0Xmrma

**Name of the Vulnerable Software and Affected Versions** Docmost versions 0.70.0 through 0.70.2 **Description** An authorization bypass in this open-source collaborative wiki and documentation software exposes restricted child page titles and text snippets. This occurs through the public search endpoint ''/api/search/share-search'' for publicly shared content, allowing unauthenticated users to enumerate and retrieve content that should be hidden from public share viewers, resulting in a confidentiality breach. **Recommendations** Update to version 0.70.3.

**Name of the Vulnerable Software and Affected Versions** Docmost versions prior to 0.71.0 **Description** Improper neutralization of attachment URLs allows a low-privileged authenticated user to store a malicious `javascript:` URL inside an attachment node in page content. When another user views the page and activates the attachment link or icon, attacker-controlled JavaScript executes in the context of the Docmost origin. This is a Stored Cross-Site Scripting (XSS) issue, where a script is permanently stored on the target server and executed in the victim's browser. **Recommendations** Update to version 0.71.0.

**Name of the Vulnerable Software and Affected Versions** Docmost versions 0.3.0 through 0.70.x **Description** Improper authorization allows a low-privileged authenticated user to overwrite an attachment of another page within the same workspace. This occurs by providing a victim `attachmentId` to the endpoint '/api/files/upload'. This is a remote integrity issue that requires no interaction from the victim. **Recommendations** Update to version 0.71.0.

**Name of the Vulnerable Software and Affected Versions** listmonk versions 4.1.0 through 6.0.0 **Description** listmonk, a self-hosted newsletter and mailing list manager, has a session management issue. Previously issued authenticated sessions remain valid after sensitive account security changes, such as password reset or password change. This allows an attacker with a valid session cookie to maintain access to an account even after the victim changes or resets their password, weakening account recovery and session security. The issue occurs because existing sessions are not revoked after account credentials are updated. This impacts all authenticated users, including those with TOTP enabled. The vulnerability was reproduced on version 6.0.0. The application updates account credentials successfully, but existing active sessions are not revoked afterward. The password reset flow and authenticated profile update flow are affected. Relevant code areas include `cmd/auth.go`, `cmd/users.go`, and `internal/core/users.go`. **Recommendations** Upgrade to listmonk version 6.1.0 or later.

**Name of the Vulnerable Software and Affected Versions** ecdsa versions prior to 0.19.2 **Description** The `ecdsa` package, a Python implementation of ECC, contains a flaw in its DER parsing functions. Specifically, `ecdsa.der.remove octet string()` incorrectly accepts truncated DER data where the declared length exceeds the actual buffer size. This can lead to `SigningKey.from der()` raising an internal `IndexError` instead of a clean rejection of malformed DER, potentially causing a denial of service when parsing untrusted DER private keys. A crafted DER input can trigger this issue. **Recommendations** Upgrade to ecdsa version 0.19.2 or later.

**Name of the Vulnerable Software and Affected Versions** Memray versions prior to 1.19.2 **Description** Memray, a memory profiler for Python, did not properly escape command line arguments when rendering them into generated HTML reports. This allowed attacker-controlled command line arguments to be inserted as raw HTML into the report. When a victim opens the generated report in a browser, this can lead to JavaScript execution. The issue affects reports generated by both `memray flamegraph` and `memray table` commands, with or without the `--no-web` option. An attacker who can influence the script name or command-line arguments of a profiled program can inject HTML/JavaScript into Memray-generated HTML reports. The root cause is the lack of HTML escaping when embedding process command line arguments into the generated flame graph or table report using Jinja. **Recommendations** Upgrade to Memray version 1.19.2. Avoid attaching Memray to untrusted processes until you have upgraded.