Albogdanopublished

**Name of the Vulnerable Software and Affected Versions** Para versions prior to 1.50.8 **Description** A vulnerability exists in the `FacebookAuthFilter.java` file, resulting in the full request URL being logged during a failed request to a Facebook user profile. The log includes the user's access token in plain text, posing a risk of token exposure since WARN-level logs are often retained in production and accessible to operators or log aggregation systems. **Recommendations** For versions prior to 1.50.8, update to version 1.50.8 to fix the issue. As a temporary workaround, consider restricting access to the logs to minimize the risk of token exposure.

**Name of the Vulnerable Software and Affected Versions** Para versions prior to 1.50.8 **Description** A vulnerability exists in Para, a multitenant backend server/framework for object persistence and retrieval, which exposes both access and secret keys in logs without redaction. These credentials are later reused in variable assignments for persistence but do not require logging for debugging or system health purposes. **Recommendations** For versions prior to 1.50.8, update to version 1.50.8 to fix the issue. As a temporary workaround, consider restricting log access to minimize the risk of credential exposure. Avoid logging access and secret keys for debugging or system health purposes until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: Scoold versions prior to 1.64.0 Description: A semicolon path injection vulnerability was found on the "/api;/config" endpoint. By appending a semicolon in the URL, attackers can bypass authentication and gain unauthorized access to sensitive configuration data. Furthermore, PUT requests on the "/api;/config" endpoint while setting the `Content-Type: application/hocon` header allow unauthenticated attackers to file reading via HOCON file inclusion. This allows attackers to retrieve sensitive information such as configuration files from the server, which can be leveraged for further exploitation. Recommendations: For versions prior to 1.64.0, update to Scoold 1.64.0 to fix the vulnerability. As a temporary workaround, consider disabling the Scoold API by setting `scoold.api enabled = false`.