Pavelkohout396

An authorization bypass vulnerability exists in the Mautic 7 API v2 endpoints (utilizing API Platform). Under certain conditions, roles configured with owner-scope restrictions (such as `viewown` or `editown`) are not properly enforced. This allows low-privilege authenticated API users to bypass ownership-logic controls and access or modify resources belonging to other users.

A stored Cross-Site Scripting (XSS) vulnerability exists in the project selector component of Mautic 7. When rendering selection menus for associating projects with system entities, the application fails to sanitize project names returned via AJAX before injecting them into the DOM as option fields. An authenticated user with permissions to create projects can exploit this to store a malicious script payload in the project's name. When another administrative user subsequently opens an entity editor containing the project selector, the injected script executes within the context of their active browser session. This could allow an attacker to hijack the session, perform unauthorized state coordination, or access organizational data within the dashboard.

**Name of the Vulnerable Software and Affected Versions** OpenEMR versions prior to 8.0.0.2 **Description** OpenEMR is an electronic health records and medical practice management application. A DOM-based stored cross-site scripting issue exists in the jQuery SearchHighlight plugin (`library/js/SearchHighlight.js`). An authenticated user with encounter form write access can inject arbitrary JavaScript that executes in another clinician's browser session when using the search/find feature on the Custom Report page. The plugin reverses server-side HTML entity encoding by reading decoded text from DOM text nodes, concatenating it into a raw HTML string, and passing it to jQuery's `$()` constructor for HTML parsing. **Recommendations** Update to OpenEMR version 8.0.0.2 or later.

**Name of the Vulnerable Software and Affected Versions** OpenEMR versions prior to 8.0.0.2 **Description** OpenEMR is a free and open source electronic health records and medical practice management application. The application is susceptible to a stored cross-site scripting (XSS) issue. This occurs due to unescaped `portal login username` within the portal credential print view. A patient portal user can inject an XSS payload as their login username, which then executes in a clinic staff member's browser when the "Create Portal Login" page is accessed for that patient. This allows for a transition from the patient session context to the staff/admin session context. **Recommendations** Versions prior to 8.0.0.2 should be updated to version 8.0.0.2 or later.

**Name of the Vulnerable Software and Affected Versions** OpenEMR versions prior to 8.0.0.2 **Description** OpenEMR is an electronic health records and medical practice management application. A flaw exists where an authenticated, non-administrator user can view reminder messages belonging to other users. This is achieved by manipulating the `sentTo[]` or `sentBy[]` parameters in a GET request to the dated reminders log. The issue allows access to patient names and the content of free-text messages. **Recommendations** Update to OpenEMR version 8.0.0.2 or later.

**Name of the Vulnerable Software and Affected Versions** OpenEMR versions prior to 8.0.0.2 **Description** OpenEMR is an electronic health records and medical practice management application. A flaw exists where an authorization bypass in the optional FaxSMS module (`oe-module-faxsms`) allows authenticated users to invoke controller methods, including `getNotificationLog()`, without proper access control checks. The `AppDispatch` constructor bypasses ACL enforcement, potentially exposing patient appointment data (PHI). **Recommendations** Update to OpenEMR version 8.0.0.2 or later.

**Name of the Vulnerable Software and Affected Versions** OpenEMR versions prior to 8.0.0.2 **Description** OpenEMR is a free and open source electronic health records and medical practice management application. A stored cross-site scripting (XSS) issue exists in the patient portal payment flow. This allows a patient portal user to inject arbitrary JavaScript code that will be executed in the browser of a staff member reviewing the payment submission. The malicious payload is stored in `portal/lib/paylib.php` and rendered without proper sanitization in `portal/portal payment.php`. **Recommendations** Update OpenEMR to version 8.0.0.2 or later.

**Name of the Vulnerable Software and Affected Versions** OpenEMR versions prior to 8.0.0.1 **Description** OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.1, names associated with items in the 'Track Anything' feature are taken directly from user input (via POST requests) and displayed in Dygraph charts (titles and labels) without proper sanitization. This allows a user with the ability to create or edit 'Track Anything' items to inject malicious script that will execute when any user views the corresponding graph. The issue involves the use of `innerHTML` or similar methods without escaping, leading to potential cross-site scripting (XSS). The vulnerable component is the rendering of track/item names in Dygraph charts. **Recommendations** Update OpenEMR to version 8.0.0.1 or later.

