: add hash if ready poll request can't complete inline If we don't, then we may lose access to it completely, leading to a request leak. This will eventually stall the ring exit process as well.
2024-08-21 not yet calculated

 
OpenText™ -- CX-E Voice

 
Path Traversal vulnerability discovered in OpenText™ CX-E Voice, affecting all versions through 22.4. The vulnerability could allow arbitrary access to files on the system.
2024-08-22 not yet calculated
 
Atlassian -- Bamboo Data Center

This High severity RCE (Remote Code Execution) vulnerability CVE-2024-21689 was introduced in versions 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.5.0, and 9.6.0 of Bamboo Data Center and Server. This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 7.6, allows an authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires user interaction. Atlassian recommends that Bamboo Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: Bamboo Data Center and Server 9.2: Upgrade to a release greater than or equal to 9.2.17 Bamboo Data Center and Server 9.6: Upgrade to a release greater than or equal to 9.6.5 See the release notes ([https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html]). You can download the latest version of Bamboo Data Center and Server from the download center ([https://www.atlassian.com/software/bamboo/download-archives]). This vulnerability was reported via our Bug Bounty program.
2024-08-20 not yet calculated

 
Atlassian -- Confluence Data Center

 
This High severity Reflected XSS and CSRF (Cross-Site Request Forgery) vulnerability was introduced in versions 7.19.0, 7.20.0, 8.0.0, 8.1.0, 8.2.0, 8.3.0, 8.4.0, 8.5.0, 8.6.0, 8.7.1, 8.8.0, and 8.9.0 of Confluence Data Center and Server. This Reflected XSS and CSRF (Cross-Site Request Forgery) vulnerability, with a CVSS Score of 7.1, allows an unauthenticated attacker to execute arbitrary HTML or JavaScript code on a victim's browser and force an end user to execute unwanted actions on a web application in which they're currently authenticated which has high impact to confidentiality, low impact to integrity, no impact to availability, and requires user interaction. Atlassian recommends that Confluence Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: * Confluence Data Center and Server 7.19: Upgrade to a release greater than or equal to 7.19.26 * Confluence Data Center and Server 8.5: Upgrade to a release greater than or equal to 8.5.14 * Confluence Data Center and Server 9.0: Upgrade to a release greater than or equal to 9.0.1 See the release notes (https://confluence.atlassian.com/doc/confluence-release-notes-327.html). You can download the latest version of Confluence Data Center and Server from the download center (https://www.atlassian.com/software/confluence/download-archives). This vulnerability was reported via our Bug Bounty program.
2024-08-21 not yet calculated

 
Joomla! Project -- Joomla! CMS


 
Inadequate validation of URLs could result in an invalid check of whether a redirect URL is internal or not.
2024-08-20 not yet calculated
 
Joomla! Project -- Joomla! CMS

 
The mail template feature lacks an escaping mechanism, causing XSS vectors in multiple extensions.
2024-08-20 not yet calculated
 
Checkmk GmbH -- Checkmk

Least privilege violation and reliance on untrusted inputs in the mk_informix Checkmk agent plugin before Checkmk 2.3.0p12, 2.2.0p32, 2.1.0p47 and 2.0.0 (EOL) allows local users to escalate privileges.
2024-08-20 not yet calculated
 
N/A -- N/A

 
An issue was discovered in Italtel Embrace 1.6.4. The web application inserts the access token of an authenticated user inside GET requests. The query string for the URL could be saved in the browser's history, passed through Referers to other web sites, stored in web logs, or otherwise recorded in other sources. If the query string contains sensitive information such as session identifiers, then attackers can use this information to launch further attacks. Because the access token is sent in GET requests, this vulnerability could lead to complete account takeover.
2024-08-20 not yet calculated
 
N/A -- N/A

 
A SQL Injection vulnerability exists in the updateServiceHost functionality in Centreon Web 24.04.x before 24.04.3, 23.10.x before 23.10.13, 23.04.x before 23.04.19, and 22.10.x before 22.10.23.
2024-08-23 not yet calculated

 
N/A -- N/A

 
A SQL Injection vulnerability exists in the Graph Template component in Centreon Web 24.04.x before 24.04.3, 23.10.x before 23.10.13, 23.04.x before 23.04.19, and 22.10.x before 22.10.23.
2024-08-23 not yet calculated

 
BlackBerry -- CylanceOPTICS for Windows

 
A tampering vulnerability in the CylanceOPTICS Windows Installer Package of CylanceOPTICS for Windows version 3.2 and 3.3 could allow an attacker to potentially uninstall CylanceOPTICS from a system thereby leaving it with only the protection of CylancePROTECT.
2024-08-20 not yet calculated
 
N/A -- N/A

 
cgi-bin/fdmcgiwebv2.cgi on Swissphone DiCal-RED 4009 devices allows an unauthenticated attacker to gain access to device logs.
2024-08-22 not yet calculated

 
N/A -- N/A

 
A stored Cross-Site Scripting (XSS) vulnerability has been identified in SMSEagle software version < 6.0. The vulnerability arises because the application did not properly sanitize user input in the SMS messages in the inbox. This could allow an attacker to inject malicious JavaScript code into an SMS message, which gets executed when the SMS is viewed and specially interacted in web-GUI.
2024-08-23 not yet calculated
 
N/A -- N/A

 
An issue was discovered in the Docusign API package 8.142.14 for Salesforce. The Apttus_DocuApi__DocusignAuthentication__mdt object is installed via the marketplace from this package and stores some configuration information in a manner that could be compromised. With the default settings when installed for all users, the object can be accessible and (via its fields) could disclose some keys. These disclosed components can be combined to create a valid session via the Docusign API. This will generally lead to a complete compromise of the Docusign account because the session is for an administrator service account and may have permission to re-authenticate as specific users with the same authorization flow.
2024-08-21 not yet calculated

 
Versa -- Director

 
The Versa Director GUI provides an option to customize the look and feel of the user interface. This option is only available for a user logged with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin. (Tenant level users do not have this privilege). The "Change Favicon" (Favorite Icon) option can be mis-used to upload a malicious file ending with .png extension to masquerade as image file. This is possible only after a user with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin has successfully authenticated and logged in. Severity: HIGH Exploitation Status: Versa Networks is aware of one confirmed customer reported instance where this vulnerability was exploited because the Firewall guidelines which were published in 2015 & 2017 were not implemented by that customer. This non-implementation resulted in the bad actor being able to exploit this vulnerability without using the GUI. In our testing (not exhaustive, as not all numerical versions of major browsers were tested) the malicious file does not get executed on the client. There are reports of others based on backbone telemetry observations of a 3rd party provider, however these are unconfirmed to date.
2024-08-22 not yet calculated



 
N/A -- N/A

 
A persistent (stored) cross-site scripting (XSS) vulnerability has been identified in Automad 2.0.0-alpha.4. This vulnerability enables an attacker to inject malicious JavaScript code into the template body. The injected code is stored within the flat file CMS and is executed in the browser of any user visiting the forum.
2024-08-23 not yet calculated

 
Joomla! Project -- Joomla! CMS

The stripImages and stripIframes methods didn't properly process inputs, leading to XSS vectors.
2024-08-20 not yet calculated
 
