4Rdr

**Name of the Vulnerable Software and Affected Versions** Wallos versions prior to 4.6.2 **Description** Wallos is a self-hostable personal subscription tracker. Versions prior to 4.6.2 contain an issue where the `url` parameter can be exploited to retrieve local system files. **Recommendations** Update to version 4.6.2 or later.

Name of the Vulnerable Software and Affected Versions: OPNsense version 25.1 Description: OPNsense version 25.1 contains an authenticated command injection issue in the Bridge Interface Edit endpoint (interfaces bridge edit.php). The `span` POST parameter is concatenated into a system-level command without proper sanitization, allowing an administrator to inject arbitrary shell operators and payloads. Successful exploitation could lead to remote code execution with the privileges of the web service, potentially resulting in full system compromise or lateral movement. This is due to inadequate input validation and improper handling of user-supplied data in backend command invocations. Recommendations: Update to a newer version that contains a fix for this issue. As a temporary workaround, restrict access to the `interfaces bridge edit.php` endpoint. Sanitize or escape the `span` POST parameter before using it in system-level commands.

Name of the Vulnerable Software and Affected Versions: versions prior to 1.7.1 Description: A template injection vulnerability leading to reflected cross-site scripting (XSS) has been identified, requiring authenticated admin access for exploitation. The vulnerability exists in the `r` parameter and allows attackers to inject malicious Angular expressions that execute JavaScript code in the context of the application. The flaw can be exploited through GET requests to the `/summary` endpoint as well as POST requests to specific Wicket interface endpoints. Recommendations: Update to a version prior to 1.7.1. Restrict access to the `r` parameter in the `/summary` endpoint. Limit authenticated admin access to reduce the potential impact of exploitation.

Name of the Vulnerable Software and Affected Versions: diskover-web version 2.3.0 Description: The application does not properly sanitize user-supplied input in several configuration fields within the administrative settings interface, leading to stored cross-site scripting (XSS). Specifically, the following parameters are vulnerable: `ES HOST`, `ES INDEXREFRESH`, `ES PORT`, `ES SCROLLSIZE`, `ES TRANSLOGSIZE`, `ES TRANSLOGSYNCINT`, `EXCLUDES FILES`, `FILE TYPES[]`, `INCLUDES DIRS`, `INCLUDES FILES`, and `TIMEZONE`. Malicious payloads submitted through these parameters are stored and executed when an administrator views or edits the settings page. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: diskover-web version 2.3.0 Description: The software is susceptible to multiple reflected cross-site scripting (XSS) flaws within its web interface. Unsanitized GET parameters, including `maxage`, `maxindex`, `index`, `path`, `q` (query), and `doctype`, are directly incorporated into the HTML response. This allows attackers to inject and execute arbitrary JavaScript when a victim accesses a specially crafted URL. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: readarr version 0.4.15.2787 Description: A SQL Injection issue exists in readarr that allows attackers to inject and execute arbitrary SQL commands against the backend SQLite database. The `/api/v1/wanted/cutoff` API endpoint does not properly sanitize user-supplied input to the `sortKey` parameter. Exploitation was confirmed using sqlmap via stacked queries, demonstrating the ability to run arbitrary SQL statements. A query utilizing SQLite's `RANDOMBLOB()` and `HEX()` functions was executed to simulate a time-based payload, indicating extensive control over database interactions. Recommendations: Update to a newer version that contains a fix for this issue.

Name of the Vulnerable Software and Affected Versions: IPFire version 2.29 Description: The Calamaris log exporter CGI script (`/cgi-bin/logs.cgi/calamaris.dat`) does not properly sanitize user-supplied input before using it in shell commands. This allows a remote, unauthenticated attacker to inject arbitrary OS commands by embedding shell metacharacters in the following parameters: `BYTE UNIT`, `DAY BEGIN`, `DAY END`, `HIST LEVEL`, `MONTH BEGIN`, `MONTH END`, `NUM CONTENT`, `NUM DOMAINS`, `NUM HOSTS`, `NUM URLS`, `PERF INTERVAL`, `YEAR BEGIN`, and `YEAR END`. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: IPFire version 2.29 Description: The DNS management interface (dns.cgi) in IPFire fails to properly sanitize user-supplied input in the `NAMESERVER`, `REMARK`, and `TLS HOSTNAME` query parameters. This results in a reflected cross-site scripting (XSS) issue. Recommendations: Ensure proper input validation and sanitization are implemented for the `NAMESERVER`, `REMARK`, and `TLS HOSTNAME` query parameters in the dns.cgi interface.

