Restriction

**Name of the Vulnerable Software and Affected Versions** Vikunja versions prior to 2.2.1 **Description** Vikunja is a self-hosted task management platform. Prior to version 2.2.1, the `DownloadFile` and `DownloadFileWithHeaders` functions within the `pkg/modules/migration/helpers.go` file do not have Server-Side Request Forgery (SSRF) protection. During Todoist or Trello migrations, file attachment URLs from the third-party API responses are directly used by these functions. This allows an attacker to make the Vikunja server request internal network resources and return the response as a downloadable task attachment. The vulnerable functions are `DownloadFile` and `DownloadFileWithHeaders`. **Recommendations** Update to version 2.2.1 or later.

**Name of the Vulnerable Software and Affected Versions** Parse Server versions prior to 8.6.57 Parse Server versions prior to 9.6.0-alpha.48 **Description** An authenticated user can modify server-generated session fields, such as `expiresAt` and `createdWith`, when updating their own session through the REST API. This bypasses the server’s session lifetime policy, potentially making a session permanent. The issue affects the ability to manage session duration, allowing for extended or indefinite session access. **Recommendations** Upgrade to Parse Server version 8.6.57 or later. Upgrade to Parse Server version 9.6.0-alpha.48 or later.

**Name of the Vulnerable Software and Affected Versions** Vikunja versions prior to 2.2.1 **Description** Vikunja is a self-hosted task management platform. The `GET /api/v1/projects/:project/webhooks` API endpoint exposes BasicAuth credentials (`basic auth user` and `basic auth password`) in plaintext to users with read access to the project. The HMAC `secret` field is masked, but the BasicAuth fields were not, allowing read-only collaborators to potentially steal credentials used for authenticating external webhook receivers. **Recommendations** Update to version 2.2.1 or later.

**Name of the Vulnerable Software and Affected Versions** Vikunja versions prior to 2.2.1 **Description** Vikunja is a self-hosted task management platform. A flaw exists in the `DownloadImage` function within `pkg/utils/avatar.go` where insufficient Server-Side Request Forgery (SSRF) protection is applied when downloading user avatar images from the OpenID Connect `picture` claim URL. This allows an attacker controlling their OpenID Connect profile picture URL to potentially force the Vikunja server to make HTTP GET requests to arbitrary internal or cloud metadata endpoints, bypassing existing SSRF protections applied to the webhook system. **Recommendations** Update to version 2.2.1 or later.

**Name of the Vulnerable Software and Affected Versions** Vikunja versions prior to 2.2.2 **Description** Vikunja is a self-hosted task management platform. A flaw exists in the `LinkSharing.ReadAll()` method where authenticated users with link share access can list all link shares for a project, including their secret hashes. The `ReadAllWeb` handler bypasses access checks by not calling `CanRead()`, allowing an attacker with read-only link share access to retrieve hashes for write or admin link shares within the same project. This can lead to escalating privileges to full admin access. The vulnerable function is `LinkSharing.ReadAll()`. The affected API endpoint is `ReadAllWeb`. **Recommendations** Update to version 2.2.2 or later.

**Name of the Vulnerable Software and Affected Versions** Vikunja versions prior to 2.2.1 **Description** Vikunja is a self-hosted task management platform. A flaw exists where the `TaskAttachment.ReadOne()` function queries attachments using only the ID, disregarding the task ID from the URL. The permission check in `CanRead()` verifies access to the task in the URL, but `ReadOne()` can load attachments from other tasks. This allows authenticated users to potentially download or delete any attachment by manipulating the task ID. Attachment IDs are sequential integers, simplifying the process of identifying them. The function `TaskAttachment.ReadOne()` is vulnerable. **Recommendations** Update to version 2.2.1 or later.

**Name of the Vulnerable Software and Affected Versions** Vikunja versions prior to 2.2.1 **Description** Vikunja is a self-hosted task management platform. Before version 2.2.1, the API, when returning tasks, included complete task objects in the `related tasks` field without verifying if the user had permission to view the projects those related tasks belonged to. This allowed an authenticated user with access to a task with cross-project relationships to obtain details—including title, description, due dates, priority, percent completion, and project ID—of tasks in projects they were not authorized to access. The API endpoint responsible for returning tasks populates the `related tasks` field with sensitive information. The vulnerable parameter is `related tasks`. **Recommendations** Upgrade to version 2.2.1 or later.

