Lagathos

**Nome do Software Vulnerável e Versões Afetadas** Twenty CRM versões 1.7.7 até 1.16.7 **Descrição** Um problema de Execução Remota de Código (RCE) existe por meio de um ataque encadeado de SQL Injection e PostgreSQL COPY TO PROGRAM. Se o usuário do Postgres for um superusuário, qualquer usuário autenticado pode executar comandos arbitrários do sistema operacional no servidor de banco de dados. Isso ocorre porque o parâmetro `timeZone` no endpoint 'groupBy' da API REST é interpolado diretamente em uma expressão SQL bruta usando literais de modelo JavaScript, sem parametrização, validação ou escape. Isso afeta a função `get-group-by-expression.util.ts`. **Recomendações** Para as versões 1.7.7 até 1.16.7, atualize o software para uma versão onde o parâmetro `timeZone` seja devidamente sanitizado. Como medida paliativa temporária, restrinja as permissões do usuário do banco de dados para garantir que o usuário Postgres não seja um superusuário, evitando assim a execução de comandos do sistema operacional.

**Name of the Vulnerable Software and Affected Versions** InvoicePlane versions 1.7.0 through 1.7.0 **Description** InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A critical Remote Code Execution (RCE) issue exists through a chained Local File Inclusion (LFI) and Log Poisoning attack. An authenticated administrator can execute arbitrary system commands on the server by manipulating the `public invoice template` setting to include poisoned log files containing PHP code. The vulnerability involves manipulating the `public invoice template` setting. **Recommendations** Update InvoicePlane to version 1.7.1.

**Name of the Vulnerable Software and Affected Versions** InvoicePlane versions prior to 1.7.1 **Description** InvoicePlane is a self-hosted open source application used for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) issue exists in the `family name` field in version 1.7.0. The `family name` value is displayed without proper HTML encoding within the family dropdown on the product form. If an administrator creates a family with a malicious name, the payload will execute in the browser of any administrator accessing the product form. **Recommendations** Update to version 1.7.1 or later.

**Name of the Vulnerable Software and Affected Versions** InvoicePlane versions prior to 1.7.1 **Description** A Stored Cross-Site Scripting (XSS) issue exists in InvoicePlane. An authenticated administrator can inject malicious JavaScript through the Invoice Number field. This injected script executes when any administrator views the affected invoice or accesses the dashboard. **Recommendations** Update to version 1.7.1 or later.

**Name of the Vulnerable Software and Affected Versions** InvoicePlane version 1.7.0 InvoicePlane versions prior to 1.7.1 **Description** A Stored Cross-Site Scripting (XSS) issue exists in InvoicePlane. An authenticated administrator can inject malicious JavaScript through the Product Unit Name fields. This malicious code executes when any administrator views an invoice containing a product with the injected code. The vulnerable parameter is the Product Unit Name. **Recommendations** Update to version 1.7.1 or later.