F1Vet

**Nginx-UI and Affected Versions** Nginx-UI versions 2.3.3 and prior **Description** Nginx-UI contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated user to access, modify, and delete resources belonging to other users. The application's base `Model` struct lacks a `user id` field, and all resource endpoints perform queries by ID without verifying user ownership, enabling complete authorization bypass in multi-user environments. The `dns.Config` structure contains API credentials, including `CF API TOKEN` for Cloudflare, `ALICLOUD ACCESS KEY` and `ALICLOUD SECRET KEY` for Alibaba Cloud DNS, `TENCENTCLOUD SECRET ID` and `TENCENTCLOUD SECRET KEY` for Tencent Cloud DNS, `AWS ACCESS KEY ID` and `AWS SECRET ACCESS KEY` for AWS Route53, and `GODADDY API KEY` and `GODADDY API SECRET` for GoDaddy. The combination of the IDOR vulnerability and plaintext storage of these credentials allows attackers to extract API tokens from other users' resources, potentially leading to DNS record modification, fraudulent SSL certificate issuance, and pivoting to cloud infrastructure. The application's base Model struct lacks a `user id` field, and all resource endpoints perform queries by ID without verifying user ownership, enabling complete authorization bypass in multi-user environments. **Recommendations** Versions prior to and including 2.3.3: Add a `user id` field to the base `Model` struct. Filter queries by the current user's ID. Add authorization middleware to verify resource ownership. Migrate existing data to include the `user id` and encrypt sensitive fields like DNS and ACME data using AES encryption.

**Name of the Vulnerable Software and Affected Versions** Traefik versions 2.11.40 and below Traefik versions 3.0.0-beta1 through 3.6.11 Traefik version 3.7.0-ea.1 **Description** Traefik’s BasicAuth middleware has a flaw that allows an unauthenticated attacker to enumerate valid usernames through a timing attack. When a valid username is submitted, the middleware performs a bcrypt password comparison, taking approximately 166 milliseconds. If the username is invalid, the response is returned immediately in about 0.6 milliseconds. This approximately 298-times timing difference is observable over the network, enabling an attacker to reliably identify valid usernames. **Recommendations** Update to Traefik version 2.11.41 or later. Update to Traefik version 3.6.11 or later. Update to Traefik version 3.7.0-ea.2 or later.

**Nome do Software Vulnerável e Versões Afetadas** Versões do CNCF K3s de 1.32 até 1.32.4-rc1+k3s1 **Descrição** O problema decorre de uma alteração na configuração do kubelet do Kubernetes, que, em determinadas situações, define a ReadOnlyPort como 10255. Isso poderia potencialmente permitir acesso não autenticado a esta porta, expondo credenciais, especialmente nos comportamentos padrão de instalação online do K3s. **Recomendações** Para as versões do CNCF K3s de 1.32 até 1.32.4-rc1+k3s1, atualize para a versão 1.32.4-rc1+k3s1 ou posterior para resolver o problema. Como medida paliativa temporária, considere restringir o acesso à porta 10255 para minimizar o risco de exploração.

**Name of the Vulnerable Software and Affected Versions** Ubiquiti Networks UniFi Dream Machine Pro version 7.2.95 **Description** The issue is related to insufficient access control in the software of the Ubiquiti Networks UniFi Dream Machine Pro, allowing remote attackers to bypass domain restrictions by sending crafted packets. **Recommendations** For Ubiquiti Networks UniFi Dream Machine Pro version 7.2.95, consider restricting access to the device until a patch is available to prevent exploitation of the domain restriction bypass issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.