Offensiveee

**Nome do Software Vulnerável e Versões Afetadas** Portainer Community Edition versões 2.33.0 a 2.33.7 Portainer Community Edition versões 2.39.0 a 2.39.1 Portainer Community Edition versões anteriores a 2.41.0 **Description** O Portainer inclui uma configuração de segurança para desativar montagens de bind (bind mounts) para não administradores, destinada a impedir que usuários comuns vinculem caminhos do host em contêineres via API do Docker mediada pelo Portainer. No entanto, o mecanismo de imposição inspecionava apenas a array `HostConfig.Binds` e ignorava a array equivalente `HostConfig.Mounts`. Como ambos os campos são intercambiáveis no daemon do Docker, um usuário autenticado com direitos de criação de contêineres pode burlar essa restrição enviando uma entrada do tipo `bind` em `HostConfig.Mounts` no endpoint 'POST /containers/create'. Isso permite que o usuário monte qualquer caminho do host em seu contêiner, potencialmente obtendo acesso de leitura ou gravação ao sistema de arquivos do host como o usuário do daemon do Docker (geralmente `root`). Isso pode levar à exposição de arquivos sensíveis, comprometimento de outros contêineres no mesmo host ou acesso total à API do Docker se o socket do Docker for montado. **Recommendations** Atualize o Portainer Community Edition versões 2.33.0 a 2.33.7 para 2.33.8. Atualize o Portainer Community Edition versões 2.39.0 a 2.39.1 para 2.39.2. Atualize o Portainer Community Edition versões anteriores a 2.41.0 para 2.41.0. Revogue os direitos de criação de contêineres de contas não administradoras em ambientes afetados. Segregue os locatários (tenants) por ambiente para fornecer um controle mais forte do que a alternância de bind-mount.

**Nome do Software Vulnerável e Versões Afetadas** Piwigo versões anteriores a 16.3.0 **Description** Um problema de divulgação de informações existe na aplicação de galeria de fotos de código aberto onde o método de API 'pwg.history.search' é registrado sem a opção `admin only`. Isso permite que usuários não autenticados acessem o histórico completo de navegação de todos os visitantes da galeria. **Recommendations** Atualizar para a versão 16.3.0.

**Name of the Vulnerable Software and Affected Versions** Lychee versions prior to 7.5.1 **Description** Lychee is a free, open-source photo-management tool. A flaw exists in the IP validation check within the patch for an SSRF issue related to `Photo::fromUrl`. This incomplete check fails to block loopback and link-local addresses. Before version 7.5.1, an authenticated user could access internal services using direct IP addresses, bypassing all four protection configurations, even with secure default settings. **Recommendations** Update to version 7.5.1 or later.

**Name of the Vulnerable Software and Affected Versions** FreeScout versions 1.8.208 and below **Description** FreeScout is a help desk and shared inbox application built with the Laravel PHP framework. A broken access control issue exists in the `ThreadPolicy::edit()` method. This allows any authenticated user, regardless of their role or mailbox access, to read and modify all customer-created thread messages across all mailboxes. This flaw enables silent modification of customer messages and bypasses the entire mailbox permission model, potentially leading to GDPR compliance violations. The `ThreadPolicy::edit()` function is vulnerable to unauthorized access. The vulnerable parameter is not specified. **Recommendations** Upgrade to version 1.8.209 or later to resolve this issue.

**Name of the Vulnerable Software and Affected Versions** WWBN AVideo versions 25.0 and below **Description** The /objects/encryptPass.json.php endpoint in WWBN AVideo exposes the application's password hashing algorithm to any unauthenticated user. An attacker can submit arbitrary passwords and receive their hashed equivalents, enabling offline password cracking against leaked database hashes. The `encryptPassword()` function uses a weak hash chain (md5+whirlpool+sha1, no salt by default), making password cracking extremely fast with access to database hashes. The vulnerable file is `objects/encryptPass.json.php`, and the vulnerable function is `encryptPassword()`. The `encryptPassword()` function is located in `objects/functions.php` around line 2101. The vulnerable parameter is `pass` in the API endpoint `/objects/encryptPass.json.php`. **Recommendations** Versions 25.0 and below should be updated to version 26.0 or later.

**Name of the Vulnerable Software and Affected Versions** AVideo versions 25.0 and below **Description** AVideo, an open source video platform, has an issue where the `/objects/phpsessionid.json.php` endpoint exposes the current PHP session ID to any unauthenticated request. The `allowOrigin()` function reflects any `Origin` header back in `Access-Control-Allow-Origin` with `Access-Control-Allow-Credentials: true`, which enables cross-origin session theft and full account takeover. An attacker can host a malicious page that, when visited by a logged-in AVideo user, steals their PHP session ID due to the permissive CORS policy. This allows the attacker to impersonate the user with full privileges. The vulnerable file is `objects/phpsessionid.json.php`, and the vulnerable function is `allowOrigin()`. The `allowOrigin()` function is located in `objects/functions.php` (line ~2648). The vulnerability allows an attacker to make a credentialed cross-origin request and read the session ID. **Recommendations** Versions prior to 26.0 should be updated.