**Name of the Vulnerable Software and Affected Versions** OpenEMR versions prior to 8.0.0.1 **Description** OpenEMR is an electronic health records and medical practice management application. An incorrect boolean condition within the `ControllerRouter::route()` function results in the administrator/super user access control check being applied only to specific controllers (review, log). This leaves other controllers – alerts, ajax, edit, add, detail, browse – accessible to any authenticated user. This allows any logged-in user to suppress clinical decision support alerts, delete or modify clinical plans, and edit rule configurations, operations that should require administrator privileges. **Recommendations** Versions prior to 8.0.0.1 should be updated to version 8.0.0.1 or later.

**Name of the Vulnerable Software and Affected Versions** OpenEMR versions prior to 8.0.0.1 **Description** OpenEMR is a free and open source electronic health records and medical practice management application. A stored cross-site scripting (XSS) issue exists in the Graphical Pain Map ("clickmap") form. This allows any authenticated clinician to inject arbitrary JavaScript that executes in the browser of every subsequent user who views the affected encounter form. Because session cookies are not marked HttpOnly, this enables full session hijacking of other users, including administrators. The `clickmap` form is the point of injection for the malicious script. The vulnerability affects the session cookies, allowing for unauthorized access. **Recommendations** Update OpenEMR to version 8.0.0.1 or later.

**Name of the Vulnerable Software and Affected Versions** OpenEMR versions prior to 8.0.0.1 **Description** OpenEMR is an electronic health records and medical practice management application. A stored cross-site scripting (XSS) issue exists in the prescription CSS/HTML print view via patient demographics. This involves server-side rendering of patient names using a raw PHP echo and client-side DOM-based rendering via jQuery .html() in a separate component (`portal/sign/assets/signer api.js`). The root cause is unsanitized patient names in `patient data`. The issue has different sinks, affected components, and trigger actions, requiring independent fixes. **Recommendations** Versions prior to 8.0.0.1 should be updated to version 8.0.0.1 or later.

**Name of the Vulnerable Software and Affected Versions** OpenEMR versions prior to 8.0.0.1 **Description** OpenEMR is an electronic health records and medical practice management application. The Claim File Tracker feature exposes an AJAX endpoint that returns billing claim metadata, including claim IDs, payer information, and transmission logs. This endpoint does not enforce the same Access Control List (ACL) as the main billing/claims workflow, allowing authenticated users without appropriate billing permissions to access sensitive data. The vulnerable API endpoint is an AJAX endpoint used by the Claim File Tracker feature. The issue arises because the endpoint does not properly validate user permissions before returning billing claim metadata. The vulnerable parameter is not explicitly mentioned. **Recommendations** Update OpenEMR to version 8.0.0.1 or later.

**Name of the Vulnerable Software and Affected Versions** OpenEMR versions prior to 8.0.0.1 **Description** OpenEMR is an electronic health records and medical practice management application. Prior to version 8.0.0.1, sensitivity checks for group encounters were not functioning correctly. The code was only checking the `form encounter` table for sensitivity information, while group encounters actually store this information in the `form groups encounter` table. This resulted in sensitivity restrictions not being applied to group encounters, potentially allowing unauthorized users to view sensitive information, such as mental health records. **Recommendations** Upgrade to OpenEMR version 8.0.0.1 or later.

**Name of the Vulnerable Software and Affected Versions** OpenEMR versions prior to 8.0.0.1 **Description** OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.1, the dynamic code picker ''/ajax/dynamic code picker'' endpoint returns code descriptions (`code text`) that are rendered in the front end (e.g., DataTables) without HTML escaping. If an administrator or a user with code management rights creates or edits a code with a malicious description containing a script, that script executes in the browser of every user who uses the picker. **Recommendations** Update to version 8.0.0.1 or later.

