0Xkakash1

Name of the Vulnerable Software and Affected Versions: Nhost versions prior to 0.48.0 Description: Nhost's auth service OAuth provider callback flow includes the refresh token directly in the redirect URL as a query parameter. This can lead to exposure of the refresh token in browser history, server access logs, HTTP Referer headers, and proxy/CDN logs. The refresh token is one-time use, and these leak vectors are on infrastructure or services integrated by the application developer. The vulnerable code is located in `services/auth/go/controller/sign in provider callback get.go` within the `signinProviderProviderCallback` function (lines 257-261), where the refresh token is added as a query parameter to the redirect URL. The issue affects all OAuth provider flows (GitHub, Google, Apple, etc.). Recommendations: Update to version 0.48.0 or later.

**Name of the Vulnerable Software and Affected Versions** Nhost versions prior to 0.12.0 **Description** Nhost’s storage service’s file upload handler relies on the `Content-Type` header provided by the client without verifying the file’s actual MIME type. This allows an attacker to upload files with a manipulated MIME type, bypassing any restrictions based on MIME types configured on storage buckets. The vulnerable component is the `services/storage` service, specifically within the `getMultipartFile` function (lines 48-70) in the `upload files.go` file. The function skips MIME type detection if the client provides a `Content-Type` that is not `application/octet-stream`, directly using the client-provided value. This can lead to incorrect MIME type metadata associated with the uploaded file, potentially causing issues with how the file is handled by consuming systems. The vulnerable parameter is `Content-Type`. **Recommendations** Versions prior to 0.12.0 should be updated to version 0.12.0 or later. Always detect the MIME type from the file content using `mimetype.DetectReader`, disregarding the client-provided `Content-Type` header.

**Name of the Vulnerable Software and Affected Versions** H3 versions prior to 1.15.6 and versions 2.0.0 through 2.0.1-rc.14 **Description** The `createEventStream` function in H3 is susceptible to Server-Sent Events (SSE) injection due to a lack of newline sanitization within the `formatEventStreamMessage()` and `formatEventStreamComment()` functions. An attacker controlling any part of an SSE message field – `id`, `event`, `data`, or comment – can inject arbitrary SSE events to connected clients. The SSE protocol relies on newline characters as field delimiters and double newlines as event separators. The absence of newline sanitization allows attackers to inject new fields, events, manipulate reconnection behavior, and override the Last-Event-ID. This can lead to cross-user content injection, phishing attacks, event spoofing, denial-of-service through aggressive reconnection attempts, and manipulation of event replay on reconnection. The issue resides in `src/utils/internal/event-stream.ts`, lines 170-187. **Recommendations** Versions prior to 1.15.6 should be updated to version 1.15.6 or later. Versions 2.0.0 through 2.0.1-rc.14 should be updated to version 2.0.1-rc.15 or later.

**Name of the Vulnerable Software and Affected Versions** SiYuan versions 3.6.0 and earlier SiYuan versions 3.5.9 and earlier **Description** SiYuan is a personal knowledge management system. The backend 'renderREADME' function uses 'lute.New()' without calling 'SetSanitize(true)', allowing raw HTML embedded in Markdown to pass through unmodified. The frontend then assigns the rendered HTML to 'innerHTML' without additional sanitization. A malicious package author can embed arbitrary JavaScript in their README, which executes when a user clicks to view the package details. Because SiYuan's Electron configuration enables 'nodeIntegration: true' with 'contextIsolation: false', this cross-site scripting (XSS) escalates directly to full Remote Code Execution (RCE). The backend function affected is `renderREADME` located in `kernel/bazaar/package.go:635-645`. The frontend assignment occurs in `app/src/config/bazaar.ts:607`. The Electron configuration is found in `app/electron/main.js:422-426`. The issue was exploited through the Bazaar (community marketplace) by submitting a malicious package with a crafted README file. Attackers can leverage various HTML elements like `img`, `svg`, `details`, and `picture` to hide payloads. Exploitation can lead to full remote code execution, data theft, and the installation of persistent backdoors. **Recommendations** For versions 3.6.0 and earlier, enable Lute sanitization for README rendering by adding `luteEngine.SetSanitize(true)` to the `renderREADME` function in `kernel/bazaar/package.go`. For versions 3.6.0 and earlier, add client-side sanitization as a defense-in-depth measure by using DOMPurify to sanitize the HTML before assigning it to `innerHTML` in `app/src/config/bazaar.ts`. For versions 3.5.9 and earlier, enable Lute sanitization for README rendering by adding `luteEngine.SetSanitize(true)` to the `renderREADME` function in `kernel/bazaar/package.go`. For versions 3.5.9 and earlier, add client-side sanitization as a defense-in-depth measure by using DOMPurify to sanitize the HTML before assigning it to `innerHTML` in `app/src/config/bazaar.ts`.

