Arkmarta

**Name of the Vulnerable Software and Affected Versions** @strapi/upload versions prior to 5.33.3 **Description** In the Upload plugin, Content API endpoints failed to enforce administrator-configured MIME type restrictions defined in `plugin.upload.security.allowedTypes` and `deniedTypes`. While these restrictions were active for the Admin Panel, the `enforceUploadSecurity` security check was missing from the Content API controller. Consequently, the `uploadFiles` and `replaceFile` handlers, as well as the `upload` wrapper, bypassed MIME detection and allow/deny lists. An authenticated user with Content API upload permissions could upload disallowed file types, such as HTML and SVG. If uploaded files are served from the same origin as the admin panel, an attacker could upload a malicious HTML or SVG file. When opened by an administrator, this file could execute JavaScript within the admin origin, potentially leading to admin-session hijacking and unauthorized administrative actions via the admin API. **Recommendations** Update @strapi/upload to version 5.33.3 or later.

Name of the Vulnerable Software and Affected Versions Payload versions prior to 3.79.1 Description Payload, a headless content management system, had insufficient input validation in certain requests. This allowed attackers to manipulate SQL query execution, potentially leading to data exposure or modification in collections. Recommendations Upgrade to version 3.79.1 or later.

**Name of the Vulnerable Software and Affected Versions** AVideo versions prior to 8.0 **Description** AVideo is a video-sharing platform. Versions prior to 8.0 contain a SQL Injection issue in the `getSqlFromPost()` method of Object.php. The `$ POST['sort']` array keys are used directly as SQL column identifiers within an ORDER BY clause. While `real escape string()` was applied, it only escapes string-context characters and does not protect SQL identifiers, rendering it ineffective. The issue stems from the direct use of unsanitized input in constructing a SQL query. The `sort` parameter within the `$ POST` request is particularly vulnerable. **Recommendations** Versions prior to 8.0 should be upgraded to version 8.0. As a workaround without upgrading, apply a WAF rule to block POST requests where any `sort[*]` key contains characters outside [A-Za-z0-9 ]. Alternatively, restrict access to the queue view (queue.json.php, index.php) to trusted IP ranges only.

**Name of the Vulnerable Software and Affected Versions** AVideo versions prior to 7.0 **Description** AVideo is a video-sharing Platform software susceptible to unauthenticated Remote Code Execution (RCE). An attacker can inject shell command substitution into the `base64Url` GET parameter, potentially leading to full server compromise, data exfiltration, and service disruption. The issue resides in the improper handling of user-supplied input within shell commands, specifically in files `objects/getImage.php` and `objects/security.php`, utilizing functions like `shell exec` and `nohup`. The root cause is the lack of proper shell escaping when decoding and interpolating the `base64Url` parameter into shell commands. The `FILTER VALIDATE URL` validation does not prevent shell metacharacters from being interpreted by the shell. **Recommendations** Update to version 7.0 to resolve the issue. Restrict access to the `objects/getImage.php` file at the web server or reverse proxy layer. Apply Web Application Firewall (WAF) rules to block suspicious patterns and limit exposure.

**Name of the Vulnerable Software and Affected Versions** AVideo versions prior to 24.0 **Description** AVideo is an open source video platform. A Remote Code Execution (RCE) issue was identified in the plugin upload/import functionality. An authenticated administrator could upload a specially crafted ZIP archive containing executable server-side files. Insufficient validation of extracted file contents allowed the archive to be extracted directly into a web-accessible plugin directory, enabling arbitrary PHP code execution. The issue allows for full system compromise, including confidentiality, integrity, and availability impact. The system validated only the ZIP extension of uploaded plugin packages but did not enforce a strict allowlist of file types within the archive. Extracted files were placed directly in a web-accessible directory without preventing execution of server-side scripts. **Recommendations** Upgrade to AVideo version 24.0 or later. Disable plugin upload/import functionality. Configure the web server to prevent execution of PHP files inside plugin upload directories.

**Name of the Vulnerable Software and Affected Versions** Canarytokens versions prior to `sha-7ff0e12` **Description** The Canarytokens PWA Canarytoken has a Self Cross-Site Scripting issue. A Canarytoken creator can execute Javascript code by inserting it into the title field of their PWA token. This allows the creator to attack themselves or anyone they share the link with. When a victim clicks on the installation link, the Javascript code executes. However, no sensitive information is disclosed to a malicious actor. **Recommendations** Update to a Docker image after `sha-7ff0e12` or pull the latest Docker image from Canarytokens.org.

**Name of the Vulnerable Software and Affected Versions** AVideo versions prior to 22.0 **Description** AVideo is an open source video platform. The `aVideoEncoder.json.php` API endpoint accepts a `downloadURL` parameter and fetches the referenced resource server-side without proper validation or an allow-list. This allows authenticated users to trigger server-side requests to arbitrary URLs, including internal network endpoints, leading to Server-Side Request Forgery (SSRF). An authenticated attacker can leverage SSRF to interact with internal services and retrieve sensitive data, potentially leading to further compromise. The vulnerable parameter is `downloadURL`. **Recommendations** Update AVideo to version 22.0 or later.

**Name of the Vulnerable Software and Affected Versions** AVideo versions prior to 21.0 AVideo version 18.0 **Description** AVideo allows Markdown in video comments and uses Parsedown (v1.7.4) without Safe Mode enabled. Markdown links are not sufficiently sanitized, allowing `javascript:` URIs to be rendered as clickable links. An authenticated low-privilege attacker can post a malicious comment that injects persistent JavaScript. When another user clicks the link, the attacker can perform actions such as session hijacking, privilege escalation (including admin takeover), and data exfiltration. The issue is a Stored Cross-Site Scripting (XSS) as defined by CWE-79. **Recommendations** Versions prior to 21.0 should be updated to version 21.0 or later. For AVideo version 18.0, validate and block unsafe URI schemes (e.g., `javascript:`) before rendering Markdown. Enable Parsedown Safe Mode.

**Name of the Vulnerable Software and Affected Versions** CVAT versions 2.2.0 through 2.54.0 **Description** CVAT is an interactive video and image annotation tool for computer vision. An attacker can execute arbitrary JavaScript in a victim user's CVAT UI session. This is possible by creating a maliciously crafted label in a CVAT task or project, and then getting the victim user to either edit that label or view a shape referencing that label. Alternatively, the attacker can get the victim user to upload a maliciously crafted SVG image when configuring a skeleton. Successful exploitation grants the attacker temporary access to all CVAT resources accessible to the victim user. **Recommendations** Update to version 2.55.0 or later.

**Name of the Vulnerable Software and Affected Versions** CVAT versions 1.0.0 through 2.54.0 **Description** CVAT is an open source interactive video and image annotation tool for computer vision. Users with staff status can modify their permissions, including granting themselves superuser status and joining the admin group, which provides full access to the data within the CVAT instance. **Recommendations** Versions prior to 2.55.0 should be updated. Review the list of users with staff status and revoke it from any users that are not expected to have superuser privileges as a workaround.