SonicWall -- SonicOS

 
An improper access control vulnerability has been identified in the SonicWall SonicOS management access, potentially leading to unauthorized resource access and in specific conditions, causing the firewall to crash. This issue affects SonicWall Firewall Gen 5 and Gen 6 devices, as well as Gen 7 devices running SonicOS 7.0.1-5035 and older versions.
2024-08-23 not yet calculated
 
N/A -- N/A

 
Learning with Texts (LWT) 2.0.3 is vulnerable to Cross Site Scripting (XSS). The application has a specific function that does not filter special characters in URL parameters. Remote attackers can inject JavaScript code without authorization. Exploiting this vulnerability, attackers can steal user credentials or execute actions such as injecting malicious scripts or redirecting users to malicious sites.
2024-08-21 not yet calculated

 
N/A -- N/A

 
Buffer Overflow vulnerability in the net/bootp.c in DENEX U-Boot from its initial commit in 2002 (3861aa5) up to today on any platform allows an attacker on the local network to leak memory from four up to 32 bytes of memory stored behind the packet to the network depending on the later use of DHCP-provided parameters via crafted DHCP responses.
2024-08-23 not yet calculated

 
N/A -- N/A

 
Retool (self-hosted enterprise) through 3.40.0 inserts resource authentication credentials into sent data. Credentials for users with "Use" permissions can be discovered (by an authenticated attacker) via the /api/resources endpoint. The earliest affected version is 3.18.1.
2024-08-22 not yet calculated

 
N/A -- N/A

 
A cross-site scripting (XSS) vulnerability in the component /email/welcome.php of Mini Inventory and Sales Management System commit 18aa3d allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title parameter.
2024-08-21 not yet calculated
 
N/A -- N/A

A Cross-Site Request Forgery (CSRF) in the component admin_modify_room.php of Hotel Management System commit 91caab8 allows attackers to escalate privileges.
2024-08-20 not yet calculated
 
N/A -- N/A

 
SeaCMS 13.0 has a remote code execution vulnerability. The reason for this vulnerability is that although admin_files.php imposes restrictions on edited files, attackers can still bypass these restrictions and write code, allowing authenticated attackers to exploit the vulnerability to execute arbitrary commands and gain system privileges.
2024-08-22 not yet calculated

 
N/A -- N/A

An issue in apolloconfig apollo v.2.2.0 allows a remote attacker to obtain sensitive information via a crafted request.
2024-08-20 not yet calculated

 
N/A -- N/A

 
An issue in Netgear DGN1000WW v.1.1.00.45 allows a remote attacker to execute arbitrary code via the Diagnostics page.
2024-08-23 not yet calculated
 
N/A -- N/A

 
Kashipara Bus Ticket Reservation System v1.0 0 is vulnerable to Incorrect Access Control via /deleteTicket.php.
2024-08-23 not yet calculated

 
N/A -- N/A

 
An Incorrect Access Control vulnerability was found in /admin/edit_room_controller.php in Kashipara Hotel Management System v1.0, which allows an unauthenticated attacker to edit the valid hotel room entries in the administrator section.
2024-08-22 not yet calculated

 
N/A -- N/A

In D-Link DIR-860L v2.03, there is a buffer overflow vulnerability due to the lack of length verification for the SID field in gena.cgi. Attackers who successfully exploit this vulnerability can cause the remote target device to crash or execute arbitrary commands.
2024-08-19 not yet calculated

 
N/A -- N/A

 
An eval Injection vulnerability in the component invesalius/reader/dicom.py of InVesalius 3.1.99991 through 3.1.99998 allows attackers to execute arbitrary code via loading a crafted DICOM file.
2024-08-23 not yet calculated


 
N/A -- N/A

 
A host header injection vulnerability exists in the forgot password functionality of ArrowCMS version 1.0.0. By sending a specially crafted host header in the forgot password request, it is possible to send password reset links to users which, once clicked, lead to an attacker-controlled server and thus leak the password reset token. This may allow an attacker to reset other users' passwords.
2024-08-23 not yet calculated

 
itsourcecode -- Online Accreditation Management System

 
itsourcecode Online Accreditation Management System contains a Cross Site Scripting vulnerability, which allows an attacker to execute arbitrary code via a crafted payload to the SCHOOLNAME, EMAILADDRES, CONTACTNO, COMPANYNAME and COMPANYCONTACTNO parameters in controller.php.
2024-08-23 not yet calculated

 
N/A -- N/A

 
eScan Management Console 14.0.1400.2281 is vulnerable to Incorrect Access Control via acteScanAVReport.
2024-08-20 not yet calculated
 
N/A -- N/A

cron/entry.c in vixie cron before 9cc8ab1, as used in OpenBSD 7.4 and 7.5, allows a heap-based buffer underflow and memory corruption. NOTE: this issue was introduced during a May 2023 refactoring.
2024-08-20 not yet calculated


 
Linux -- Linux

 
In the Linux kernel, the following vulnerability has been resolved: net: usb: qmi_wwan: fix memory leak for not ip packets Free the unused skb when not ip packets arrive.
2024-08-20 not yet calculated







 
Linux -- Linux

 
In the Linux kernel, the following vulnerability has been resolved: net: wan: fsl_qmc_hdlc: Convert carrier_lock spinlock to a mutex The carrier_lock spinlock protects the carrier detection. While it is held, framer_get_status() is called which in turn takes a mutex. This is not correct and can lead to a deadlock. A run with PROVE_LOCKING enabled detected the issue: [ BUG: Invalid wait context ] ... c204ddbc (&framer->mutex){+.+.}-{3:3}, at: framer_get_status+0x40/0x78 other info that might help us debug this: context-{4:4} 2 locks held by ifconfig/146: #0: c0926a38 (rtnl_mutex){+.+.}-{3:3}, at: devinet_ioctl+0x12c/0x664 #1: c2006a40 (&qmc_hdlc->carrier_lock){....}-{2:2}, at: qmc_hdlc_framer_set_carrier+0x30/0x98 Avoid the spinlock usage and convert carrier_lock to a mutex.
2024-08-21 not yet calculated

 
Linux -- Linux

 
In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Fix a deadlock in dma buf fence polling Introduce a version of the fence ops that on release doesn't remove the fence from the pending list, and thus doesn't require a lock to fix poll->fence wait->fence unref deadlocks. vmwgfx overwrites the wait callback to iterate over the list of all fences and update their status, to do that it holds a lock to prevent the list modifications from other threads. The fence destroy callback both deletes the fence and removes it from the list of pending fences, for which it holds a lock. dma buf polling cb unrefs a fence after it's been signaled: so the poll calls the wait, which signals the fences, which are being destroyed. The destruction tries to acquire the lock on the pending fences list which it can never get because it's held by the wait from which it was called. Old bug, but not a lot of userspace apps were using dma-buf polling interfaces. Fix those, in particular this fixes KDE stalls/deadlock.
2024-08-21 not yet calculated




