Jakeperalta7

**Nome do Software Vulnerável e Versões Afetadas** Tautulli versões anteriores a 2.17.1 **Description** Tautulli é uma ferramenta de monitoramento e rastreamento baseada em Python para o Plex Media Server. Um problema de path traversal no endpoint de exclusão de cache permite acesso autenticado via API para excluir diretórios fora do caminho de cache configurado, o que pode levar à perda arbitrária de dados e interrupção do serviço. Path traversal é uma técnica que permite a um invasor acessar arquivos ou diretórios fora da pasta pretendida usando caracteres especiais como "../". **Recommendations** Atualize para a versão 2.17.1.

**Name of the Vulnerable Software and Affected Versions** Tautulli versions prior to 2.17.0 **Description** Tautulli is a Python-based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.0, the `/newsletter/image/images` API endpoint is susceptible to a path traversal issue. This allows unauthenticated attackers to read arbitrary files from the application server’s filesystem. The vulnerable parameter is not explicitly mentioned. **Recommendations** Update to Tautulli version 2.17.0 or later.

**Name of the Vulnerable Software and Affected Versions** Zoraxy versions prior to 3.3.2 **Description** Zoraxy is a general purpose HTTP reverse proxy and forwarding tool. A path traversal vulnerability exists in the configuration import endpoint (`/api/conf/import`) when handling zip file entries. An authenticated user can exploit this to write arbitrary files outside the intended configuration directory. This can lead to Remote Code Execution (RCE) by creating a malicious plugin. The vulnerability is triggered by embedding "../" within a longer sequence to bypass sanitization checks during zip file processing. Specifically, the zip entry names sanitization is bypassed by embedding `../` inside a longer sequence so the replacement produces a new `../`. The vulnerable endpoint is `POST /api/conf/import`. The `username` and `password` are used for authentication. The vulnerability allows for the creation of a new plugin and modification of the entrypoint to add execution permissions to the plugin. **Recommendations** Versions prior to 3.3.2 should be updated to version 3.3.2 or later.