**Name of the Vulnerable Software and Affected Versions** SiYuan versions 3.5.9 and earlier SiYuan versions 3.6.0 and below **Description** SiYuan, a personal knowledge management system, is affected by a critical issue allowing for cross-site scripting (XSS) that can escalate to remote code execution (RCE). The Bazaar (community marketplace) renders package metadata fields, specifically 'displayName' and 'description', using template literals without proper HTML escaping. This allows a malicious package author to inject arbitrary HTML and JavaScript code into these fields. When any user browses the Bazaar page, this injected code automatically executes. Due to SiYuan's Electron configuration enabling `nodeIntegration: true` with `contextIsolation: false`, the XSS vulnerability directly escalates to full RCE on the victim's operating system, requiring no user interaction beyond opening the marketplace tab. The vulnerable code is located in `app/src/config/bazaar.ts:275-277` and `app/electron/main.js:422-426`. A proof of concept demonstrates the ability to execute arbitrary commands, such as launching 'calc.exe' or establishing a reverse shell, simply by browsing the Bazaar page. This vulnerability poses a significant supply-chain risk to the entire SiYuan user community. Attackers can potentially steal API tokens, session cookies, SSH keys, browser credentials, and arbitrary files, or install persistent backdoors and ransomware. The issue affects all supported platforms: Windows, macOS, and Linux. **Recommendations** Versions prior to 3.6.1 are vulnerable. Apply HTML escaping to all package metadata in template rendering in `bazaar.ts`. Implement server-side sanitization of metadata fields during the Bazaar index pipeline. Harden the Electron configuration by setting `nodeIntegration: false`, `contextIsolation: true`, and `sandbox: true`.

**Name of the Vulnerable Software and Affected Versions** ApostropheCMS versions 3.0.0 through 4.27.1 **Description** ApostropheCMS contains a flaw in the bearer token authentication middleware located in `@apostrophecms/express/index.js`. An incorrect MongoDB query allows incomplete login tokens – where password verification occurred but multi-factor authentication (MFA) requirements were not met – to be utilized as fully authenticated bearer tokens. This bypasses MFA for any ApostropheCMS deployment utilizing `@apostrophecms/login-totp` or custom `afterPasswordVerified` login requirements. The issue stems from the use of the `$ne: []` MongoDB operator in the query, which incorrectly matches tokens with unverified requirements. Additionally, a separate bug in `@apostrophecms/login/index.js` prevents the deletion of incomplete tokens, exacerbating the vulnerability. An attacker with a victim's username and password, but lacking their TOTP code, can exploit this flaw to gain full API access. The API endpoint **/api/v1/@apostrophecms/page** is accessible with the compromised bearer token. The vulnerable parameter is the bearer token itself, passed in the `Authorization` header. **Recommendations** Update to ApostropheCMS version 4.28.0 or later. Replace `$ne: []` with `$size: 0` in the bearer token query located in `@apostrophecms/express/index.js` (line 388). Replace `token.userId` with `token. id` in the token deletion logic within `@apostrophecms/login/index.js` (lines 728-729 and 735-736).