**Name of the Vulnerable Software and Affected Versions** AVideo versions up to and including 26.0 **Description** AVideo is an open source video platform. The `plugin/Permissions/setPermission.json.php` API endpoint accepts GET parameters for a state-changing operation that modifies user group permissions. The endpoint lacks CSRF token validation, and the application explicitly sets `session.cookie samesite=None` on session cookies. This allows an unauthenticated attacker to craft a page with `<img>` tags that, when visited by an administrator, silently grants arbitrary permissions to the attacker's user group, potentially escalating the attacker to near-admin access. **Recommendations** Versions prior to and including 26.0 should be updated when a patched version becomes available.

**Name of the Vulnerable Software and Affected Versions** AVideo versions up to and including 26.0 **Description** AVideo is an open source video platform. A user with the "Videos Moderator" permission can escalate privileges to perform full video management operations, including ownership transfer and deletion of any video, despite the permission being documented as only allowing video publicity changes. This is due to an asymmetric authorization boundary where `Permissions::canModerateVideos()` is used for full video editing in `videoAddNew.json.php`, while `videoDelete.json.php` only checks ownership. This allows exploitation through a two-step ownership-transfer-then-delete chain. The vulnerable function is `Permissions::canModerateVideos()`. **Recommendations** Update to a version beyond 26.0.

**Name of the Vulnerable Software and Affected Versions** AVideo versions up to and including 26.0 **Description** AVideo is an open source video platform. The CDN plugin endpoints `plugin/CDN/status.json.php` and `plugin/CDN/disable.json.php` use key-based authentication with an empty string as the default key. When the CDN plugin is enabled and the key is not configured, the key validation check is bypassed. This allows unauthenticated attackers to modify the full CDN configuration, including CDN URLs, storage credentials, and the authentication key itself, via mass-assignment through the `par` request parameter. **Recommendations** Update to a version after 26.0.

**Name of the Vulnerable Software and Affected Versions** AVideo versions up to and including 26.0 **Description** AVideo is an open source video platform susceptible to a SQL injection flaw. The `Subscribe::save()` method within `objects/subscribe.php` directly incorporates the `this->users id` property into an SQL INSERT query without proper sanitization or parameterized binding. This property is sourced from the `$ POST['user id']` parameter, accessible through both `subscribe.json.php` and `subscribeNotify.json.php`. An authenticated attacker can leverage this to inject arbitrary SQL code, potentially extracting sensitive data such as password hashes, API keys, and encryption salts. The vulnerable parameter is `user id`. The API endpoint involved is `subscribe.php`. **Recommendations** Update to a version beyond 26.0.

**Name of the Vulnerable Software and Affected Versions** AVideo versions up to and including 26.0 **Description** AVideo is an open source video platform. The standalone live stream control endpoint at `plugin/Live/standAloneFiles/control.json.php` accepts a user-supplied `streamerURL` parameter that allows an attacker to redirect token verification requests to a server they control. By returning a specific response (`{"error": false}`), an attacker can bypass authentication and gain unauthenticated control over any live stream on the platform. This control includes the ability to drop active publishers, start or stop recordings, and probe stream existence. The commit `388fcd57dbd16f6cb3ebcdf1d08cf2b929941128` contains a patch to address this issue. **Recommendations** Versions up to and including 26.0 should be updated to commit `388fcd57dbd16f6cb3ebcdf1d08cf2b929941128`.

**Name of the Vulnerable Software and Affected Versions** AVideo versions up to and including 26.0 **Description** AVideo is an open source video platform. The `ImageGallery::saveFile()` method validates uploaded file content using `finfo` MIME type detection but derives the saved filename extension from the user-supplied original filename without an allowlist check. An attacker can upload a polyglot file (valid JPEG magic bytes followed by PHP code) with a `.php` extension. The MIME check passes, but the file is saved as an executable `.php` file in a web-accessible directory, achieving Remote Code Execution. The vulnerable component is the `ImageGallery::saveFile()` function. **Recommendations** Upgrade to commit 345a8d3ece0ad1e1b71a704c1579cbf885d8f3ae.

