Anuraagbaishya

Rank #5256 of 53,633 · Total CVSS 50.5 · Vulnerabilities: 6 (Critical 2, High 3, Medium 1)
PT-2026-22994 · CVSS 8.6 · 2026-03-02 · Php · Php · CVE-2026-28507
**Name of the Vulnerable Software and Affected Versions** Idno versions prior to 1.6.4 **Description** Idno, a social publishing platform, contains a remote code execution vulnerability reachable through a chain of two issues. First, a web application administrator running a WordPress import can be induced to write a PHP file into the server's temporary directory, because the import fetches an attacker-controlled URL. Second, any authenticated user can then trigger inclusion of that file through an unsanitized template name parameter, yielding arbitrary operating system command execution as the web server user. The first component, the `importImagesFromBodyHTML()` function in `Idno/Core/Migration.php`, makes the server fetch an attacker-controlled URL while processing a WordPress import and writes the fetched content to the temp directory as a PHP file. The second component, in `Idno/Pages/Search/User.php` and `Idno/Core/Bonita/Templates.php`, lets any authenticated user include that file by supplying an unsanitized template name: the `draw()` function in `Idno/Core/Bonita/Templates.php` applies a weak regex that does not prevent path traversal, so an attacker can include files outside the intended template directory. Exploitation requires the text plugin to be enabled and `allow_url_fopen` to be enabled in PHP. **Recommendations** Versions prior to 1.6.4: upgrade to version 1.6.4 or later. Restrict the characters allowed in template names in `draw()` to an allowlist such as `^[a-z0-9/_-]+$`, rejecting any name containing `../` or beginning with `/`. Validate the extension of files written by `importImagesFromBodyHTML()` against an allowlist of image extensions (jpg, jpeg, png, gif, webp) before writing to disk. Validate the hostname of image URLs in `importImagesFromBodyHTML()` against the source domain by parsing the URL and comparing the host component, rather than using `substr_count()`, which does not distinguish the hostname from the path (the source domain appearing anywhere in the URL, including in the path of an attacker's host, would pass). Use `tempnam()` for temp files in the import flow rather than constructing filenames from user-controlled URL components.
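The three input checks recommended above (hostname comparison, image extension allowlist, template name allowlist) as an added illustration in Python. This is not Idno's code and not PHP; the function names, the `naive_same_source()` model of the `substr_count()` check, and the sample URLs are assumptions made for the example. The template regex is the advisory's own allowlist; because `.` is not in the character class, `..` can never survive it.

```python
"""Checks modelling the CVE-2026-28507 recommendations (added example in
Python, not Idno's PHP). Sample inputs below are constructed."""
import re
from urllib.parse import urlparse

ALLOWED_IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "webp"}
# Allowlist from the advisory: lowercase alphanumerics, '/', '_' and '-'.
# '.' is deliberately absent, so '..' cannot appear in an accepted name.
TEMPLATE_NAME_RE = re.compile(r"^[a-z0-9/_-]+$")


def naive_same_source(url: str, source_domain: str) -> bool:
    """Assumed model of the flawed check: a substring count over the whole
    URL, like substr_count() on the unparsed string. The source domain in
    the *path* of an attacker's host is enough to pass."""
    return url.count(source_domain) > 0


def strict_same_source(url: str, source_domain: str) -> bool:
    """Parse the URL and compare only the host component, case-insensitively."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    return parts.hostname.lower() == source_domain.lower()


def has_allowed_image_extension(url: str) -> bool:
    """Decide on the last path segment's extension only; query strings and
    fragments are ignored, so 'shell.php?x=.png' does not pass."""
    last_segment = urlparse(url).path.rsplit("/", 1)[-1]
    ext = last_segment.rsplit(".", 1)[1].lower() if "." in last_segment else ""
    return ext in ALLOWED_IMAGE_EXTENSIONS


def is_safe_template_name(name: str) -> bool:
    """Allowlist plus the explicit traversal and absolute-path rejections
    the advisory asks for (belt and braces: the regex alone rejects them)."""
    if not TEMPLATE_NAME_RE.fullmatch(name):
        return False
    if name.startswith("/") or ".." in name:
        return False
    return True


def import_image_allowed(url: str, source_domain: str) -> bool:
    """Combined gate for an image URL encountered during a WordPress import."""
    return strict_same_source(url, source_domain) and has_allowed_image_extension(url)
```

The Python analogue of the `tempnam()` recommendation is `tempfile.mkstemp()`: let the library pick the file name instead of deriving it from URL components.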
PT-2026-22995 · CVSS 9.2 · 2026-03-02 · Idno · Idno · CVE-2026-28508
**Name of the Vulnerable Software and Affected Versions** Idno versions prior to 1.6.4 **Description** A flaw in Idno's API authentication flow allows the CSRF protection on the URL unfurl service endpoint to be bypassed. Two things combine: the endpoint has no login requirement, and the authentication logic is ordered incorrectly. An unauthenticated remote attacker can exploit this to make the server issue arbitrary outbound HTTP requests to any host, including internal network addresses and cloud instance metadata services, and to read back the response content (server-side request forgery). The affected components are `Idno/Pages/Service/Web/UrlUnfurl.php`, `Idno/Core/Session.php` and `Idno/Core/Actions.php`. The affected endpoint is `GET /service/web/unfurl?url=<attacker-controlled-url>`, handled by `\Idno\Pages\Service\Web\UrlUnfurl::getContent()`. The root cause is that `setIsAPIRequest(true)` is called unconditionally before the credentials are verified: supplying any non-empty values for the `X-IDNO-USERNAME` and `X-IDNO-SIGNATURE` headers is enough to mark the request as an API request and so skip the token gatekeeper, regardless of whether the signature is valid. The result is access to internal services and potential exfiltration of sensitive information such as cloud instance metadata. **Recommendations** Versions prior to 1.6.4 should be updated to version 1.6.4 or later. Move `setIsAPIRequest(true)` to after successful HMAC verification. Block private address ranges in the unfurl function so that it refuses requests to RFC 1918 addresses, loopback and link-local ranges (which include the 169.254.169.254 metadata address); apply the check to the addresses the hostname resolves to, not only to IP literals in the URL.
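Both recommendations as an added model in Python (not Idno's PHP and not its real API protocol): the vulnerable flag ordering beside the fixed one, and a destination guard for the unfurl target. The header names are from the advisory; the signature scheme (hex HMAC-SHA256 over the request path, keyed with the user's API key), the credential store, the `SAMPLE_DNS` answers and all function names are assumptions of this example.

```python
"""Model of the CVE-2026-28508 fix (added illustration, not Idno's code):
set the API-request flag only after the signature verifies, and refuse
unfurl targets that resolve to private, loopback or link-local addresses.
Signature scheme, credential store and DNS answers are constructed."""
import hashlib
import hmac
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed sample credential store: username -> API key.
API_KEYS = {"alice": b"alice-secret-key"}


def sign(path: str, api_key: bytes) -> str:
    """Assumed signature: hex HMAC-SHA256 of the request path."""
    return hmac.new(api_key, path.encode(), hashlib.sha256).hexdigest()


def credentials_valid(headers: dict, path: str) -> bool:
    user = headers.get("X-IDNO-USERNAME", "")
    sig = headers.get("X-IDNO-SIGNATURE", "")
    key = API_KEYS.get(user)
    if key is None or not sig:
        return False
    return hmac.compare_digest(sign(path, key), sig)


def csrf_check_skipped_vulnerable(headers: dict, path: str) -> bool:
    """Vulnerable ordering: the flag is set as soon as both headers are
    non-empty, before the signature is checked, and the CSRF token
    gatekeeper consults that flag, so forged headers skip it."""
    is_api_request = bool(headers.get("X-IDNO-USERNAME")) and bool(headers.get("X-IDNO-SIGNATURE"))
    credentials_valid(headers, path)  # runs, but its result never clears the flag
    return is_api_request


def csrf_check_skipped_fixed(headers: dict, path: str) -> bool:
    """Fixed ordering: only a verified signature marks the request as API."""
    return credentials_valid(headers, path)


# Constructed DNS answers so the example runs offline; pass None in
# production to use getaddrinfo().
SAMPLE_DNS = {
    "example.org": ["93.184.216.34"],
    "metadata.internal": ["169.254.169.254"],
    "rebind.example": ["93.184.216.34", "10.0.0.5"],
}


def sample_resolver(host: str) -> list:
    return SAMPLE_DNS.get(host, [])


def resolve_addresses(host: str, resolver=None) -> list:
    try:
        return [str(ipaddress.ip_address(host))]  # literal IP, no lookup needed
    except ValueError:
        pass
    if resolver is not None:
        return resolver(host)
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_blocked_address(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.5 must be judged as 10.0.0.5
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def unfurl_target_allowed(url: str, resolver=None) -> bool:
    """True only for http(s) URLs whose every resolved address is public."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        addrs = resolve_addresses(parts.hostname, resolver)
    except (socket.gaierror, ValueError):
        return False
    return bool(addrs) and not any(is_blocked_address(a) for a in addrs)
```

Rejecting a host if any resolved address is blocked defends against a name that mixes public and private answers. Resolving at check time still leaves a window before the real fetch (DNS rebinding); a stricter implementation connects to the validated address directly rather than resolving the name a second time.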
PT-2026-21771 · CVSS 6.1 · 2026-02-24 · Unknown · Leafletlayer · CVE-2026-27156
**Name of the Vulnerable Software and Affected Versions** NiceGUI versions prior to 3.8.0 **Description** NiceGUI APIs including `Element.run_method()`, `AgGrid.run_grid_method()`, `EChart.run_chart_method()` and others relied on an `eval()` fallback in the client-side JavaScript `runMethod()` function, so a user-controlled method name could be executed as arbitrary JavaScript in the victim's browser. In addition, `Element.run_method()` and `Element.get_computed_prop()` built the method or property name into the message by string interpolation instead of `json.dumps()`, so a quote in the name could break out of the intended string context (quote injection). An attacker could craft a URL carrying a payload in a query parameter; if the application passes that parameter as a method name to any of the affected APIs, the payload is sent to the client over the WebSocket and executed, enabling cookie or token theft, DOM manipulation, and actions performed as the victim user. The affected methods are `Element.run_method()`, `Element.get_computed_prop()`, `AgGrid.run_grid_method()`, `AgGrid.run_row_method()`, `EChart.run_chart_method()`, `JsonEditor.run_editor_method()`, `Xterm.run_terminal_method()`, `Leaflet.run_map_method()`, `Leaflet.run_layer_method()` and `LeafletLayer.run_method()`. **Recommendations** Update to NiceGUI version 3.8.0 or later. If updating is not immediately possible, use `ui.run_javascript()` instead of passing JavaScript functions as method names, and never pass user-controlled input as a method name. For example, replace `row = await grid.run_grid_method('g => g.getDisplayedRowAtIndex(0).data')` with `row = await ui.run_javascript(f'return getElement({grid.id}).api.getDisplayedRowAtIndex(0).data')`.
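The two mechanisms in the description (quote injection through interpolation versus `json.dumps()`, and an attacker-controlled query parameter reaching a method name) plus the recommended workaround, as an added model in Python. This is not NiceGUI's code: the message shapes, `METHOD_NAME_RE`, and all function names are assumptions made for the example; `grid_row_js()` only builds the string the advisory's `ui.run_javascript()` example uses, from trusted integers.

```python
"""Model of the CVE-2026-27156 input paths (added example, not NiceGUI's
implementation). Regex, message shapes and sample URLs are constructed."""
import json
import re
from urllib.parse import parse_qs, urlparse

# A JavaScript identifier or dotted member path such as 'api.sizeColumnsToFit'.
# Arrow functions, parentheses and quotes are rejected: such a name is code.
METHOD_NAME_RE = re.compile(r"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$")


def js_string_unsafe(name: str) -> str:
    """The pre-3.8.0 pattern: quote the name by interpolation, so a quote
    inside the name terminates the JS string literal (quote injection)."""
    return f"'{name}'"


def js_string_safe(name: str) -> str:
    """json.dumps yields a JS string literal with quotes and control
    characters escaped, so the name cannot leave string context."""
    return json.dumps(name)


def is_safe_method_name(name: str) -> bool:
    return METHOD_NAME_RE.fullmatch(name) is not None


def validate_method_name(name: str) -> str:
    """Allowlist for any name that may be forwarded to a run_*_method call;
    raises instead of forwarding executable JavaScript."""
    if not is_safe_method_name(name):
        raise ValueError(f"refusing non-identifier method name: {name!r}")
    return name


def method_name_from_url(url: str, param: str = "method") -> str:
    """The attacker-controlled input the advisory describes: a query
    parameter. Validate it before it can reach an element API."""
    values = parse_qs(urlparse(url).query).get(param)
    if not values:
        raise ValueError("missing parameter")
    return validate_method_name(values[0])


def grid_row_js(grid_id: int, index: int) -> str:
    """The advisory's workaround shape: build the JavaScript server-side
    from trusted values only (element id, integer index) for
    ui.run_javascript(), instead of passing a function body as a name."""
    return f"return getElement({int(grid_id)}).api.getDisplayedRowAtIndex({int(index)}).data"
```

Note that the allowlist also rejects the legitimate pre-fix idiom `'g => g.getDisplayedRowAtIndex(0).data'`; that is intended, since such callers should move to `ui.run_javascript()` as the advisory recommends.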