 
Linux -- Linux
 
In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix CT entry update leaks of modify header context The cited commit allocates a new modify header to replace the old one when updating CT entry. But if failed to allocate a new one, eg. exceed the max number firmware can support, modify header will be an error pointer that will trigger a panic when deallocating it. And the old modify header point is copied to old attr. When the old attr is freed, the old modify header is lost. Fix it by restoring the old attr to attr when failed to allocate a new modify header context. So when the CT entry is freed, the right modify header context will be freed. And the panic of accessing error pointer is also fixed.
2024-08-21 not yet calculated


 
Linux -- Linux

 
In the Linux kernel, the following vulnerability has been resolved: s390/fpu: Re-add exception handling in load_fpu_state() With the recent rewrite of the fpu code exception handling for the lfpc instruction within load_fpu_state() was erroneously removed. Add it again to prevent that loading invalid floating point register values cause an unhandled specification exception.
2024-08-21 not yet calculated

 
Linux -- Linux

 
In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Always drain health in shutdown callback There is no point in recovery during device shutdown. If health work started need to wait for it to avoid races and NULL pointer access. Hence, drain health WQ on shutdown callback.
2024-08-21 not yet calculated


 
Linux -- Linux

 
In the Linux kernel, the following vulnerability has been resolved: drm/nouveau: prime: fix refcount underflow Calling nouveau_bo_ref() on a nouveau_bo without initializing it (and hence the backing ttm_bo) leads to a refcount underflow. Instead of calling nouveau_bo_ref() in the unwind path of drm_gem_object_init(), clean things up manually. (cherry picked from commit 1b93f3e89d03cfc576636e195466a0d728ad8de5)
2024-08-21 not yet calculated






 
Linux -- Linux

 
In the Linux kernel, the following vulnerability has been resolved: riscv/purgatory: align riscv_kernel_entry When alignment handling is delegated to the kernel, everything must be word-aligned in purgatory, since the trap handler is then set to the kexec one. Without the alignment, hitting the exception would ultimately crash. On other occasions, the kernel's handler would take care of exceptions. This has been tested on a JH7110 SoC with oreboot and its SBI delegating unaligned access exceptions and the kernel configured to handle them.
2024-08-21 not yet calculated

 
Linux -- Linux

 
In the Linux kernel, the following vulnerability has been resolved: perf: Fix event leak upon exec and file release The perf pending task work is never waited upon the matching event release. In the case of a child event, released via free_event() directly, this can potentially result in a leaked event, such as in the following scenario that doesn't even require a weak IRQ work implementation to trigger: schedule() prepare_task_switch() =======> <NMI> perf_event_overflow() event->pending_sigtrap = ... irq_work_queue(&event->pending_irq) <======= </NMI> perf_event_task_sched_out() event_sched_out() event->pending_sigtrap = 0; atomic_long_inc_not_zero(&event->refcount) task_work_add(&event->pending_task) finish_lock_switch() =======> <IRQ> perf_pending_irq() //do nothing, rely on pending task work <======= </IRQ> begin_new_exec() perf_event_exit_task() perf_event_exit_event() // If is child event free_event() WARN(atomic_long_cmpxchg(&event->refcount, 1, 0) != 1) // event is leaked Similar scenarios can also happen with perf_event_remove_on_exec() or simply against concurrent perf_event_release(). Fix this with synchronizing against the possibly remaining pending task work while freeing the event, just like is done with remaining pending IRQ work. This means that the pending task callback neither need nor should hold a reference to the event, preventing it from ever being freed.
2024-08-21 not yet calculated




 
Linux -- Linux

 
In the Linux kernel, the following vulnerability has been resolved: perf: Fix event leak upon exit When a task is scheduled out, pending sigtrap deliveries are deferred to the target task upon resume to userspace via task_work. However failures while adding an event's callback to the task_work engine are ignored. And since the last call for events exit happen after task work is eventually closed, there is a small window during which pending sigtrap can be queued though ignored, leaking the event refcount addition such as in the following scenario: TASK A ----- do_exit() exit_task_work(tsk); <IRQ> perf_event_overflow() event->pending_sigtrap = pending_id; irq_work_queue(&event->pending_irq); </IRQ> =========> PREEMPTION: TASK A -> TASK B event_sched_out() event->pending_sigtrap = 0; atomic_long_inc_not_zero(&event->refcount) // FAILS: task work has exited task_work_add(&event->pending_task) [...] <IRQ WORK> perf_pending_irq() // early return: event->oncpu = -1 </IRQ WORK> [...] =========> TASK B -> TASK A perf_event_exit_task(tsk) perf_event_exit_event() free_event() WARN(atomic_long_cmpxchg(&event->refcount, 1, 0) != 1) // leak event due to unexpected refcount == 2 As a result the event is never released while the task exits. Fix this with appropriate task_work_add()'s error handling.
2024-08-21 not yet calculated




 
Linux -- Linux

 
In the Linux kernel, the following vulnerability has been resolved: devres: Fix memory leakage caused by driver API devm_free_percpu() It will cause memory leakage when use driver API devm_free_percpu() to free memory allocated by devm_alloc_percpu(), fixed by using devres_release() instead of devres_destroy() within devm_free_percpu().
2024-08-21 not yet calculated







 
Linux -- Linux

 
In the Linux kernel, the following vulnerability has been resolved: RDMA/hns: Fix soft lockup under heavy CEQE load CEQEs are handled in interrupt handler currently. This may cause the CPU core staying in interrupt context too long and lead to soft lockup under heavy load. Handle CEQEs in BH workqueue and set an upper limit for the number of CEQE handled by a single call of work handler.
2024-08-21 not yet calculated

 
Linux -- Linux

 
In the Linux kernel, the following vulnerability has been resolved: vhost/vsock: always initialize seqpacket_allow There are two issues around seqpacket_allow: 1. seqpacket_allow is not initialized when socket is created. Thus if features are never set, it will be read uninitialized. 2. if VIRTIO_VSOCK_F_SEQPACKET is set and then cleared, then seqpacket_allow will not be cleared appropriately (existing apps I know about don't usually do this but it's legal and there's no way to be sure no one relies on this). To fix: - initialize seqpacket_allow after allocation - set it unconditionally in set_features
2024-08-21 not yet calculated




 
Linux -- Linux
 
In the Linux kernel, the following vulnerability has been resolved: crypto: ccp - Fix null pointer dereference in __sev_snp_shutdown_locked Fix a null pointer dereference induced by DEBUG_TEST_DRIVER_REMOVE. Return from __sev_snp_shutdown_locked() if the psp_device or the sev_device structs are not initialized. Without the fix, the driver will produce the following splat:
2024-08-21 not yet calculated

 
Linux -- Linux

 
In the Linux kernel, the following vulnerability has been resolved: PCI: endpoint: Clean up error handling in vpci_scan_bus() Smatch complains about inconsistent NULL checking in vpci_scan_bus(): drivers/pci/endpoint/functions/pci-epf-vntb.c:1024 vpci_scan_bus() error: we previously assumed 'vpci_bus' could be null (see line 1021) Instead of printing an error message and then crashing we should return an error code and clean up. Also the NULL check is reversed so it prints an error for success instead of failure.
2024-08-21 | not yet calculated




