Jorgectf

**Nome do software vulnerável e versões afetadas** gotortc versões 1.8.5 e anteriores **Descrição** O gotortc é um aplicativo de transmissão de câmera. A página inicial (`index.html`) exibe as transmissões disponíveis ao consultar a API no lado do cliente, utilizando `Object.entries` para percorrer os resultados e anexando o primeiro item (`name`) por meio de `innerHTML`. Isso leva a um cross-site scripting (XSS) baseado em DOM. Quando uma vítima acessa o servidor, seu navegador executa a solicitação contra a instância do go2rtc e, após a solicitação, o navegador é redirecionado para o go2rtc, onde o XSS é executado no contexto da origem do go2rtc. **Recomendações** Como solução temporária, considere desativar o uso de `innerHTML` para anexar dados fornecidos pelo usuário até que um patch esteja disponível. Restrinja o acesso à página `index.html` para minimizar o risco de exploração. Evite usar a variável `name` no endpoint da API afetado até que o problema seja resolvido. No momento, não há informações sobre uma versão mais recente que contenha uma correção para essa vulnerabilidade.

**Nome do software vulnerável e versões afetadas** gotortc versões 1.8.5 e anteriores **Descrição** A vulnerabilidade diz respeito a um aplicativo de transmissão de câmera. Ele permite a modificação da configuração existente com valores fornecidos pelo usuário por meio do endpoint `/api/config`. Embora essa API permita apenas que o localhost interaja sem autenticação, ela não está protegida contra Cross-Site Request Forgery (CSRF), permitindo solicitações de qualquer origem. Isso pode levar à execução de comandos arbitrários se um invasor adicionar um stream personalizado por meio de `api/config`, utilizando o manipulador `exec`. Quando uma vítima acessa o servidor, seu navegador executará as solicitações contra a instância do go2rtc. **Recomendações** Para as versões 1.8.5 e anteriores, considere desativar o manipulador `exec` e restringir o acesso ao endpoint `/api/config` para impedir a execução arbitrária de comandos até que uma correção esteja disponível. Além disso, certifique-se de que o go2rtc esteja configurado de forma segura no aplicativo upstream para minimizar o risco de exploração.

**Nome do software vulnerável e versões afetadas** gotortc versões 1.8.5 e anteriores **Descrição** O problema está relacionado a cross-site scripting baseado em DOM. A página de links (`links.html`) acrescenta o parâmetro GET `src` (`[0]`) em todos os seus links para visualizações com um clique. O contexto em que `src` está sendo anexado é `innerHTML` (`[1]`), o que inserirá o texto como HTML. **Recomendações** Para as versões 1.8.5 e anteriores, aplique o patch do commit 3b3d5b033aac3a019af64f83dec84f70ed2c8aba para resolver o problema. Como solução alternativa temporária, considere restringir o uso da página `links.html` ou desativar o recurso de visualização com um clique até que o patch seja aplicado. Evite usar o parâmetro `src` nos links afetados até que o problema seja resolvido.

**Name of the Vulnerable Software and Affected Versions** tj-actions/verify-changed-files versions prior to 17 **Description** The tj-actions/verify-changed-files action allows for command injection in changed filenames, allowing an attacker to execute arbitrary code and potentially leak secrets. The verify-changed-files workflow returns the list of files changed within a workflow execution. This could potentially allow filenames that contain special characters such as `;` which can be used by an attacker to take over the GitHub Runner if the output value is used in a raw fashion (thus being directly replaced before execution) inside a `run` block. By running custom commands, an attacker may be able to steal secrets such as `GITHUB TOKEN` if triggered on other events than `pull request`. **Recommendations** To resolve the issue, update to version 17 or later, which enables `safe output` by default and returns filename paths escaping special characters for bash environments. As a temporary workaround, consider using environment variables to store unsafe outputs, such as `CHANGED FILES`, to minimize the risk of exploitation. For example: ```yaml - name: List all changed files tracked and untracked files env: CHANGED FILES: ${{ steps.verify-changed-files.outputs.changed files }} run: | echo "Changed files: $CHANGED FILES" ```

**Name of the Vulnerable Software and Affected Versions** tj-actions/changed-files versions prior to 41.0.0 **Description** The `tj-actions/changed-files` workflow allows for command injection in changed filenames, allowing an attacker to execute arbitrary code and potentially leak secrets. This issue may lead to arbitrary command execution in the GitHub Runner. The action returns a list of files changed in a commit or pull request, which provides an `escape json` input that only escapes `"` for JSON values. This could potentially allow filenames that contain special characters such as `;` and `` ` `` (backtick) to be used by an attacker to take over the GitHub Runner if the output value is used in a raw fashion inside a `run` block. By running custom commands, an attacker may be able to steal secrets such as `GITHUB TOKEN` if triggered on other events than `pull request`. **Recommendations** For versions prior to 41.0.0, upgrade to version 41.0.0 or later to address the issue. As a temporary workaround, consider using environment variables to store unsafe outputs, and ensure that the output value is not used in a raw fashion inside a `run` block. For example, use the following code: ``` - name: List all changed files env: ALL CHANGED FILES: ${{ steps.changed-files.outputs.all changed files }} run: | for file in "$ALL CHANGED FILES"; do echo "$file was changed" done ```