**Name of the Vulnerable Software and Affected Versions** OpenEMR versions prior to 8.0.0 **Description** OpenEMR is an electronic health records and medical practice management application. A flaw exists in the Immunization module where user-supplied `patient id` values are directly incorporated into SQL queries without proper sanitization. This allows any authenticated user to execute arbitrary SQL queries, potentially leading to database compromise, unauthorized access to protected health information (PHI), credential theft, and remote code execution. **Recommendations** Update to version 8.0.0 or later.

Nome do Software Vulnerável e Versões Afetadas openCryptoki versões 2.3.2 e superiores Descrição O openCryptoki é uma biblioteca PKCS#11 utilizada em sistemas Linux e AIX. As versões 2.3.2 e superiores são vulneráveis ao seguimento de symlinks ao operar em contextos privilegiados. Um usuário pertencente ao grupo token pode redirecionar operações de arquivos para locais arbitrários do sistema de arquivos ao criar symlinks dentro de diretórios de token com permissão de escrita para o grupo, potencialmente levando à elevação de privilégios ou exposição de dados. Os diretórios de token e lock são configurados com permissões 0770, permitindo que qualquer membro do grupo token coloque arquivos e symlinks dentro deles. Quando executado com privilégios de root, o código base responsável pelo acesso a arquivos dos diretórios de token, juntamente com várias ferramentas do openCryptoki usadas para tarefas administrativas, pode modificar a propriedade ou as permissões de arquivos existentes dentro desses diretórios de token. Um atacante que seja membro do grupo token pode explorar essa vulnerabilidade quando um administrador executa um aplicativo PKCS#11 ou ferramenta administrativa que realize operações `chown` em arquivos dentro do diretório de token durante manutenção rotineira. Recomendações No momento, não há informações sobre uma versão mais recente que contenha uma correção para essa vulnerabilidade.

**Nome do Software Vulnerável e Versões Afetadas** Versões do Traefik anteriores a 2.11.35 e 3.6.7 **Descrição** O Traefik, um proxy reverso HTTP e balanceador de carga, possui um problema potencial na geração automática de seus certificados TLS ACME. O fast path ACME TLS-ALPN pode permitir que clientes não autenticados ocupem goroutines e descritores de arquivo indefinidamente quando o desafio TLS ACME está habilitado. Um cliente malicioso pode abrir muitas conexões, enviar um ClientHello mínimo com `acme-tls/1` e então parar de responder, levando a uma negação de serviço do ponto de entrada. A vulnerabilidade decorre da falta de timeouts e do fechamento adequado de conexão dentro do código de tratamento ACME TLS-ALPN, especificamente em `pkg/server/router/tcp/router.go`. Isso permite que um cliente esgote os recursos do servidor mantendo goroutines e descritores de arquivo abertos sem um limite definido. **Recomendações** Versões do Traefik anteriores a 2.11.35 devem ser atualizadas. Versões do Traefik anteriores a 3.6.7 devem ser atualizadas.

**Name of the Vulnerable Software and Affected Versions** openCryptoki versions 3.25.0 and 3.26.0 **Description** openCryptoki is a PKCS#11 library and tools for Linux and AIX. A heap buffer overflow exists in the `CKM ECDH AES KEY WRAP` implementation. An attacker with local access can cause out-of-bounds writes in the host process by providing a compressed EC public key and calling `C WrapKey`. This can result in heap corruption or a denial-of-service condition. **Recommendations** Update to a version of openCryptoki newer than 3.26.0.

**Nome do Software Vulnerável e Versões Afetadas** Versões do FreeRDP anteriores a 2.11.8 Versões do FreeRDP anteriores a 3.23.0 **Descrição** O FreeRDP, uma implementação livre do Protocolo de Área de Trabalho Remota, contém um problema de leitura fora dos limites no canal RDPGFX do cliente FreeRDP. Um servidor RDP malicioso pode explorar essa vulnerabilidade enviando uma Unidade de Dados de Protocolo (PDU) WIRE TO SURFACE 2 elaborada com um valor `bitmapDataLength` que excede os dados reais dentro do pacote. Isso pode resultar em vazamento de informações ou falhas no cliente quando um usuário se conecta a um servidor malicioso. A vulnerabilidade ocorre ao ler memória heap não inicializada. **Recomendações** Atualize para a versão 2.11.8 do FreeRDP ou posterior. Atualize para a versão 3.23.0 do FreeRDP ou posterior.