 
Linux -- Linux

 
In the Linux kernel, the following vulnerability has been resolved: PCI: rcar: Demote WARN() to dev_warn_ratelimited() in rcar_pcie_wakeup() Avoid large backtrace, it is sufficient to warn the user that there has been a link problem. Either the link has failed and the system is in need of maintenance, or the link continues to work and user has been informed. The message from the warning can be looked up in the sources. This makes an actual link issue less verbose. First of all, this controller has a limitation in that the controller driver has to assist the hardware with transition to L1 link state by writing L1IATN to PMCTRL register, the L1 and L0 link state switching is not fully automatic on this controller. In case of an ASMedia ASM1062 PCIe SATA controller which does not support ASPM, on entry to suspend or during platform pm_test, the SATA controller enters D3hot state and the link enters L1 state. If the SATA controller wakes up before rcar_pcie_wakeup() was called and returns to D0, the link returns to L0 before the controller driver even started its transition to L1 link state. At this point, the SATA controller did send an PM_ENTER_L1 DLLP to the PCIe controller and the PCIe controller received it, and the PCIe controller did set PMSR PMEL1RX bit. Once rcar_pcie_wakeup() is called, if the link is already back in L0 state and PMEL1RX bit is set, the controller driver has no way to determine if it should perform the link transition to L1 state, or treat the link as if it is in L0 state. Currently the driver attempts to perform the transition to L1 link state unconditionally, which in this specific case fails with a PMSR L1FAEG poll timeout, however the link still works as it is already back in L0 state. Reduce this warning verbosity. In case the link is really broken, the rcar_pcie_config_access() would fail, otherwise it will succeed and any system with this controller and ASM1062 can suspend without generating a backtrace.
2024-08-21 | not yet calculated



 
Linux -- Linux

 
In the Linux kernel, the following vulnerability has been resolved: media: pci: ivtv: Add check for DMA map result In case DMA fails, 'dma->SG_length' is 0. This value is later used to access 'dma->SGarray[dma->SG_length - 1]', which will cause out of bounds access. Add check to return early on invalid value. Adjust warnings accordingly. Found by Linux Verification Center (linuxtesting.org) with SVACE.
2024-08-21 | not yet calculated



 
Linux -- Linux

 
In the Linux kernel, the following vulnerability has been resolved: xfrm: Fix input error path memory access When there is a misconfiguration of input state slow path KASAN report error. Fix this error. [...] ---truncated---
2024-08-21 | not yet calculated

 
Linux -- Linux

 
In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: handle 2x996 RU allocation in cfg80211_calculate_bitrate_he() Currently NL80211_RATE_INFO_HE_RU_ALLOC_2x996 is not handled in cfg80211_calculate_bitrate_he(), leading to below warning: kernel: invalid HE MCS: bw:6, ru:6 kernel: WARNING: CPU: 0 PID: 2312 at net/wireless/util.c:1501 cfg80211_calculate_bitrate_he+0x22b/0x270 [cfg80211] Fix it by handling 2x996 RU allocation in the same way as 160 MHz bandwidth.
2024-08-21 | not yet calculated







 
Linux -- Linux

 
In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_acl_erp: Fix object nesting warning ACLs in Spectrum-2 and newer ASICs can reside in the algorithmic TCAM (A-TCAM) or in the ordinary circuit TCAM (C-TCAM). The former can contain more ACLs (i.e., tc filters), but the number of masks in each region (i.e., tc chain) is limited. In order to mitigate the effects of the above limitation, the device allows filters to share a single mask if their masks only differ in up to 8 consecutive bits. For example, dst_ip/25 can be represented using dst_ip/24 with a delta of 1 bit. The C-TCAM does not have a limit on the number of masks being used (and therefore does not support mask aggregation), but can contain a limited number of filters. The driver uses the "objagg" library to perform the mask aggregation by passing it objects that consist of the filter's mask and whether the filter is to be inserted into the A-TCAM or the C-TCAM since filters in different TCAMs cannot share a mask. The set of created objects is dependent on the insertion order of the filters and is not necessarily optimal. Therefore, the driver will periodically ask the library to compute a more optimal set ("hints") by looking at all the existing objects. When the library asks the driver whether two objects can be aggregated the driver only compares the provided masks and ignores the A-TCAM / C-TCAM indication. This is the right thing to do since the goal is to move as many filters as possible to the A-TCAM. The driver also forbids two identical masks from being aggregated since this can only happen if one was intentionally put in the C-TCAM to avoid a conflict in the A-TCAM. 
The above can result in the following set of hints: H1: {mask X, A-TCAM} -> H2: {mask Y, A-TCAM} // X is Y + delta H3: {mask Y, C-TCAM} -> H4: {mask Z, A-TCAM} // Y is Z + delta After getting the hints from the library the driver will start migrating filters from one region to another while consulting the computed hints and instructing the device to perform a lookup in both regions during the transition. Assuming a filter with mask X is being migrated into the A-TCAM in the new region, the hints lookup will return H1. Since H2 is the parent of H1, the library will try to find the object associated with it and create it if necessary in which case another hints lookup (recursive) will be performed. This hints lookup for {mask Y, A-TCAM} will either return H2 or H3 since the driver passes the library an object comparison function that ignores the A-TCAM / C-TCAM indication. This can eventually lead to nested objects which are not supported by the library [1]. Fix by removing the object comparison function from both the driver and the library as the driver was the only user. That way the lookup will only return exact matches. I do not have a reliable reproducer that can reproduce the issue in a timely manner, but before the fix the issue would reproduce in several minutes and with the fix it does not reproduce in over an hour. Note that the current usefulness of the hints is limited because they include the C-TCAM indication and represent aggregation that cannot actually happen. This will be addressed in net-next. [1] WARNING: CPU: 0 PID: 153 at lib/objagg.c:170 objagg_obj_parent_assign+0xb5/0xd0 Modules linked in: CPU: 0 PID: 153 Comm: kworker/0:18 Not tainted 6.9.0-rc6-custom-g70fbc2c1c38b #42 Hardware name: Mellanox Technologies Ltd. MSN3700C/VMOD0008, BIOS 5.11 10/10/2018 Workqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work RIP: 0010:objagg_obj_parent_assign+0xb5/0xd0 [...] 
Call Trace: <TASK> __objagg_obj_get+0x2bb/0x580 objagg_obj_get+0xe/0x80 mlxsw_sp_acl_erp_mask_get+0xb5/0xf0 mlxsw_sp_acl_atcam_entry_add+0xe8/0x3c0 mlxsw_sp_acl_tcam_entry_create+0x5e/0xa0 mlxsw_sp_acl_tcam_vchunk_migrate_one+0x16b/0x270 mlxsw_sp_acl_tcam_vregion_rehash_work+0xbe/0x510 process_one_work+0x151/0x370
2024-08-21 | not yet calculated






 
Linux -- Linux

 
In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: change DMA direction while mapping reinjected packets For fragmented packets, ath12k reassembles each fragment as a normal packet and then reinjects it into HW ring. In this case, the DMA direction should be DMA_TO_DEVICE, not DMA_FROM_DEVICE. Otherwise, an invalid payload may be reinjected into the HW and subsequently delivered to the host. Given that arbitrary memory can be allocated to the skb buffer, knowledge about the data contained in the reinjected buffer is lacking. Consequently, there's a risk of private information being leaked. Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.1.1-00209-QCAHKSWPL_SILICONZ-1
2024-08-21 | not yet calculated


