Akokonunes

Name of the Vulnerable Software and Affected Versions Directus versions prior to 11.16.1 Description Directus is susceptible to an open redirect issue through the `redirect` parameter on the `/admin/tfa-setup` page. An administrator who has not configured Two-Factor Authentication (2FA) may be redirected to an attacker-controlled URL after completing the 2FA setup process, as the application lacks validation of the redirect destination. This could be leveraged in phishing attacks targeting Directus administrators. Recommendations Update to version 11.16.1 or later.

**Name of the Vulnerable Software and Affected Versions** Cloud CLI versions prior to 1.24.0 **Description** Cloud CLI (also known as Claude Code UI) is a desktop and mobile UI for Claude Code, Cursor CLI, Codex, and Gemini-CLI. The `/api/user/git-config` endpoint constructs shell commands using user-provided `gitName` and `gitEmail` values, passing them to `child process.exec()`. Input is placed within double quotes, but only double quotes are escaped, leaving backticks (`), `$()` command substitution, and `` sequences vulnerable to interpretation within bash. This allows authenticated attackers to execute arbitrary operating system commands through the git configuration endpoint. The vulnerable code resides in `server/routes/user.js` (lines 58-59). Exploitation involves injecting malicious commands via the `gitName` parameter using command substitution, potentially leading to Remote Code Execution (RCE) as the Node.js process user. The server-wide git configuration can be modified, impacting all git operations. When combined with a bypass for JWT authentication, this can result in unauthenticated RCE. **Recommendations** Versions prior to 1.24.0 should be updated to version 1.24.0 or later. Replace `exec()` with `spawn()` using array arguments to avoid shell interpretation. For example, instead of: `await execAsync(`git config --global user.name "${gitName.replace(/"/g, '"')}"`);` use: `await spawnAsync('git', ['config', '--global', 'user.name', gitName]);`.

**Name of the Vulnerable Software and Affected Versions** AVideo versions prior to 25.0 **Description** The `/objects/playlistsFromUser.json.php` endpoint does not require authentication or authorization, allowing an unauthenticated attacker to enumerate user IDs and retrieve playlist information, including playlist names, video IDs, and playlist status, for any user on the platform. The endpoint accepts a `users id` parameter and directly queries the database without any authentication or authorization checks. This can lead to privacy violations, user enumeration, information gathering, and potential targeted attacks. The vulnerable file is `objects/playlistsFromUser.json.php`. The `getAllFromUser()` function is used to retrieve playlist data without verifying user access. **Recommendations** Versions prior to 25.0 should be updated to version 25.0 or later. Implement authentication and authorization checks before returning playlist data. As an option, require authentication and only allow access to a user's own playlists, or filter playlists by visibility if public playlists are intended.

**Name of the Vulnerable Software and Affected Versions** changedetection.io versions prior to 0.54.4 **Description** The software contains a reflected cross-site scripting (XSS) issue in the `/rss/tag/` endpoint. The `tag uuid` path parameter is directly included in the HTTP response without proper HTML escaping. Because Flask defaults to `text/html` for string responses, injected JavaScript is executed by the browser. The issue was present in version 0.54.1, which addressed a similar XSS in `/rss/watch/` but did not resolve the problem in the tag RSS endpoint. The attack requires a valid RSS access token, which is publicly available on the homepage. Successful exploitation could lead to session cookie theft, account takeover, and phishing attacks. Approximately 500 publicly accessible deployments are estimated to be affected. The vulnerable code is located in `changedetectionio/blueprint/rss/tag.py` at line 36. The vulnerable parameter is `tag uuid`. **Recommendations** Versions prior to 0.54.4: Escape the `tag uuid` parameter before including it in the response, or set the `Content-Type` to `text/plain`.

**Name of the Vulnerable Software and Affected Versions** NocoDB versions prior to 0.301.3 **Description** NocoDB is software for building databases as spreadsheets. An authenticated user with Editor role can inject arbitrary HTML into Rich Text cells. This is achieved by bypassing the TipTap editor and sending raw HTML via the API. The vulnerable API allows for the injection of malicious code through Rich Text cells. **Recommendations** Update to version 0.301.3 or later.

**Name of the Vulnerable Software and Affected Versions** NocoDB versions prior to 0.301.3 **Description** A stored cross-site scripting (XSS) issue exists in the Formula virtual cell of NocoDB, a software used for building databases as spreadsheets. Formula results containing URI::() patterns are rendered using v-html without proper sanitization, which allows for the execution of injected HTML. **Recommendations** Update to version 0.301.3 or later.

**Name of the Vulnerable Software and Affected Versions** changedetection.io versions prior to 0.54.1 **Description** The application reflects the `UUID` path parameter directly in the HTTP response body without HTML escaping in the RSS single-watch endpoint. Because Flask defaults to returning text/html for plain string responses, the browser parses and executes injected JavaScript. This could allow for potential cross-site scripting (XSS) attacks. **Recommendations** Update to version 0.54.1 or later.