Dhiyaneshgeek

**Name of the Vulnerable Software and Affected Versions** pyLoad versions prior to 0.5.0b3.dev97 **Description** pyLoad's download engine accepts arbitrary URLs without validation, enabling Server-Side Request Forgery (SSRF) attacks. An authenticated attacker can exploit this to access internal network services and exfiltrate cloud provider metadata. On DigitalOcean droplets, this exposes sensitive infrastructure data including droplet ID, network configuration, region, authentication keys, and SSH keys configured in user-data/cloud-init. The vulnerability exists in the download package functionality accessible via the `/api/addPackage` endpoint, where user-supplied URLs are passed to the download engine without validation. The affected code is located in `src/pyload/webui/app/blueprints/api blueprint.py`. The download engine in `src/pyload/core/managers/download.py` accepts any URL scheme and initiates HTTP requests to arbitrary destinations. Exploitation involves submitting a malicious URL, such as `http://169.254.169.254/metadata/v1.json`, to retrieve cloud metadata. This can lead to cloud metadata theft, lateral movement, credential exposure, and infrastructure mapping. **Recommendations** Versions prior to 0.5.0b3.dev97: Update to version 0.5.0b3.dev97 or later. Implement URL validation in the download engine. Whitelist allowed URL schemes (http/https only). Block requests to private IP ranges (RFC 1918, link-local addresses). Block cloud metadata endpoints (169.254.169.254, metadata.google.internal, etc.).

**Name of the Vulnerable Software and Affected Versions** Chamilo LMS versions prior to 1.11.36 **Description** Chamilo LMS is a learning management system. A flaw exists in the H5P Import feature that allows authenticated users with the Teacher role to achieve Remote Code Execution (RCE). The system’s validation of H5P packages only confirms the presence of the `h5p.json` file, failing to block potentially harmful files like `.htaccess` or PHP files with alternative extensions. An attacker can upload a specially crafted H5P package containing a webshell and a `.htaccess` file. The `.htaccess` file enables PHP execution for `.txt` files, effectively bypassing security controls. The **API endpoint** involved is the H5P Import feature. The vulnerable component is the H5P package validation process, specifically the function that checks for the `h5p.json` file. The attacker manipulates the `h5p.json` file and associated files within the H5P package. **Recommendations** Update Chamilo LMS to version 1.11.36 or later.

**Name of the Vulnerable Software and Affected Versions** Glances versions prior to 4.5.2 **Description** Glances, a system cross-platform monitoring tool, has an issue where the web server runs without authentication by default when started with `glances -w`. This exposes a REST API containing sensitive system information, including process command-lines that may contain credentials like passwords, API keys, and tokens, to any network client. The API endpoints, such as `/api/4/system` and `/api/4/all`, allow access to system information, process lists, network connections, filesystems, and Docker containers. The vulnerable code resides in files like `glances/outputs/glances restful api.py` and `glances/plugins/processlist/ init .py`. The `cmdline` parameter within the process list API (`/api/4/processlist`) exposes full command-line arguments without sanitization. This can lead to complete system reconnaissance and credential harvesting, potentially enabling lateral movement and targeted attacks. **Recommendations** Versions prior to 4.5.2 should be updated to version 4.5.2 or later.

**Name of the Vulnerable Software and Affected Versions** Cloud CLI (aka Claude Code UI) versions prior to 1.25.0 **Description** Cloud CLI, a desktop and mobile UI for Claude Code, Cursor CLI, Codex, and Gemini-CLI, contains a flaw due to OS Command Injection via WebSocket Shell. The `projectPath` and `initialCommand` parameters in the `server/index.js` file are directly incorporated into a bash command string without proper sanitization, allowing for arbitrary OS command execution. A further injection point exists through the unsanitized `sessionId`. This issue allows unauthenticated remote code execution on any instance running with the default configuration. The root cause is the insecure default JWT secret combined with a WebSocket authentication function that bypasses database user validation. The vulnerability allows full OS command execution, file system access, credential theft, and potential lateral movement within the network. The `projectPath` parameter is also susceptible to double-quote escape injection. **Recommendations** Versions prior to 1.25.0 should be updated to version 1.25.0 or later. Enforce an explicit `JWT SECRET` environment variable and remove the insecure default value. Add a database user existence check in the WebSocket authentication process. Replace shell string interpolation with a spawn argument array.

**Nome do Software Vulnerável e Versões Afetadas** Versões do changedetection.io anteriores à 0.54.4 **Descrição** A aplicação changedetection.io permite que os usuários especifiquem expressões XPath como filtros de conteúdo via o campo `include filters`. Essas expressões XPath são processadas usando a biblioteca elementpath, que implementa as especificações XPath 3.0/3.1. O XPath 3.0 inclui a função `unparsed-text()`, que pode ler arquivos arbitrários do sistema de arquivos. A aplicação não valida ou sanitiza as expressões XPath para bloquear funções perigosas, permitindo que um atacante leia qualquer arquivo acessível ao processo da aplicação. O código vulnerável reside no arquivo `html tools.py`, especificamente dentro da função `xpath filter()` (linhas 187-220). A validação da aplicação em `forms.py` verifica apenas a validade sintática da expressão XPath e não impede o uso de funções perigosas como `unparsed-text()`. Um atacante pode explorar isso definindo o campo `include filters` com uma expressão XPath que utiliza `unparsed-text()` para ler arquivos arbitrários, como /etc/passwd. **Recomendações** Atualize para a versão 0.54.4 ou posterior do changedetection.io.