 
Linux -- Linux

 
In the Linux kernel, the following vulnerability has been resolved: exec: Fix ToCToU between perm check and set-uid/gid usage When opening a file for exec via do_filp_open(), permission checking is done against the file's metadata at that moment, and on success, a file pointer is passed back. Much later in the execve() code path, the file metadata (specifically mode, uid, and gid) is used to determine if/how to set the uid and gid. However, those values may have changed since the permissions check, meaning the execution may gain unintended privileges. For example, if a file could change permissions from executable and not set-id: ---------x 1 root root 16048 Aug 7 13:16 target to set-id and non-executable: ---S------ 1 root root 16048 Aug 7 13:16 target it is possible to gain root privileges when execution should have been disallowed. While this race condition is rare in real-world scenarios, it has been observed (and proven exploitable) when package managers are updating the setuid bits of installed programs. Such files start with being world-executable but then are adjusted to be group-exec with a set-uid bit. For example, "chmod o-x,u+s target" makes "target" executable only by uid "root" and gid "cdrom", while also becoming setuid-root: -rwxr-xr-x 1 root cdrom 16048 Aug 7 13:16 target becomes: -rwsr-xr-- 1 root cdrom 16048 Aug 7 13:16 target But racing the chmod means users without group "cdrom" membership can get the permission to execute "target" just before the chmod, and when the chmod finishes, the exec reaches bprm_fill_uid(), and performs the setuid to root, violating the expressed authorization of "only cdrom group members can setuid to root". Re-check that we still have execute permissions in case the metadata has changed. It would be better to keep a copy from the perm-check time, but until we can do that refactoring, the least-bad option is to do a full inode_permission() call (under inode lock). 
It is understood that this is safe against dead-locks, but hardly optimal.
2024-08-21 | not yet calculated







 
Linux -- Linux

 
In the Linux kernel, the following vulnerability has been resolved: usb: vhci-hcd: Do not drop references before new references are gained At a few places the driver carries stale pointers to references that can still be used. Make sure that does not happen. This strictly speaking closes ZDI-CAN-22273, though there may be similar races in the driver.
2024-08-23 | not yet calculated







 
n/a--n/a
 
Pi-hole before 6 allows unauthenticated admin/api.php?setTempUnit= calls to change the temperature units of the web dashboard. NOTE: the supplier reportedly does "not consider the bug a security issue" but the specific motivation for letting arbitrary persons change the value (Celsius, Fahrenheit, or Kelvin), seen by the device owner, is unclear.
2024-08-19 | not yet calculated

 
N/A -- N/A

 
An issue was discovered in UCI IDOL 2 (aka uciIDOL or IDOL2) through 2.12. Data is sent between client and server with encryption. However, the key is derived from the string "(c)2007 UCI Software GmbH B.Boll" (without quotes). The key is both static and hardcoded. With access to messages, this results in message decryption and encryption by an attacker. Thus, it enables passive and active man-in-the-middle attacks.
2024-08-22 | not yet calculated




 
N/A -- N/A

 
An issue was discovered in Matrix libolm (aka Olm) through 3.2.16. There is Ed25519 signature malleability due to lack of validation criteria (does not ensure that S < n). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
2024-08-22 | not yet calculated



 
N/A -- N/A

 
An issue was discovered in llama_index before 0.10.38. download/integration.py includes an exec call for import {cls_name}.
2024-08-22 | not yet calculated

 
N/A -- N/A

 
An issue was discovered in Fort before 1.6.3. A malicious RPKI repository that descends from a (trusted) Trust Anchor can serve (via rsync or RRDP) an ROA or a Manifest containing a signedAttrs encoded in non-canonical form. This bypasses Fort's BER decoder, reaching a point in the code that panics when faced with data not encoded in DER. Because Fort is an RPKI Relying Party, a panic can lead to Route Origin Validation unavailability, which can lead to compromised routing.
2024-08-24 | not yet calculated
 
N/A -- N/A

 
An issue was discovered in Fort before 1.6.3. A malicious RPKI repository that descends from a (trusted) Trust Anchor can serve (via rsync or RRDP) a resource certificate containing an Authority Key Identifier extension that lacks the keyIdentifier field. Fort references this pointer without sanitizing it first. Because Fort is an RPKI Relying Party, a crash can lead to Route Origin Validation unavailability, which can lead to compromised routing.
2024-08-24 | not yet calculated
 
N/A -- N/A

 
An issue was discovered in Fort before 1.6.3. A malicious RPKI repository that descends from a (trusted) Trust Anchor can serve (via rsync or RRDP) a signed object containing an empty signedAttributes field. Fort accesses the set's elements without sanitizing it first. Because Fort is an RPKI Relying Party, a crash can lead to Route Origin Validation unavailability, which can lead to compromised routing.
2024-08-24 | not yet calculated
 
-- N/A

 
An issue was discovered in Fort before 1.6.3. A malicious RPKI repository that descends from a (trusted) Trust Anchor can serve (via rsync or RRDP) a resource certificate containing a Key Usage extension composed of more than two bytes of data. Fort writes this string into a 2-byte buffer without properly sanitizing its length, leading to a buffer overflow.
2024-08-24 | not yet calculated
 
N/A -- N/A

 
An issue was discovered in Fort before 1.6.3. A malicious RPKI repository that descends from a (trusted) Trust Anchor can serve (via rsync or RRDP) a resource certificate containing a bit string that doesn't properly decode into a Subject Public Key. OpenSSL does not report this problem during parsing, and when compiled with OpenSSL libcrypto versions below 3, Fort recklessly dereferences the pointer. Because Fort is an RPKI Relying Party, a crash can lead to Route Origin Validation unavailability, which can lead to compromised routing.
2024-08-24 | not yet calculated
 
N/A -- N/A

 
An issue was discovered in Fort before 1.6.3. A malicious RPKI repository that descends from a (trusted) Trust Anchor can serve (via rsync or RRDP) an ROA or a Manifest containing a null eContent field. Fort dereferences the pointer without sanitizing it first. Because Fort is an RPKI Relying Party, a crash can lead to Route Origin Validation unavailability, which can lead to compromised routing.
2024-08-24 | not yet calculated
 
N/A -- N/A

 
The TikTok (aka com.zhiliaoapp.musically) application before 34.5.5 for Android allows the takeover of Lynxview JavaScript interfaces via deeplink traversal (in the application's exposed WebView). (On Android 12 and later, this is only exploitable by third-party applications.)
2024-08-24 | not yet calculated
 
Centreon -- Centreon

 
Centreon updateServiceHost SQL Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Centreon. Authentication is required to exploit this vulnerability. The specific flaw exists within the updateServiceHost function. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of the apache user. Was ZDI-CAN-23294.
2024-08-21 | not yet calculated
 
Centreon -- Centreon

 
Centreon initCurveList SQL Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Centreon. Authentication is required to exploit this vulnerability. The specific flaw exists within the initCurveList function. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of the apache user. Was ZDI-CAN-22683.
2024-08-21 | not yet calculated
 
