Adrgs

**Name of the Vulnerable Software and Affected Versions** react-router versions 7.0.0 through 7.14.x @remix-run/server-runtime versions 2.10.0 through 2.17.4 **Description** Certain crafted requests can cause unbounded path expansion in the " manifest" endpoint, leading to disproportionate server resource consumption. This results in response time degradation or service unavailability for end users. This issue affects React Router Framework Mode applications and Remix applications, but does not impact those using Declarative Mode (`<BrowserRouter>`) or Data Mode (`createBrowserRouter`/`<RouterProvider>`). **Recommendations** Update react-router to version 7.15.0. Update @remix-run/server-runtime to version 2.17.5.

**Name of the Vulnerable Software and Affected Versions** Budibase versions prior to 3.38.3 **Description** The `removeSecrets()` function in the server SDK fails to mask datasource configuration fields unless their schema type is `DatasourceFieldType.PASSWORD`. Because the Snowflake integration defines the `privateKey` field as `SENSITIVE LONGFORM`, it is skipped by the filter. An authenticated user with BASIC permissions and any app role can access the '/api/datasources/:datasourceId' endpoint to retrieve the full Snowflake PEM (Privacy Enhanced Mail) private key in plaintext. **Recommendations** Update to version 3.38.3.

**Name of the Vulnerable Software and Affected Versions** Budibase versions prior to 3.39.0 **Description** The Text component in this open-source low-code platform renders markdown by assigning the output of the `marked.parse(markdown)` function directly to `innerHTML` without using a sanitizer. This creates a stored Cross-Site Scripting (XSS) sink, where XSS is a flaw that allows an attacker to inject malicious scripts into web pages viewed by other users. Any column bound to a Text component in Markdown mode can be exploited by any basic application user who has write permissions on the underlying table. **Recommendations** Update to version 3.39.0.

**Name of the Vulnerable Software and Affected Versions** Budibase versions prior to 3.39.0 **Description** The `fetchToken()` function in the OAuth2 SDK performs a POST request to a URL provided by the builder using `node-fetch`. This process bypasses the `isBlacklisted` check used by all other outbound fetch paths in the codebase. Additionally, the Joi schema for the OAuth2 URL lacks restrictions on the scheme or host. **Recommendations** Update to version 3.39.0.

**Name of the Vulnerable Software and Affected Versions** Budibase versions prior to 3.39.0 **Description** An issue exists in the open-source low-code platform where the '/api/public/v1/roles/assign' endpoint is guarded by the `builderOrAdmin` middleware. This middleware allows any user who is a builder for the app ID specified in the `x-budibase-app-id` header to pass, including both global builders and workspace-scoped builders. The controller then spreads the request body into the SDK call, allowing the SDK to grant `builder.global=true` or `admin.global=true` to any user IDs provided by the caller. This enables a workspace-scoped builder with an API key to promote themselves or other users to global admin, resulting in tenant-wide privilege escalation from an app-level role. This is available to users with an Enterprise license that enables the `EXPANDED PUBLIC API` feature. **Recommendations** Update to version 3.39.0.

**Name of the Vulnerable Software and Affected Versions** Budibase versions prior to 3.38.2 **Description** An authorization bypass exists in the SCIM router within `packages/worker/src/api/routes/global/scim.ts`. The router only utilizes the `requireSCIM` and `doInScimContext` middlewares, failing to implement a role check. Consequently, any authenticated user, including those with the BASIC role or workspace-scoped builders, can access SCIM endpoints to perform Create, Read, Update, and Delete (CRUD) operations on every user and group within the tenant, potentially allowing them to delete administrators or hijack accounts. **Recommendations** Update to version 3.38.2.

**Name of the Vulnerable Software and Affected Versions** pyLoad versions prior to 0.5.0b3.dev100 **Description** An issue exists where the `packages.js` template interpolates stored link URLs into a template literal within single-quoted HTML and writes the result to the DOM using the `$(div).html(html)` function. Because no escaping occurs between the API value and `innerHTML`, an attacker can submit a package link containing a single quote and an event handler to break out of the attribute and execute arbitrary JavaScript in the browser of any operator who opens the downloads view. This is further enabled by the lack of a Content Security Policy (CSP) to restrict inline scripts or event handlers. Technical details include: - **API Endpoints**: `/api/get package data` (returns stored URLs), `/api/add package` (stores attacker-supplied links), and `/flash/add` (allows unauthenticated network attackers to reach the same sink when ClickNLoad is enabled). - **Vulnerable Parameters or Variables**: `link.url`, `link.name`, `link.statusmsg`, `link.error`, `link.format size`, `link.plugin`, `link.icon`, and `link.id`. **Recommendations** Update to version 0.5.0b3.dev100. As a temporary mitigation, restrict access to the `/api/add package` and `/flash/add` endpoints to trusted users only. Implement a strict Content Security Policy (CSP) such as `default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'` to block inline event handlers.