Name of the Vulnerable Software and Affected Versions: IPFire version 2.29 Description: The web-based firewall interface (firewall.cgi) fails to sanitize several rule parameters, including PROT, SRC PORT, TGT PORT, dnatport, key, ruleremark, src addr, std net tgt, and tgt addr. This allows an authenticated administrator to inject persistent JavaScript. The resulting stored cross-site scripting (XSS) payload is executed when another administrator views the firewall rules page, potentially enabling session hijacking and unauthorized actions within the interface. Exploitation requires high-privilege GUI access and is considered low complexity. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Shaarli versions prior to 0.15.0 Description: Shaarli is a minimalist bookmark manager and link sharing service. Input strings in the cloud tag page are not properly sanitized, allowing premature closure of the `</title>` tag. This results in a reflected Cross-Site Scripting (XSS) issue. Recommendations: Update to version 0.15.0 or later.

**Name of the Vulnerable Software and Affected Versions** DbGate versions 6.4.3-premium-beta.5 and below **Description** DbGate is vulnerable to a directory traversal flaw. The `file` parameter is not properly restricted to the intended uploads directory. This allows manipulation of the endpoint that lists files within the upload directory to access arbitrary files on the system. By supplying a crafted path to the `file` parameter, an attacker can read files outside the upload directory, potentially exposing sensitive system-level data. **Recommendations** Update to DbGate version 6.4.3-beta.8 or later.

**Name of the Vulnerable Software and Affected Versions** Gokapi versions prior to 2.0.0 **Description** Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. A stored cross-site scripting issue can be exploited by uploading a file with JavaScript code embedded in the filename. The script is then parsed after upload and every time someone opens the upload list. Prior to version 2.0.0, all authenticated users could see and modify all resources, even if end-to-end encrypted, due to the lack of a user permission system. **Recommendations** For versions prior to 2.0.0, update to version 2.0.0 to resolve the issue. As a temporary workaround, consider disabling end-to-end encryption until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Navidrome versions 0.55.0 through 0.55.2 **Description** The issue arises due to improper input validation on the `role` parameter within the API endpoint `/api/artist`. Attackers can exploit this flaw to inject arbitrary SQL queries, potentially gaining unauthorized access to the backend database and compromising sensitive user information. The vulnerability affects the SQLite database and allows an unauthenticated attacker to execute arbitrary SQL commands, extract or manipulate sensitive data, and potentially escalate privileges or disrupt service availability. **Recommendations** For Navidrome versions 0.55.0 through 0.55.2, update to version 0.56.0 to resolve the issue. As a temporary workaround, consider restricting access to the `/api/artist` API endpoint to minimize the risk of exploitation. Avoid using the `role` parameter in the affected API endpoint until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: DumbDrop versions prior to commit db27b25372eb9071e63583d8faed2111a2b79f1b Description: The issue is related to a DOM cross-site scripting vulnerability in the upload functionality. A user could be tricked into uploading a file with a malicious payload. Recommendations: For versions prior to commit db27b25372eb9071e63583d8faed2111a2b79f1b, update to a version that includes the fix commit db27b25372eb9071e63583d8faed2111a2b79f1b to resolve the issue. As a temporary workaround, consider restricting the upload functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** GLPI versions prior to 10.0.17 **Description** The issue is related to a reflected XSS vulnerability in GLPI, a free asset and IT management software package. An unauthenticated user can exploit this vulnerability by providing a malicious link to a GLPI technician. This can allow a remote attacker to conduct a cross-site scripting (XSS) attack. The vulnerability is due to the lack of protection of the web page structure. **Recommendations** For versions prior to 10.0.17, upgrade to version 10.0.17 to resolve the issue. As a temporary workaround, consider restricting access to links from unauthenticated users to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Ibexa RichText Field Type versions prior to 4.6.10 **Description** The validator for the RichText fieldtype blocklists `javascript:` and `vbscript:` in links to prevent XSS, but this can be circumvented using upper case, leaving other options open. Content editing permissions for RichText content are required to exploit this issue, which typically means Editor role or higher. The fix implements an allowlist instead, which allows only approved link protocols, and the new check is case insensitive. **Recommendations** For versions prior to 4.6.10, update to version 4.6.10 or later to resolve the issue. As a temporary workaround, consider restricting access to the RichText fieldtype until a patch is applied. Avoid using the `javascript:` and `vbscript:` protocols in links to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Ibexa Admin UI Bundle (affected versions not specified) **Description** The file upload widget in the Ibexa Admin UI Bundle is vulnerable to XSS payloads in filenames. Access permission to upload files is required, which is typically only granted to authenticated editors and administrators. The vulnerability is not persistent, meaning the payload is only executed during the upload, and an attacker would need to trick an editor or administrator into uploading a file with a malicious filename. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Tracks versions prior to 2.7.1 **Description** The issue allows for reflected cross-site scripting, which enables the execution of malicious JavaScript in the context of a user's browser if that user clicks on a malicious link. This can lead to phishing attacks that could result in credential theft. **Recommendations** For versions prior to 2.7.1, update to version 2.7.1 to resolve the issue. As a temporary workaround, consider avoiding clicking on links from untrusted sources to minimize the risk of exploitation.