GitHub -- GitHub Enterprise Server

 
An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed a GitHub App with only content: read and pull_request_write: write permissions to read issue content inside a private repository. This was only exploitable via user access token and installation access token was not impacted. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.14 and was fixed in versions 3.13.3, 3.12.8, 3.11.14 and 3.10.16. This vulnerability was reported via the GitHub Bug Bounty program.
2024-08-20 | not yet calculated



 
Unknown -- Ditty

 
The Ditty WordPress plugin before 3.1.46 re-introduced a previously fixed security issue (https://wpscan.com/vulnerability/80a9eb3a-2cb1-4844-9004-ba2554b2d46c/) in v3.1.39
2024-08-23 | not yet calculated
 
GitHub -- GitHub Enterprise Server

 
An XML signature wrapping vulnerability was present in GitHub Enterprise Server (GHES) when using SAML authentication with specific identity providers utilizing publicly exposed signed federation metadata XML. This vulnerability allowed an attacker with direct network access to GitHub Enterprise Server to forge a SAML response to provision and/or gain access to a user with site administrator privileges. Exploitation of this vulnerability would allow unauthorized access to the instance without requiring prior authentication. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.14 and was fixed in versions 3.13.3, 3.12.8, 3.11.14, and 3.10.16. This vulnerability was reported via the GitHub Bug Bounty program.
2024-08-20 | not yet calculated



 
NETGEAR -- ProSAFE Network Management System

 
NETGEAR ProSAFE Network Management System getSortString SQL Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NETGEAR ProSAFE Network Management System. Authentication is required to exploit this vulnerability. The specific flaw exists within the getSortString method. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-23207.
2024-08-21 | not yet calculated

 
NETGEAR -- ProSAFE Network Management System

 
NETGEAR ProSAFE Network Management System getFilterString SQL Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NETGEAR ProSAFE Network Management System. Authentication is required to exploit this vulnerability. The specific flaw exists within the getFilterString method. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-23399.
2024-08-21 | not yet calculated

 
OpenText™ -- Network Node Manager i (NNMi)

 
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in OpenText™ Network Node Manager i (NNMi) could allow Cross-Site Scripting (XSS). This issue affects Network Node Manager i (NNMi): 2022.11, 2023.05, 23.4, 24.2.
2024-08-23 | not yet calculated
 
OpenText™ -- Network Node Manager i (NNMi)

 
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in OpenText™ Network Node Manager i (NNMi) allows URL Redirector Abuse. This issue affects Network Node Manager i (NNMi): 2022.11, 2023.05, 23.4, 24.2.
2024-08-23 | not yet calculated
 
GitHub -- GitHub Enterprise Server

 
An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server, allowing an attacker to update the title, assignees, and labels of any issue inside a public repository. This was only exploitable inside a public repository. This vulnerability affected GitHub Enterprise Server versions before 3.14 and was fixed in versions 3.13.3, 3.12.8, and 3.11.14. Versions 3.10 of GitHub Enterprise Server are not affected. This vulnerability was reported via the GitHub Bug Bounty program.
2024-08-20 | not yet calculated


 
Foxit -- PDF Reader


 
Foxit PDF Reader Doc Object Use-After-Free Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit PDF Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of Doc objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-23702.
2024-08-21 | not yet calculated

 
Foxit -- PDF Reader

 
Foxit PDF Reader AcroForm Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of AcroForms. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-23736.
2024-08-21 | not yet calculated

 
Foxit -- PDF Reader


 
Foxit PDF Reader AcroForm Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of AcroForms. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-23900.
2024-08-21 | not yet calculated

 
Foxit -- PDF Reader

 
Foxit PDF Reader AcroForm Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of AcroForms. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-23928.
2024-08-21 | not yet calculated

 
Rockwell Automation -- ThinManager® ThinServer

 
A vulnerability exists in the Rockwell Automation ThinManager® ThinServer that allows a threat actor to disclose sensitive information. A threat actor can exploit this vulnerability by abusing the ThinServer™ service to read arbitrary files by creating a junction that points to the target directory.
2024-08-23 | not yet calculated
 
pretix -- pretix

 
Stored XSS in organizer and event settings of pretix up to 2024.7.0 allows malicious event organizers to inject HTML tags into e-mail previews on settings page. The default Content Security Policy of pretix prevents execution of attacker-provided scripts, making exploitation unlikely. However, combined with a CSP bypass (which is not currently known) the vulnerability could be used to impersonate other organizers or staff users.
2024-08-23 | not yet calculated
 


Cisco Secure Firewall

Do you have a firewall fit for today's challenges?

Does it harmonize your network, workload, and application security? Does it protect apps and employees in your hybrid or multicloud environment? Make sure you're covered.

Anticipate, act, and simplify with Secure Firewall

Overview video of Secure Firewall 4220 and software update

Cisco AI Assistant for Security demo

With workers, data, and offices located across the country and around the world, your firewall must be ready for anything. Secure Firewall helps you plan, prioritize, close gaps, and recover from disaster—stronger.

Lean on AI that simplifies policy management

Streamlining workflows. Finding misconfigurations. Auto-generating rules. With thousands of policies to manage and threats pouring in, Cisco AI Assistant saves time by simplifying how you manage firewall policy.

Achieve superior visibility

Regain visibility and control of your encrypted traffic and application environments. See more and detect more with Cisco Talos, while leveraging billions of signals across your infrastructure with security resilience.

Drive efficiency at scale

Secure Firewall supports advanced clustering, high availability, and multi-instance capabilities, enabling you to bring scalability, reliability, and productivity across your teams and hybrid network environments.

Make zero trust practical

Secure Firewall makes a zero-trust posture achievable and cost-effective with network, microsegmentation, and app security integrations. Automate access and anticipate what comes next.

Find the ideal firewall for your business

Cisco Secure Firewall

1000 Series

Best for smaller businesses and branch offices.

1200 Series

Advanced security for distributed enterprise branches in a compact, high-performing form factor.

3100 Series

Enhanced for medium-sized enterprises, with the flexibility to grow in the future.

4200 Series

Experience faster threat detection with greater visibility and the agility to safeguard large enterprise data center and campus networks.

9300 Series

Optimized for service providers and high-performance data centers.

Secure Firewall Threat Defense Virtual

Virtual firewalls for consistent policies across physical, cloud, and hyperconverged environments.

Secure Firewall ISA3000

Rugged design for manufacturing, industrial, and operational technology environments.

Secure WAF and bot protection

Enhance application security and resilience for today’s digital enterprise with Secure WAF and bot protection.

DDoS protection

Defend against attacks that flood your network with traffic, impacting access to apps and business-critical services.

Why migrate?

Level up your security posture with the latest capabilities for unified network and workload micro-segmentation protection.

Cisco Secure Firewall

Experience Firewall Management Center in action

See how you can centralize and simplify your firewall admin and intrusion prevention. With visibility across ever-changing and global networks, you can manage modern applications and malware outbreaks in real time.

Get 3 vital protections in a single step

You don't have to trade security for productivity. The Cisco Security Step-Up promotion deploys three powerful lines of defense that are simple, secure, and resilient for your business. Defend every critical attack vector–email, web traffic, and user credentials—in one easy step.

Explore the evolution of network security

We asked hundreds of IT and security professionals how they’re managing threats and using firewall in the face of AI, cloud complexity, and more. Here’s how they’re meeting those challenges.