**Name of the Vulnerable Software and Affected Versions** SiYuan versions 3.6.0 and below SiYuan versions prior to 3.6.1 **Description** SiYuan is a personal knowledge management system. The mobile file tree component (`MobileFiles.ts`) renders notebook names using `innerHTML` without proper HTML escaping when processing `renamenotebook` WebSocket events. The desktop version (`Files.ts`) correctly utilizes `escapeHtml()` for the same operation. This allows an authenticated user with notebook renaming privileges to inject arbitrary HTML and JavaScript code, which will be executed on any mobile client displaying the file tree. The Electron environment is configured with `nodeIntegration: true` and `contextIsolation: false`, granting the injected JavaScript full access to Node.js functionalities. This escalates a stored cross-site scripting (XSS) issue to full remote code execution. The mobile layout is also used in the Electron desktop application when the window is narrow, making the issue exploitable on desktop as well. The backend API endpoint `POST /api/notebook/renameNotebook` is involved in this process, and the vulnerable code is located in `app/src/mobile/dock/MobileFiles.ts:77`. The backend component `kernel/api/notebook.go:104-116` sends unescaped names. **Recommendations** Versions prior to 3.6.1: Apply the same escaping used in the desktop version by replacing `innerHTML = data.data.name` with `innerHTML = escapeHtml(data.data.name)` in `MobileFiles.ts`. Versions prior to 3.6.1: Sanitize notebook names on the backend using a function like `util.EscapeHTML(name)` in `RenameBox()`. Versions prior to 3.6.1: As a long-term solution, harden the Electron configuration by setting `nodeIntegration: false`, `contextIsolation: true`, and `sandbox: true`.

**Name of the Vulnerable Software and Affected Versions** SiYuan versions 3.6.0 and earlier SiYuan versions 3.5.9 and earlier **Description** SiYuan, a personal knowledge management system, has a flaw in its WebSocket endpoint ('/ws') that permits unauthenticated connections when specific URL parameters are used ('?app=siyuan&id=auth&type=auth'). This bypass, originally intended for the login page to maintain a live kernel connection, enables any external client, including malicious websites through cross-origin WebSocket connections, to connect and receive all server push events in real-time. These events expose sensitive document metadata, including document titles, notebook names, file paths, and all Create, Read, Update, and Delete (CRUD) operations performed by authenticated users. The absence of Origin header validation allows a malicious website to silently connect to a victim's local SiYuan instance and monitor their note-taking activity. The vulnerable component is located in the file `kernel/server/serve.go:728-731` within the `serveWebSocket()` function and its `HandleConnect` handler. **Recommendations** Versions 3.6.0 and earlier: Upgrade to version 3.6.1 or later to resolve the issue. Versions 3.5.9 and earlier: Upgrade to version 3.6.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Dagu versions prior to 2.2.4 **Description** Dagu is a workflow engine with a built-in web user interface. When configured with HTTP Basic authentication (DAGU AUTH MODE=basic), all Server-Sent Events (SSE) endpoints are accessible without credentials. This allows unauthenticated attackers to access real-time DAG execution data, workflow configurations, execution logs, and queue status, bypassing the authentication that protects the REST API. The issue stems from the `buildStreamAuthOptions()` function, which returns an authentication structure with `BasicAuthEnabled` set to true but `AuthRequired` defaulting to false. The authentication middleware allows unauthenticated requests when `AuthRequired` is false. Affected SSE endpoints include '/api/v1/events/dags', '/api/v1/events/dags/{fileName}', '/api/v1/events/dag-runs', '/api/v1/events/dag-runs/{name}/{dagRunId}', '/api/v1/events/dag-runs/{name}/{dagRunId}/logs', '/api/v1/events/queues', '/api/v1/events/docs-tree', and '/api/v1/events/docs/*'. An attacker can enumerate workflows, monitor execution in real-time, read execution logs, and map infrastructure. **Recommendations** Update to version 2.2.4 or later. Set `AuthRequired` to true for basic auth mode. Implement a session-token mechanism for basic-auth users to authenticate via the '?token=' query parameter.

