Alakinnn

**Name of the Vulnerable Software and Affected Versions** Titra versions 0.99.49 and below **Description** Titra is open source project time tracking software. Versions 0.99.49 and below have an Improper Access Control issue, allowing users to view and edit other users' time entries in private projects they have not been granted access to. The issue affects the Titra APIs. **Recommendations** Update to version 0.99.50 or later.

**Name of the Vulnerable Software and Affected Versions** Titra versions 0.99.49 and below **Description** Titra is open source project time tracking software. An API has a Mass Assignment issue that allows authenticated users to inject arbitrary fields into time entries, bypassing business logic controls via the `customfields` parameter. The affected endpoint uses the JavaScript spread operator (...`customfields`) to merge user-controlled input directly into the database document. While `customfields` is validated as an Object type, there is no validation of which keys are permitted inside that object. This allows attackers to overwrite protected fields such as `userId`, `hours`, and `state`. **Recommendations** Update to version 0.99.50 or later.

**Name of the Vulnerable Software and Affected Versions** Hemmelig versions prior to 7.3.3 **Description** A Server-Side Request Forgery (SSRF) filter bypass exists in the webhook URL validation of the Secret Requests feature in Hemmelig, a messaging app with client-side encryption and self-destructing messages. The application attempts to block internal/private IP addresses but this can be bypassed using DNS rebinding or open redirect services. This allows an authenticated user to make the server initiate HTTP requests to internal network resources. **Recommendations** Update to version 7.3.3 or later.