Cisco Community: Connect with peers and experts

Cisco Community is your destination for product advice, a place to foster connections and share your knowledge.

Find the latest content and resources to help you learn more about Cisco Secure Firewall.

Add value to security solutions

Cisco Security Enterprise Agreement

Instant savings

Experience security software buying flexibility with one easy-to-manage agreement.

Services for security

Let the experts secure your business

Get more from your investments and enable constant vigilance to protect your organization.

Customer stories and insights

Powering fuel providers.

Ampol's global business includes refineries, fueling stations, and corporate offices. The company's infrastructure and retail operations are protected and connected with Cisco technology.

Ampol Limited

Reducing cybersecurity risk

A zero-trust approach to security protects the privacy of patients' personal data at this Ohio children's hospital.

Dayton Children’s

Better wireless access and security

A Texas school district turned to Cisco technology to bring ubiquitous, reliable wireless access to students while assuring proactive network monitoring capabilities.

Protecting networks and assets

A Michigan-based credit union protects the digital security of its hybrid workforce, customers, and assets with help from Cisco.

Lake Trust Credit Union

Boosting visibility and security

This Indiana university provides reliable and safe network access with Cisco's unified security ecosystem as its foundation for zero trust.

Marian University

The NFL relies on Cisco

From the draft to Super Bowl Sunday, the NFL relies on Cisco to protect billions of devices, endpoints, and users from cyber threats. What does that look like on game day? Watch the video on the story page to find out.

National Football League

Share your experience. Create a safer digital world.

Join us in shaping the future of cybersecurity and creating a safer digital world, one story at a time.

Simple, visible, and unified

Unify security across your high-performing data centers, providing superior visibility and efficiency. Then watch it work with ease.

https://educationhub.blog.gov.uk/2024/08/20/gcse-results-day-2024-number-grading-system/

GCSE results day 2024: Everything you need to know including the number grading system

Thousands of students across the country will soon be finding out their GCSE results and thinking about the next steps in their education.   

Here we explain everything you need to know about the big day, from when results day is, to the current 9-1 grading scale, to what your options are if your results aren’t what you’re expecting.  

When is GCSE results day 2024?  

GCSE results day will be taking place on Thursday the 22 August.     

The results will be made available to schools on Wednesday and available to pick up from your school by 8am on Thursday morning.  

Schools will issue their own instructions on how and when to collect your results.   

When did we change to a number grading scale?  

The shift to the numerical grading system was introduced in England in 2017 firstly in English language, English literature, and maths.  

By 2020 all subjects were shifted to number grades. This means anyone with GCSE results from 2017-2020 will have a combination of both letters and numbers.  

The numerical grading system was to signal more challenging GCSEs and to better differentiate between students’ abilities - particularly at higher grades between the A*-C grades. There used to be only 4 grades between A* and C; now, with the numerical grading scale, there are 6.

What do the number grades mean?  

The grades are ranked from 1, the lowest, to 9, the highest.  

The grades don’t exactly translate, but the two grading scales meet at three points as illustrated below.  

The image is a comparison chart from the UK Department for Education, showing the new GCSE grades (9 to 1) alongside the old grades (A* to G). Grade 9 aligns with A*, grades 8 and 7 with A, and so on, down to U, which remains unchanged. The "Results 2024" logo is in the bottom-right corner, with colourful stripes at the top and bottom.

The bottom of grade 7 is aligned with the bottom of grade A, while the bottom of grade 4 is aligned to the bottom of grade C.    

Meanwhile, the bottom of grade 1 is aligned to the bottom of grade G.  

What to do if your results weren’t what you were expecting?  

If your results weren’t what you were expecting, firstly don’t panic. You have options.  

First things first, speak to your school or college – they could be flexible on entry requirements if you’ve just missed your grades.   

They’ll also be able to give you the best tailored advice on whether re-sitting while studying for your next qualifications is a possibility.   

If you’re really unhappy with your results you can enter to resit all GCSE subjects in summer 2025. You can also take autumn exams in GCSE English language and maths.  

Speak to your sixth form or college to decide when it’s the best time for you to resit a GCSE exam.  

Look for other courses with different grade requirements     

Entry requirements vary depending on the college and course. Ask your school for advice, and call your college or another one in your area to see if there’s a space on a course you’re interested in.    

Consider an apprenticeship    

Apprenticeships combine a practical training job with study too. They’re open to you if you’re 16 or over, living in England, and not in full time education.  

As an apprentice you’ll be a paid employee, have the opportunity to work alongside experienced staff, gain job-specific skills, and get time set aside for training and study related to your role.   

You can find out more about how to apply here.

Talk to a National Careers Service (NCS) adviser    

The National Careers Service is a free resource that can help you with your career planning. Give them a call to discuss potential routes into higher education, further education, or the workplace.

Whatever your results, if you want to find out more about all your education and training options, as well as get practical advice about your exam results, visit the National Careers Service page and Skills for Careers to explore your study and work choices.

You may also be interested in:

  • Results day 2024: What's next after picking up your A level, T level and VTQ results?
  • When is results day 2024? GCSEs, A levels, T Levels and VTQs

Tags: GCSE grade equivalent, gcse number grades, GCSE results, gcse results day 2024, gsce grades old and new, new gcse grades

The Education Hub is a site for parents, pupils, education professionals and the media that captures all you need to know about the education system. You’ll find accessible, straightforward information on popular topics, Q&As, interviews, case studies, and more.

Please note that for media enquiries, journalists should call our central Newsdesk on 020 7783 8300. This media-only line operates from Monday to Friday, 8am to 7pm. Outside of these hours the number will divert to the duty media officer.

Members of the public should call our general enquiries line on 0370 000 2288.

IMAGES

  1. (PDF) Case Study on Inventory Management Improvement

  2. (PDF) Analysis of Inventory Management Performance

  3. inventory management and case studies

  4. A Case Study on Inventory Management

  5. Inventory Management System Definition and It's Benefits

  6. (PDF) A Case Study of Inventory Management System for an International

VIDEO

  1. Inventory Management System

  2. Inventory Management System

  3. Inventory Management System

  4. Case Study on Inventory Management Improvement

  5. Inventory Management System

  6. Warehouse Management System Inventory Reports Plus Accounting Fully Responsive Complete Demo

COMMENTS

  1. A Study of Inventory Management System Case Study

    Case Study. 1* Nazar Sohail, Krukshetra University. 2 Tariq Hussain Sheikh, Govt. Degree college Poonch, [email protected]. Abstract--- Inventory management is a challenging problem area ...

  2. Case Study: Inventory Management Practices at Walmart

    Walmart Inventory Management. Wal-Mart had developed an ability to cater to the individual needs of its stores. Stores could choose from a number of delivery plans. For instance, there was an accelerated delivery system by which stores located within a certain distance of a geographical center could receive replenishment within a day.

  3. Inventory Management Software: A Case Study

    Inventory management software is a powerful tool that helps businesses track, control, and optimize their inventory. It provides real-time visibility into stock levels, automates essential tasks like reordering and restocking, and enables businesses to make data-driven decisions to prevent stockouts or overstocking.