**Name of the Vulnerable Software and Affected Versions** Gotenberg versions prior to 8.32.0 **Description** Anonymous callers can access the '/forms/chromium/convert/url' and '/forms/chromium/screenshot/url' endpoints using the `url` parameter with the `file:///tmp/` scheme. While a deny-list exists to prevent arbitrary file access, it intentionally exempts the `/tmp/` directory to allow certain routes to load local assets. However, the URL routes fail to implement the `AllowedFilePrefixes` guard, which is intended to scope these reads. This allows an attacker to enumerate the `/tmp/` directory and read raw source files of other concurrent conversion requests, such as uploaded HTML, Markdown, or Office documents, which are then returned as rendered PDF output. This can lead to cross-tenant document exfiltration in multi-tenant deployments. **Recommendations** Update to version 8.32.0. As a temporary workaround, restrict access to the '/forms/chromium/convert/url' and '/forms/chromium/screenshot/url' endpoints to trusted users only.

**Name of the Vulnerable Software and Affected Versions** Gotenberg versions prior to 8.32.0 **Description** A DNS rebinding issue exists in the `FilterOutboundURL` function. The software resolves a hostname to check it against a private-address deny-list but discards the resolved addresses. Because Chromium performs its own independent DNS resolution when navigating to a URL, an attacker controlling a hostname with a short Time to Live (TTL) can return a public IP during the initial check and a private IP during the actual connection. This creates a timing window between the check performed by the `Fetch.requestPaused` handler and the TCP connection. Consequently, an unauthenticated attacker can bypass the deny-list to access internal HTTP services on the loopback interface, cloud metadata endpoints, or other private-network addresses, receiving the rendered internal response as a PDF. **Recommendations** Update to version 8.32.0. As a temporary workaround, restrict access to the network or use the `--chromium-host-resolver-rules` flag to manually map hostnames to specific IPs.

**Name of the Vulnerable Software and Affected Versions** Gotenberg versions prior to 8.32.0 **Description** Six API endpoints ('/pdfengines/merge', '/pdfengines/split', '/libreoffice/convert', '/chromium/convert/url', '/chromium/convert/html', and '/chromium/convert/markdown') allow anonymous callers to read PDF files from the container filesystem. The issue occurs because these endpoints do not properly validate the `stampExpression` and `watermarkExpression` variables when no file is uploaded, but the `stampSource` or `watermarkSource` variables are set to 'pdf'. This allows an attacker to specify an arbitrary file path, which is then processed by the pdfcpu tool and returned to the caller as a composite PDF. This can be used to access sensitive PDF documents that the Gotenberg process has permissions to read, including those in bind-mounted host directories. **Recommendations** Update to version 8.32.0. As a temporary workaround, restrict access to the affected API endpoints to trusted users only.

**Name of the Vulnerable Software and Affected Versions** Gotenberg versions prior to 8.32.0 **Description** A flaw in the webhook middleware allows an anonymous caller to crash the process. The middleware spawns a goroutine that retains a reference to the `echo.Context` after the synchronous handler returns `ErrAsyncProcess` and the context is recycled back to the `sync.Pool`. If a concurrent request claims this recycled context and calls `c.Reset()`, the store is cleared. When the webhook goroutine subsequently reaches the `hardTimeoutMiddleware` function, an unchecked type assertion on a nil store entry for the `logger` variable causes a panic outside of any `recover()` scope, leading to a process crash. This can be triggered by a stress of approximately 24 webhook requests and 60 `GET /version` requests. **Recommendations** Update to version 8.32.0. As a temporary workaround, restrict access to the webhook path to authorized users only to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** phpMyFAQ versions prior to 4.1.2 **Description** An unauthenticated SQL injection exists in the `BuiltinCaptcha::garbageCollector()` and `BuiltinCaptcha::saveCaptcha()` methods. The issue occurs when unsanitized User-Agent headers are interpolated into DELETE and INSERT queries. Unauthenticated attackers can exploit the ' /api/captcha' endpoint by crafting malicious User-Agent headers to perform time-based blind SQL injection, which allows for the extraction of sensitive data such as user credentials, admin tokens, and SMTP credentials from the database. Over 1,200 potentially affected devices have been identified. **Recommendations** Update to version 4.1.2 or later.

**Name of the Vulnerable Software and Affected Versions** phpMyFAQ versions prior to 4.1.2 **Description** An improper restriction of excessive authentication attempts exists in the "/admin/check" endpoint. This endpoint accepts arbitrary `user-id` parameters without session binding or rate limiting. Unauthenticated attackers can bypass two-factor authentication and gain full administrative access by submitting POST requests with sequential token values to brute-force a user's six-digit TOTP (Time-based One-Time Password, a temporary code generated by an app) code. **Recommendations** Update to version 4.1.2 or later. Restrict access to the "/admin/check" endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** phpMyFAQ versions prior to 4.1.2 **Description** A path traversal issue exists in the `deleteClientFolder()` function. This allows administrators with the `INSTANCE DELETE` permission to delete arbitrary directories. An attacker can achieve this by submitting traversal sequences in the `client` URL parameter to recursively delete directories outside the intended client folder scope. **Recommendations** Update to version 4.1.2 or later. As a temporary workaround, restrict the `INSTANCE DELETE` permission to only highly trusted administrators.

