Loris · Loris · CVE-2026-26984
**Name of the Vulnerable Software and Affected Versions**
LORIS versions prior to 26.0.5
LORIS versions prior to 27.0.2
LORIS versions prior to 28.0.0
**Description**
LORIS is a self-hosted web application used for data and project management in neuroimaging research. An authenticated user with sufficient privileges to use the media module's file upload can exploit a path traversal flaw in the handling of the uploaded filename to write a malicious file to an arbitrary location on the server. Because the attacker controls both the file contents and its destination, successful exploitation could lead to remote code execution (RCE). If the server is configured as read-only, RCE is not possible, but the malicious file upload may still be achievable, so the integrity of the server's filesystem remains at risk.
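The pattern behind this class of bug, as an added example that is not LORIS's code: an upload handler that joins a client-supplied filename onto the upload directory lets `..` segments (or an absolute path) pick the destination, while the hardened version accepts only a bare basename and then re-checks the resolved path against the upload root. The upload root, the filenames and the payload below are constructed for the illustration.

```python
"""Path traversal in a file upload handler: the naive pattern beside a
hardened check. Added illustration, not code from LORIS; the upload root,
filenames and payload are constructed for the example."""
import os
import tempfile


def naive_destination(upload_root: str, user_filename: str) -> str:
    """Vulnerable pattern: trust the client-supplied filename.

    os.path.join keeps '..' segments, and an absolute filename discards
    upload_root entirely, so the client chooses the target path.
    """
    return os.path.normpath(os.path.join(upload_root, user_filename))


def escapes_root(upload_root: str, destination: str) -> bool:
    """True when destination resolves outside upload_root (symlinks followed)."""
    root = os.path.realpath(upload_root)
    dest = os.path.realpath(destination)
    return os.path.commonpath([root, dest]) != root


def safe_destination(upload_root: str, user_filename: str) -> str:
    """Hardened pattern: allow-list a bare basename, then re-check the
    resolved path. The second check catches what the first cannot see,
    for example an upload directory that is itself a symlink."""
    name = user_filename
    # Reject separators, NUL, empty names and the special directory names
    # outright. Stripping is not enough: "....//".replace("../", "")
    # collapses to "../", so filter-and-keep style sanitising is bypassable.
    if name in ("", ".", "..") or any(c in name for c in "/\\\0"):
        raise ValueError(f"rejected filename: {user_filename!r}")
    root = os.path.realpath(upload_root)
    dest = os.path.realpath(os.path.join(root, name))
    if escapes_root(root, dest):
        raise ValueError(f"rejected filename: {user_filename!r}")
    return dest


def is_rejected(upload_root: str, user_filename: str) -> bool:
    """Convenience wrapper: does the hardened check refuse this name?"""
    try:
        safe_destination(upload_root, user_filename)
    except ValueError:
        return True
    return False


def store_upload(upload_root: str, user_filename: str, data: bytes) -> str:
    """Write the upload under upload_root, or raise ValueError."""
    dest = safe_destination(upload_root, user_filename)
    with open(dest, "wb") as fh:
        fh.write(data)
    return dest


def demo() -> dict:
    """Run both handlers against a traversal payload and a benign name."""
    root = tempfile.mkdtemp(prefix="media_")  # constructed upload root
    payload = "../" * 10 + "tmp/shell.php"     # constructed traversal payload
    results = {
        "naive_escapes": escapes_root(root, naive_destination(root, payload)),
        "safe_rejects": is_rejected(root, payload),
        "benign_stored": False,
    }
    stored = store_upload(root, "scan.nii", b"constructed sample bytes")
    results["benign_stored"] = os.path.dirname(stored) == os.path.realpath(root)
    return results


if __name__ == "__main__":
    print(demo())
```

The check must run on the decoded filename the application actually uses for the write; validating the raw, still percent-encoded form and then decoding it afterwards reintroduces the traversal.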
**Recommendations**
Update LORIS to version 26.0.5 or later.
Update LORIS to version 27.0.2 or later.
Update LORIS to version 28.0.0 or later.
If the media module is not in use, disable it as a workaround until the update can be applied.