**Name of the Vulnerable Software and Affected Versions** Parse Server versions prior to 9.6.0-alpha.7 Parse Server versions prior to 8.6.33 **Description** Parse Server, a backend deployable on Node.js infrastructures, is affected by an issue where recovery codes for multi-factor authentication (MFA) via TOTP are not consumed after use. This allows an attacker who obtains a single recovery code to repeatedly authenticate as the affected user without the code being invalidated, undermining the intended single-use design and weakening the security of MFA-protected accounts. The issue arises when MFA via TOTP is enabled for a user account, and Parse Server generates two single-use recovery codes intended as a fallback when a TOTP token is unavailable. **Recommendations** Versions prior to 9.6.0-alpha.7 should be updated to version 9.6.0-alpha.7 or later. Versions prior to 8.6.33 should be updated to version 8.6.33 or later.

**Name of the Vulnerable Software and Affected Versions** Parse Server versions prior to 9.6.0-alpha.10 Parse Server versions prior to 8.6.36 **Description** Parse Server is an open-source backend deployable on infrastructures running Node.js. An attacker with access to the master key can inject malicious SQL code through crafted field names used in query constraints when Parse Server is configured with PostgreSQL. The field name within a `$regex` query operator is passed to PostgreSQL using unparameterized string interpolation, enabling manipulation of the SQL query. This SQL injection bypasses Parse Server's abstraction layer and operates directly at the database level. The issue affects deployments utilizing PostgreSQL. The API endpoint is not explicitly mentioned. The vulnerable parameter is the field name used in the `$regex` query operator. **Recommendations** Update Parse Server to version 9.6.0-alpha.10 or later. Update Parse Server to version 8.6.36 or later.

**Name of the Vulnerable Software and Affected Versions** Parse Server versions prior to 8.6.34 Parse Server versions prior to 9.6.0-alpha.8 **Description** Parse Server, an open source backend deployable on Node.js infrastructures, is affected by a user enumeration issue. The `/verificationEmailRequest` API endpoint returns different error responses based on whether an email address is registered, already verified, or non-existent. An attacker can send requests with various email addresses and analyze the error codes to determine which email addresses are associated with existing user accounts. This issue impacts any Parse Server deployment where email verification is enabled (`verifyUserEmails: true`). A fix introduces the `emailVerifySuccessOnInvalidEmail` option, which, when enabled, returns a generic success response for all verification email requests, preventing differentiation between valid, verified, and non-existent email addresses. The fix also includes strengthened input validation for the `resetPasswordSuccessOnInvalidEmail` option and security checks to warn when enumeration mitigation is disabled. **Recommendations** Parse Server versions prior to 8.6.34: Upgrade to version 8.6.34 or later. Parse Server versions prior to 9.6.0-alpha.8: Upgrade to version 9.6.0-alpha.8 or later.

**Name of the Vulnerable Software and Affected Versions** SiYuan versions prior to 3.5.10 **Description** SiYuan is a personal knowledge management system. The SVG sanitizer (SanitizeSVG) in versions prior to 3.5.10 does not block SVG animation elements (<animate>, <set>), allowing attackers to dynamically set attributes to dangerous values at runtime, bypassing static sanitization. This enables the injection of executable JavaScript into the unauthenticated `/api/icon/getDynamicIcon` endpoint (type=8), resulting in a reflected Cross-Site Scripting (XSS) condition. This is a bypass of a previous fix. The vulnerable parameter is `type`. **Recommendations** Update to version 3.5.10 or later.