  4. Full article: The impact of inventory management practice on firms

    2.4.2. Inventory management practices and organizational competitiveness. Inventory management is very crucial to any organization that is improving on its performance and attaining high levels of customer satisfaction. According to Nzuza (Citation 2015), the material held by an organization makes up for most of the organization assets. Most ...

  5. PDF Inventory Management: A case study at Volvo Construction Equipment

    Further a site was visited, and the case study approach was adopted. While gathering data, semi-structured interviews were conducted with engineering, line management and ... In recent years as companies adopted lean manufacturing system, management of inventory in this system became lean inventory management (Eroglu & Hofer, 2011). According ...

  6. Simulation of inventory management systems in retail stores: A case study

    This study proposes a simulation of the inventory system in a supermarket. The simulation model is developed, tested and analyzed using the popular Arena software. The performance measures employed for investigation is the inventory level, and it is directly related to total cost, reorder point and service level.

  7. Analysis of the performance of inventory management systems using the

    These indicators provide a range of measures to evaluate the performance of an inventory management system. Then, we modeled and simulated our stock management system through a case study by a high-performance dynamic model, namely BDSPNs.

  8. A Case Study of Inventory Management System for an International

    Particularly, it did not make data-driven decisions, lacked an effective inventory management system, or knew which products had higher consumer demand, and thus worked under a high level of ...

  9. PDF Enhancing Inventory Management Decisions in a Bakery: A Case Study

    Keywords: inventory management · demand forecasting · bakery · case study 1 Introduction In practical terms, management inventory systems aim to optimise inventory levels and product flows in order to meet the forecast demand [1]. According to Vandeput [2], inventory policies aim to define when and how much a product has to be ordered or ...

  10. Quality of Inventory Management System: Case Study of BARMM-Ministry of

    The study recommends several strategies to improve the quality of the inventory management system, such as implementing a centralized inventory system, developing standard operating procedures for inventory management, and investing in training and development programs for staff.

  11. Case Study on Inventory Management Improvement

    This paper presents a case study for the assembling company on inventory management. It is proposed to use inventory management in order to decrease stock levels and to apply an agent system for ...

  12. Optimizing Inventory Management (A Real-Life Case Study): A ...

    Optimizing Inventory Management (A Real-Life Case Study): A Data-Driven Approach Objectives and Relevance. The primary focus of the project is on deriving insights into inventory trends and ...

  13. PDF A Case Study of Inventory Management System for an International

    The inventory control management practices consisted of recording each order's information in an Excel table. Specifically, this table included the number of products at the time of an order reception, the number of outgoing products to supply the sales branches, and the shelf number on which the product was located.

  14. Problems & Solutions in Inventory Management

    "This book is one of the most comprehensive books in inventory management. The authors provide some case studies, problems and solutions in each chapter. … This book is a must-read for people who want to learn about and master inventory management and its models, techniques and applications in real life." (Dharma Lesmono, Mathematical ...

  15. How to Improve Inventory Management

    A study by the Association for Supply Chain Management (APICS) found that companies using cycle counting systems could achieve inventory accuracy levels of 97% or higher. This contrasts with a traditional annual physical inventory system, which often results in lower overall accuracy due to a lack of frequent validation.

  16. A Study of Inventory Management System CASE STUDY

    This document presents a case study on inventory management for a small steel manufacturing company. It analyzes the company's inventory levels, stock turnover rates, and relationships between inventory levels and financial performance from 2011-2014. The study found the company had issues like disorganized inventory and inaccurate records that impacted financial performance. It provides ...

  17. A Case Study of Inventory Management System for an International

    Effective inventory management influences every aspect of a firm's operations. Inventory management in developing countries is a difficult business process because firms do not use basic inventory control concepts and techniques. Moreover, developing countries are characterized by trade imbalances with developed countries due to process inefficiencies, bureaucracy, and communication problems ...

  18. Case Study on Inventory Management Improvement

    Therefore, the task of inventory management is to find the quantity of inventories that will fulfil the demand, avoiding overstocks. This paper presents a case study for the assembling company on inventory management. It is proposed to use inventory management in order to decrease stock levels and to apply an agent system for automation of ...

  19. A Study of Inventory Management System Case Study: Journal of ...

    This document summarizes a case study on inventory management systems. It discusses challenges with inventory management including balancing inventory levels to meet demand while avoiding excess costs. The case study examines a small steel manufacturing company, finding issues like disorganized inventory and inaccurate records. A relationship was found between inventory levels (measured in ...

  20. Analyzing economic effect on mRNA vaccine inventory management with

    Case 1: Distinct mean and standard deviation. Figure 1 presents the total cost for a two-day operational period at varying initial inventory levels and under different demand distributions. The ...

  21. Explainable AI in Manufacturing and Industrial Cyber-Physical Systems

    Artificial intelligence (AI) imitates natural intelligence in machines by mimicking human thinking and problem-solving capabilities. Industrial and manufacturing systems, and, in particular, industrial cyber-physical systems (ICPS) can greatly benefit from AI as they are continually looking for ways to reduce the operational and maintenance costs, improve the process efficiency, and enhance ...

  22. Mitigate Flooding

    Economic Assessment of Green Infrastructure Strategies for Climate Change Adaptation: Pilot Studies in the Great Lakes Region (pdf) — This National Oceanic and Atmospheric Administration study assesses stormwater management practices that can help communities reduce flooding by capturing, storing, or absorbing more water from precipitation ...

  23. A Study on Inventory Management System: A Case Study of Hindustan

    PDF | On Dec 30, 2021, Dr. Deepak S. Sharma and others published A Study on Inventory Management System: A Case Study of Hindustan Aeronautics Limited (HAL), Nashik | Find, read and cite all the ...

  24. Cisco Catalyst IE9300 Rugged Series

    Create smarter, safer, and faster industrial networks. Boost performance, scale, visibility, and security with switches designed for a wide variety of use cases across multiple industries.

  25. Comprehensive assessment of current municipal solid waste management in

    Chennai city has implemented numerous strategies and plans to effectively manage the municipal solid waste by the municipal corporation. One of the prime strategy is the establishment of public-private partnership schemes, which play a crucial role in enhancing waste management practices. This case study focus to assess the conservancy operations carried out by multiple stakeholders in order ...

  26. Vulnerability Summary for the Week of August 19, 2024

    School Management System commit bae5aa was discovered to contain a SQL injection vulnerability via the transport parameter at vehicle.php. 2024-08-20: 9.8: CVE-2024-42568: [email protected] : n/a--n/a : School Management System commit bae5aa was discovered to contain a SQL injection vulnerability via the medium parameter at paidclass.php. 2024-08 ...

  27. Cisco Secure Firewall

    Experience Firewall Management Center in action See how you can centralize and simplify your firewall admin and intrusion prevention. With visibility across ever-changing and global networks, you can manage modern applications and malware outbreaks in real time.

  28. GCSE results day 2024: Everything you need to know including the number

    The numerical grading system was to signal more challenging GCSEs and to better differentiate between students' abilities ... Q&As, interviews, case studies, and more. Please note that for media enquiries, journalists should call our central Newsdesk on 020 7783 8300. This media-only line operates from Monday to Friday, 8am to 7pm. Outside of ...