**Name of the Vulnerable Software and Affected Versions** Nginx-UI versions prior to 2.0.0.beta.9 **Description** The issue concerns arbitrary command execution by abusing configuration settings in Nginx-UI, a web interface for managing Nginx configurations. The `Home > Preference` page exposes system settings such as `Run Mode`, `Jwt Secret`, `Node Secret`, and `Terminal Start Command`. Although the UI does not allow modification of the `Terminal Start Command` setting, it is possible to modify it by sending a request to the API. This can lead to authenticated remote code execution, privilege escalation, and information disclosure. **Recommendations** For versions prior to 2.0.0.beta.9, update to version 2.0.0.beta.9 or later to resolve the issue. As a temporary workaround, consider restricting access to the `Terminal Start Command` setting and limiting the ability to send requests to the API that could modify this setting. Additionally, restrict access to the `Home > Preference` page to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Nginx-ui versions prior to 2.0.0.beta.9 **Description** The issue is related to the Nginx UI server, where the API exposes certain settings such as `test config cmd`, `reload cmd`, and `restart cmd`, which can be modified by sending a request to the API, potentially leading to authenticated Remote Code Execution, Privilege Escalation, and Information Disclosure. **Recommendations** For versions prior to 2.0.0.beta.9, update to version 2.0.0.beta.9 or later to resolve the issue. As a temporary workaround, consider restricting access to the API endpoints that expose `test config cmd`, `reload cmd`, and `restart cmd` to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Nginx-UI versions prior to 2.0.0.beta.9 **Description** The issue is related to a lack of protection against SQL query structure exploitation in the Nginx UI server. This may allow a remote attacker to gain unauthorized access to protected information. The problem leads to information disclosure, where user-controlled query parameters `order` and `sort by` are appended to the `order` variable without sanitization, using `DefaultQuery` with default values for `"desc"` and `"id"`. **Recommendations** For versions prior to 2.0.0.beta.9, update to version 2.0.0.beta.9 or later to resolve the issue. As a temporary workaround, consider restricting access to the `order` and `sort by` query parameters in the affected API endpoint until a patch is available. Avoid using the `DefaultQuery` with default values for `"desc"` and `"id"` in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Apache Submarine versions 0.7.0 through 0.7.x **Description** The issue is caused by a bug in the serialization against YAML, specifically due to the use of snakeyaml. Apache Submarine uses JAXRS to define REST endpoints and handles YAML requests through a YamlEntityProvider entity provider. The readFrom method in YamlUtils.java processes incoming YAML requests, which can lead to the issue. The estimated number of potentially affected devices is not provided. There is no information about real-world incidents where this issue was exploited. **Recommendations** For Apache Submarine versions 0.7.0 through 0.7.x, upgrade to version 0.8.0 to fix the issue. As a temporary workaround for versions smaller than 0.8.0, consider cherry-picking PR and rebuilding the submarine-server image to fix this.

**Name of the Vulnerable Software and Affected Versions** Frigate versions prior to 0.13.0 Beta 3 **Description** Frigate is an open source network video recorder. The `config/save` and `config/set` endpoints of Frigate do not implement any CSRF protection, making it possible for a request sourced from another site to update the configuration of the Frigate server. Exploiting this issue requires the attacker to know specific information about a user's Frigate server and to trick an authenticated user into clicking a specially crafted link to their Frigate instance. This can lead to arbitrary configuration updates for the Frigate server, resulting in denial of service and possible data exfiltration. **Recommendations** For Frigate versions prior to 0.13.0 Beta 3, update to version 0.13.0 Beta 3 to resolve the issue. As a temporary workaround, consider restricting access to the `config/save` and `config/set` endpoints to minimize the risk of exploitation. Avoid exposing the Frigate server to the internet, even with authentication, and ensure that only trusted users have access to the server.

**Name of the Vulnerable Software and Affected Versions** Frigate versions prior to 0.13.0 Beta 3 **Description** Frigate is an open source network video recorder. An unsafe deserialization vulnerability was identified in the endpoints used to save configurations for Frigate, which can lead to unauthenticated remote code execution. This can be performed through the UI at "/config" or through a direct call to "/api/config/save". Exploiting this vulnerability requires the attacker to know specific information about a user's Frigate server and to trick an authenticated user into clicking a specially crafted link to their Frigate instance. The vulnerability can be exploited if Frigate is publicly exposed to the internet, the attacker knows the address of a user's Frigate instance, and the attacker can get an authenticated user to visit a specialized page and click a button/link. Input is initially accepted through `http.py` and then parsed and loaded by `load config with no duplicates`, which does not sanitize the input due to using `yaml.loader.Loader`. A provided payload will be executed directly at `frigate/util/builtin.py:110`, potentially leading to pre-authenticated Remote Code Execution. **Recommendations** For versions prior to 0.13.0 Beta 3, update to version 0.13.0 Beta 3 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/config" UI endpoint and the "/api/config/save" API endpoint to minimize the risk of exploitation. Additionally, avoid publicly exposing Frigate to the internet and limit access to trusted users to reduce the attack surface.