**Name of the Vulnerable Software and Affected Versions** AVideo versions up to and including 26.0 **Description** AVideo is an open source video platform. The restreamer endpoint constructs a log file path by embedding user-controlled `users id` and `liveTransmitionHistory id` values from the JSON request body without sanitization. This log file path is then concatenated directly into shell commands passed to the `exec()` function, allowing an authenticated user to achieve arbitrary command execution on the server via shell metacharacters such as `$()` or backticks. The vulnerability lies in the improper handling of user-supplied input when constructing shell commands. **Recommendations** Update to Commit 99b865413172045fef6a98b5e9bfc7b24da11678.

**Name of the Vulnerable Software and Affected Versions** AVideo versions up to and including 26.0 **Description** AVideo is an open source video platform. The `objects/pluginRunDatabaseScript.json.php` API endpoint accepts a `name` parameter via POST and passes it to the `Plugin::getDatabaseFileName()` function without proper path traversal sanitization. This allows an authenticated administrator, or an attacker via Cross-Site Request Forgery (CSRF), to traverse outside the plugin directory and execute the contents of any `install/install.sql` file on the filesystem as raw SQL queries against the application database. **Recommendations** Update to a version beyond 26.0.

**Name of the Vulnerable Software and Affected Versions** AVideo versions up to and including 26.0 **Description** AVideo is an open source video platform. The `remindMe.json.php` endpoint passes the `$ REQUEST['live schedule id']` variable through multiple functions without proper sanitization. This ultimately leads to direct concatenation of the variable into a SQL `LIKE` clause within the `Scheduler commands::getAllActiveOrToRepeat()` function. While some intermediate functions apply `intval()` to local copies of the variable, the original tainted variable remains unchanged. This allows an authenticated user to perform time-based blind SQL injection to extract arbitrary database contents. **Recommendations** Update AVideo to a version newer than 26.0.

**Name of the Vulnerable Software and Affected Versions** AVideo versions prior to 26.1 **Description** AVideo is an open source video platform. Versions up to and including 26.0 lack authentication and authorization checks on the `plugin/AD Server/reports.json.php` endpoint. This allows unauthenticated attackers to extract ad campaign analytics data, including video titles, user channel names, user IDs, ad campaign names, and impression/click counts. The HTML counterpart (`reports.php`) and CSV export (`getCSV.php`) correctly enforce `User::isAdmin()`, but the JSON API was left unprotected. **Recommendations** Update AVideo to version 26.1 or later.

**Name of the Vulnerable Software and Affected Versions** AVideo versions prior to 26.1 **Description** AVideo is an open source video platform. Versions up to and including 26.0 have an issue in the password recovery endpoint at `objects/userRecoverPass.php`. This endpoint performs user existence and account status checks before validating the captcha. An unauthenticated attacker can enumerate valid usernames and determine account status (active, inactive, or banned) without solving a captcha by observing distinct JSON error responses. The vulnerable functionality lies in the order of operations performed by the `objects/userRecoverPass.php` script. **Recommendations** Update AVideo to version 26.1 or later.

**Name of the Vulnerable Software and Affected Versions** AVideo versions up to and including 26.0 **Description** A flaw exists in the order of operations during sanitization of the user profile "about" field. This allows any registered user to inject arbitrary JavaScript that executes when other users visit their channel page. The `xss esc()` function entity-encodes input before the `strip specific tags()` function can identify and remove dangerous HTML tags. Subsequently, the `html entity decode()` function reverses the encoding on output, restoring the original malicious HTML. **Recommendations** Update to a version after 26.0.

**Name of the Vulnerable Software and Affected Versions** AVideo versions up to and including 26.0 **Description** AVideo is an open source video platform. The `downloadVideoFromDownloadURL()` function in `objects/aVideoEncoder.json.php` saves remote content to a web-accessible temporary directory using the original URL's filename and extension, including `.php`. Providing an invalid `resolution` parameter triggers an early `die()` via `forbiddenPage()` before the temporary file can be moved or cleaned up, leaving an executable PHP file persistently accessible under the web root at `videos/cache/tmpFile/`. The function `forbiddenPage()` is involved in the process. **Recommendations** Versions prior to and including 26.0 should be updated to a version containing commit 6da79b43484099a0b660d1544a63c07b633ed3a2. As a temporary workaround, restrict access to the `objects/aVideoEncoder.json.php` file.