Anargam

**Name of the Vulnerable Software and Affected Versions** eLabFTW versions 4.6.0 through 5.1.0 **Description** A vulnerability has been found in eLabFTW that allows an attacker to bypass the built-in multifactor authentication mechanism. This can be exploited by an attacker who can authenticate locally, allowing them to log in regardless of MFA requirements. It's noted that this does not affect MFA performed by single sign-on services. **Recommendations** For versions 4.6.0 through 5.1.0, upgrade to at least version 5.1.9 to receive a fix.

Name of the Vulnerable Software and Affected Versions: eLabFTW versions prior to 5.1.0 Description: An incorrect permission check in eLabFTW, an open source electronic lab notebook, could allow an authenticated user to access restricted information. If anonymous access is enabled, this issue extends to anyone. Recommendations: For versions prior to 5.1.0, upgrade to at least version 5.1.0. As a temporary workaround, system administrators can disable anonymous access in the System configuration panel.

**Name of the Vulnerable Software and Affected Versions** eLabFTW versions prior to 5.1.0 **Description** The issue allows a regular user to become an administrator of a team where they are a member, under a reasonable configuration. In versions subsequent to v5.0.0, it may also allow an initially unauthenticated user to gain administrative privileges over an arbitrary team. This does not affect system administrator status. **Recommendations** For versions prior to 5.1.0, users should upgrade to version 5.1.0. System administrators are advised to turn off local user registration, saml team create, and not allow administrators to import users into teams, unless strictly required.

**Name of the Vulnerable Software and Affected Versions** eLabFTW versions prior to 5.0.0 **Description** The issue allows a regular user to create a circumstance where a visitor's browser runs arbitrary JavaScript code in the context of the eLabFTW application by uploading specially crafted files. This can be triggered by the visitor viewing a list of experiments, enabling the malicious script to act on behalf of the visitor, including creating API keys for persistence or other options normally available to the user. If the user viewing the page has the sysadmin role in eLabFTW, the script can act as a sysadmin, including system configuration and extensive user management roles. **Recommendations** For versions prior to 5.0.0, upgrade to at least version 5.0.0 to resolve the issue. As a temporary workaround, consider restricting access to uploaded files and limiting user permissions to minimize the risk of exploitation. Avoid using the application's experiment viewing feature until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** eLabFTW versions 4.4.0 through 4.9.x are not explicitly mentioned, but since the vulnerability exists starting in version 4.4.0 and prior to version 5.0.0, it can be simplified to: eLabFTW versions 4.4.0 through 4.9.x is not needed, instead use: eLabFTW versions prior to 5.0.0 **Description** A vulnerability in eLabFTW allows regular users to create new, validated accounts in their team. If the system has anonymous access enabled, an unauthenticated user can create regular users in any team. This issue can allow a user to maintain persistence in the system, create separate accounts under different names, and produce misleading revision histories. No additional privileges are granted to the new user. **Recommendations** For versions prior to 5.0.0, upgrade to version 5.0.0 to receive a patch. As a temporary workaround, consider disabling both options that allow administrators to create users. Additionally, disabling anonymous user access will stop anonymous access, including using existing access keys.

**Name of the Vulnerable Software and Affected Versions** eLabFTW versions prior to 4.3.0 **Description** The issue allows an authenticated user with an administrator role in a team to assign itself system administrator privileges within the application, or create a new system administrator account. In the context of eLabFTW, an administrator is a user account with certain privileges to manage users and content in their assigned team/teams. A system administrator account can manage all accounts, teams and edit system-wide settings within the application. The impact is not deemed as high, as it requires the attacker to have access to an administrator account. Regular user accounts cannot exploit this to gain admin rights. **Recommendations** For versions prior to 4.3.0, update to version 4.3.0 to resolve the issue. As a temporary workaround, consider removing the ability of administrators to create accounts until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: eLabFTW versions prior to 4.2.0 Description: The issue allows any authenticated user to gain access to arbitrary accounts by setting a specially crafted email address, impacting instances without an explicit email domain name allowlist. Administrators and targeted users are not notified of account changes. An attacker needs to control an account to exploit this. The default settings require administrators to validate newly created accounts. Recommendations: For versions prior to 4.2.0, upgrade to at least version 4.2.0 to resolve the issue. For users unable to upgrade, enable an email domain allow list from the Sysconfig panel, Security tab, to completely resolve the issue.

Name of the Vulnerable Software and Affected Versions: eLabFTW versions prior to 4.2.0 Description: The issue allows an attacker to authenticate as an existing user if that user was created using a single sign-on authentication option such as LDAP or SAML. It impacts instances where LDAP or SAML is used for authentication instead of the local password mechanism. Recommendations: For versions prior to 4.2.0, upgrade to at least version 4.2.0 to resolve the issue. As a temporary workaround, consider restricting the use of single sign-on authentication options until the upgrade is applied.