**Name of the Vulnerable Software and Affected Versions** Frigate versions prior to 0.13.0 Beta 3 **Description** Frigate is an open source network video recorder. There is a reflected cross-site scripting vulnerability in any API endpoints reliant on the `/` base path with a `/<camera name>` parameter, as values provided for the path are not sanitized. Exploiting this vulnerability requires the attacker to know specific information about a user's Frigate server and to trick an authenticated user into clicking a specially crafted link to their Frigate instance. This could be exploited if Frigate is publicly exposed to the internet, the attacker knows the address of a user's Frigate instance, crafts a specialized page linking to the user's Frigate instance, and gets an authenticated user to visit the page and click the link. The reflected values in the URL are not sanitized or escaped, allowing execution of arbitrary Javascript payloads. **Recommendations** For versions prior to 0.13.0 Beta 3, update to version 0.13.0 Beta 3 or later to resolve the issue. As a temporary workaround, consider restricting access to API endpoints reliant on the `/` base path with a `/<camera name>` parameter to minimize the risk of exploitation. Avoid using the `/<camera name>` base path in API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Common Voice version 1.88.2 **Description** The issue is related to reflected Cross-Site Scripting (XSS) in the context of Common Voice’s server origin, given that user-controlled data flows to a path expression. This may lead to reflected Cross-Site Scripting (XSS) attacks. The platform is used for collecting speech donations to create public domain datasets for training voice recognition-related tools. **Recommendations** For version 1.88.2, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cocos Engine (affected versions not specified) **Description** The issue concerns a command injection vulnerability in the `web-interface-check.yml` file of the Cocos Engine GitHub repository. This file was triggered by pull requests and contained a user-controllable field `github.head ref`, which is the name of the fork's branch. An attacker could exploit this to take over the GitHub Runner, run custom commands, and potentially steal secrets like `GITHUB TOKEN`, as well as alter the repository. The vulnerable workflow has been removed from the repository. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OneSignal (affected versions not specified) **Description** The issue concerns a workflow triggered by closed issues, utilizing a GitHub repository token with full write permissions. This allows an attacker to potentially take over the GitHub Runner, run custom commands, steal secrets, or alter the repository. The vulnerability was discovered using CodeQL and involves javascript's Expression injection in Actions query. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OWSLib versions prior to 0.28.1 **Description** The XML parser in OWSLib does not disable entity resolution, which could lead to arbitrary file reads from an attacker-controlled XML payload. This issue affects all XML parsing in the codebase. The estimated number of potentially affected devices is not specified. **Recommendations** For versions prior to 0.28.1, upgrade to version 0.28.1 to resolve the issue. As a temporary workaround, consider patching the library manually by setting `resolve entities=False` in `lxml`'s parser or applying the provided patch to disable entity resolution for `xml.etree`. Restrict access to the XML parsing functionality to minimize the risk of exploitation until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** GeoNode versions prior to 4.0.3 **Description** GeoNode is vulnerable to an XML External Entity (XXE) injection in the style upload functionality of GeoServer, leading to Arbitrary File Read. The issue arises from the `dataset style upload` view, which allows users to upload new styles for datasets. The `extract name from sld` function uses a default XMLParser with the `resolve entities` flag set to True, allowing the parsing of external entities. This enables an attacker to upload a malicious SLD file, potentially leading to the disclosure of sensitive information. The vulnerability can be exploited by sending a crafted request to the `/gs/geonode:<DATASET NAME>/style/upload` endpoint with a malicious SLD file. **Recommendations** For versions prior to 4.0.3, update to version 4.0.3 or later to patch the vulnerability. As a temporary workaround, consider restricting access to the style upload functionality or disabling the `dataset style upload` view until a patch is applied. Additionally, restrict access to the `extract name from sld` function to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** DataHub (affected versions not specified) **Description** The DataHub frontend proxy does not properly construct URLs when forwarding data to the DataHub Metadata Store (GMS), allowing external users to reroute requests to arbitrary hosts. This enables attackers to redirect requests from the frontend proxy to other servers and return the results. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** DataHub versions prior to 0.8.45 **Description** The issue concerns authentication checks using the `AuthUtils.hasValidSessionCookie()` method, which could be bypassed by using a cookie from a logged out session. This is because session cookies are only cleared on new sign-in events and not on logout events. As a result, any logged out session cookie may be accepted as valid, leading to an authentication bypass to the system. **Recommendations** For versions prior to 0.8.45, upgrade to version 0.8.45 or later to resolve the issue. As a temporary workaround, consider disabling the use of session cookies or restricting access to sensitive areas of the system until the upgrade can be applied.

**Name of the Vulnerable Software and Affected Versions** DataHub (affected versions not specified) **Description** The issue occurs when a system using Java Authentication and Authorization Service (JAAS) authentication encounters a configuration error, causing authentication to fail open. This allows an attacker to login with any username and password due to an error being thrown in the `authenticateJaasUser` method but not propagated. As a result, unauthenticated users may gain access to the system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.