**Name of the Vulnerable Software and Affected Versions** phpMyFAQ versions prior to 4.1.2 **Description** An issue exists in the `setTokenData()` function of the `CurrentUser` class that allows authenticated attackers to execute arbitrary SQL commands. This occurs by injecting malicious OAuth token claims. Specifically, attackers using Azure AD accounts that contain SQL metacharacters in their display names or JSON Web Tokens (JWT)—a compact, URL-safe means of representing claims to be transferred between two parties—can break out of string literals to execute unauthorized database queries. **Recommendations** Update to version 4.1.2 or later. As a temporary workaround, restrict the use of the `setTokenData()` function or limit OAuth token claims from untrusted providers until the update is applied.

**Name of the Vulnerable Software and Affected Versions** phpMyFAQ versions prior to 4.1.2 **Description** An information disclosure issue exists in the `getIdFromSolutionId()` and `getFaqBySolutionId()` methods, which lack proper permission filtering. This allows unauthenticated attackers to enumerate restricted FAQ entries by sequentially iterating solution IDs via the '/solution id {id}.html' endpoint. When a valid ID is requested, the server performs a 301 redirect to a URL containing the FAQ's category, internal ID, language, and a slugified version of the title. This sensitive metadata is leaked through the redirect's `Location` header, page canonical links, social sharing URLs, and hidden form fields, even if the main content body is restricted. The `getFaqBySolutionId()` method further exacerbates this by using a fallback query that explicitly bypasses permission filters. **Recommendations** Update to version 4.1.2 or later. As a temporary workaround, restrict access to the '/solution id {id}.html' endpoint to authenticated users with appropriate permissions.

**Name of the Vulnerable Software and Affected Versions** Parse Server versions prior to 8.6.76 Parse Server versions prior to 9.9.0-alpha.2 **Description** A race condition exists in the MFA SMS one-time password (OTP) login path. This allows two concurrent requests to the '/login' endpoint using the same OTP to both succeed and receive valid session tokens, which violates the single-use requirement of the OTP. For this to be exploited, an attacker must already have the victim's password and intercept the active SMS OTP through methods such as SIM swapping, network mirroring, or phishing relays, and then execute the request simultaneously with the legitimate user. **Recommendations** Update to version 8.6.76. Update to version 9.9.0-alpha.2. Disable SMS MFA and use TOTP instead. Implement a rate limiter on the '/login' endpoint to reduce concurrent-request burst capacity.

**Name of the Vulnerable Software and Affected Versions** Admidio versions prior to 5.0.9 **Description** An unauthenticated attacker can execute arbitrary JavaScript in a user's browser via reflected Cross-Site Scripting (XSS). The issue occurs in the 'system/msg window.php' endpoint, which accepts `message id` and `message var1` as GET parameters. The application processes `message var1` using `htmlspecialchars()`, which does not encode square brackets. Subsequently, the `Language::prepareTextPlaceholders()` function converts these square brackets into HTML angle brackets, resulting in executable markup. This allows an attacker to bypass encoding and run scripts in the context of the Admidio origin, potentially leading to session cookie theft or unauthorized administrative operations. **Recommendations** Update to version 5.0.9. As a temporary workaround, restrict access to the 'system/msg window.php' endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Admidio versions prior to 5.0.9 **Description** A logic error in the two-factor authentication (2FA) reset process inverts the authorization check. This allows non-admin users to remove the Time-based One-Time Password (TOTP) configuration of other users, including administrators, while preventing them from removing their own. Specifically, a group leader with profile edit rights on an admin account can strip that admin's 2FA, reducing the account security to password-only authentication. The issue exists in the 'modules/profile/two factor authentication.php' file, where an inverted condition in the authorization check fails to block non-admins from resetting other users' 2FA. The vulnerable endpoint is '/adm program/modules/profile/two factor authentication.php' using the `mode` and `user uuid` parameters. **Recommendations** Update to version 5.0.9. As a temporary workaround, restrict the `hasRightEditProfile()` permission for group leaders to minimize the risk of unauthorized 2FA removal.

**Name of the Vulnerable Software and Affected Versions** Admidio versions prior to 5.0.9 **Description** An issue exists where the `Role::stopMembership()` function fails to verify if removing a user from the administrator role leaves the system with zero administrators. While the deprecated `Membership::stopMembership()` function contains a safety check to prevent this, the current code path bypasses it. This allows an administrator to remove the last remaining other administrator, potentially locking the entire system out of administrative access. This can occur through sequential removals, where two administrators remove each other, resulting in no users remaining in the administrator role. The vulnerability is located in the `Role::stopMembership()` function within `src/Roles/Entity/Role.php` and can be triggered via the endpoint "/modules/profile/profile function.php" using the `mode`, `user uuid`, and `role uuid` parameters. **Recommendations** Update to version 5.0.9. As a temporary workaround, restrict access to the "/modules/profile/profile function.php" endpoint or limit the number of users with administrator privileges to minimize the risk of total lockout.