**Name of the Vulnerable Software and Affected Versions** Parse Server versions prior to 9.5.2-alpha.6 Parse Server versions prior to 8.6.19 **Description** Parse Server, an open source backend deployable on Node.js infrastructures, contains a flaw in its validation process for protected fields. The validation only examines top-level query keys, allowing authenticated users to bypass the protection by embedding query constraints on protected fields within logical operators. This enables unauthorized access and extraction of values from protected fields, as default protected fields exist in all Parse Server deployments. **Recommendations** Update to Parse Server version 9.5.2-alpha.6 or later. Update to Parse Server version 8.6.19 or later.

**Name of the Vulnerable Software and Affected Versions** Parse Server versions prior to 8.6.12 Parse Server versions prior to 9.5.1-alpha.1 **Description** A logic flaw in the `requestKeywordDenylist` security control allows bypassing restrictions by placing nested objects or arrays before prohibited keywords in the request payload. The issue stems from a bug that halts scanning of sibling keys after encountering the first nested value, impacting both default and custom `requestKeywordDenylist` entries. This affects all Parse Server deployments where the `requestKeywordDenylist` is enabled. The fix involves replacing the recursive object scanner with an iterative stack-based traversal to process all nested values without prematurely exiting the scan loop. **Recommendations** Versions prior to 8.6.12: Update to version 8.6.12 or later. Versions prior to 9.5.1-alpha.1: Update to version 9.5.1-alpha.1 or later. Use a Cloud Code `beforeSave` trigger to validate incoming data for prohibited keywords across all classes.

**Name of the Vulnerable Software and Affected Versions** Parse Server versions prior to 8.6.14 Parse Server versions prior to 9.5.2-alpha.1 **Description** Parse Server, an open-source backend deployable on Node.js infrastructures, contains a NoSQL injection issue. An unauthenticated attacker can inject MongoDB query operators through the `token` field in the password reset and email verification resend endpoints. The `token` value is passed to database queries without type validation, potentially allowing extraction of password reset and email verification tokens. Deployments using MongoDB with email verification or password reset enabled are affected. When `emailVerifyTokenReuseIfValid` is configured, the email verification token can be fully extracted and used to verify a user's email address without inbox access. The affected API endpoints are the password reset and email verification resend endpoints. **Recommendations** Versions prior to 8.6.14 should be updated to version 8.6.14 or later. Versions prior to 9.5.2-alpha.1 should be updated to version 9.5.2-alpha.1 or later.

**Name of the Vulnerable Software and Affected Versions** Parse Server versions prior to 9.5.2-alpha.13 Parse Server versions prior to 8.6.26 **Description** Parse Server, an open source backend deployable on Node.js infrastructures, contains a flaw in its LDAP authentication adapter. The issue stems from the direct interpolation of user-supplied input (`authData.id`) into LDAP Distinguished Names (DN) and group search filters without proper escaping of special characters. This allows an attacker with valid LDAP credentials to manipulate the bind DN structure and bypass group membership checks, potentially leading to privilege escalation from any authenticated LDAP user to a member of any restricted group. The vulnerability impacts Parse Server deployments utilizing the LDAP authentication adapter with group-based access control. **Recommendations** Update to Parse Server version 9.5.2-alpha.13 or later. Update to Parse Server version 8.6.26 or later.

**Name of the Vulnerable Software and Affected Versions** SiYuan versions prior to 3.5.10 **Description** SiYuan is a personal knowledge management system susceptible to a reflected cross-site scripting (XSS) condition. The SVG sanitizer, `SanitizeSVG`, inadequately checks `href` attributes for the 'javascript:' prefix. Specifically, the use of ASCII tab (&#9;), newline (&#10;), or carriage return (&#13;) characters within the 'javascript:' string bypasses the prefix check. This allows for the injection of executable JavaScript code. The vulnerable API endpoint is `/api/icon/getDynamicIcon`, and the issue stems from insufficient sanitization of input provided to the `href` attribute. This is a second bypass of a previous fix. **Recommendations** Update SiYuan to version 3.5.10 or later.