Axel-Corsiez

**Name of the Vulnerable Software and Affected Versions** DFIR-IRIS versions prior to 2.4.28 **Description** An optional GraphQL endpoint at "/graphql" does not enforce the same authorization checks as the REST API. This allows any authenticated user, regardless of their role or case Access Control List (ACL), to perform unauthorized actions. These include reading Indicators of Compromise (IOC) across different cases via Insecure Direct Object Reference (IDOR), bulk disclosure of IOCs through the `case.iocs` resolver—which returns IOCs linked to an arbitrary case without verifying access—and unauthorized case creation. **Recommendations** Update to version 2.4.28. Block the "/graphql" endpoint at the reverse proxy. Comment out the `graphql blueprint` import and the `register blueprint` call in `source/app/views.py` and restart the service.

**Name of the Vulnerable Software and Affected Versions** Budibase versions prior to 3.39.0 **Description** The OAuth2 token fetch function in `packages/server/src/sdk/workspace/oauth2/utils.ts` uses a raw `fetch(config.url)` call without Server-Side Request Forgery (SSRF) protection. SSRF is a flaw that allows an attacker to induce the server-side application to make requests to an unintended location. While a safe wrapper `fetchWithBlacklist()` is used for other outbound HTTP calls, it was not applied to the OAuth2 token endpoint. A user with the BUILDER role can point the OAuth2 token URL to internal services, such as CouchDB or cloud metadata, to exfiltrate sensitive data. **Recommendations** Update to version 3.39.0.

Name of the Vulnerable Software and Affected Versions Saltcorn versions prior to 1.4.5, prior to 1.5.5, and prior to 1.6.0-beta.4. Description Saltcorn is an extensible, open source, no-code database application builder. Unauthenticated attackers can create arbitrary directories and write attacker-controlled JSON content to files via the `POST /sync/offline changes` API endpoint. The `GET /sync/upload finished` API endpoint allows unauthenticated attackers to list arbitrary directory contents and read specific JSON files. The vulnerability stems from a lack of proper path validation in these endpoints, specifically failing to apply the `File.normalise in base()` function used in other parts of the codebase. The `newSyncTimestamp` parameter in the `POST /sync/offline changes` endpoint and the `dir name` query parameter in the `GET /sync/upload finished` endpoint are used directly in `path.join()` without sanitization, allowing path traversal. This could lead to arbitrary file write, directory listing, and potential remote code execution by writing to sensitive paths. Recommendations Apply `File.normalise in base()` to the `POST /sync/offline changes` and `GET /sync/upload finished` endpoints, mirroring the implementation in the `clean sync dir` endpoint. Additionally, add `loggedIn` middleware to endpoints that modify server state.

Name of the Vulnerable Software and Affected Versions: changedetection.io versions prior to 0.54.8 Description: The `@login optionally required` decorator was incorrectly placed before `@blueprint.route()` on 13 routes across 5 blueprint files. This decorator order reversal bypasses authentication checks, allowing unauthenticated access to sensitive routes, including backup creation, listing, download, and removal. Successful exploitation can lead to complete data exfiltration, including monitored URLs, notification webhook URLs (potentially containing API tokens), and configuration data. Attackers could also upload malicious backups to inject configurations, perform Server-Side Request Forgery (SSRF), and potentially hijack browser sessions. The API endpoints affected include '/backups/request-backup', '/backups/', '/backups/download/<filename>', and '/backups/remove-backups'. The vulnerable parameter is the filename in the '/backups/download/<filename>' endpoint. Recommendations: Update to version 0.54.8 or later. Ensure the `@blueprint.route()` decorator is the outermost decorator for all affected routes. For example: @blueprint.route('/backups/download/<filename>') @login optionally required def download backup(filename):

**Name of the Vulnerable Software and Affected Versions** pyLoad (affected versions not specified) **Description** The `ADMIN ONLY OPTIONS` protection mechanism, intended to restrict access to sensitive configuration values, is not applied to plugin configuration options. Specifically, the `AntiVirus` plugin stores an executable path (`avfile`) in its configuration, which is then directly passed to `subprocess.Popen()`. A non-admin user with SETTINGS permission can modify this path to execute arbitrary code. The vulnerability also allows for arbitrary file read through manipulation of the `storage folder` configuration option. An attacker can set `storage folder` to '/' and then access files like `/etc/passwd` via the `/files/get/` API endpoint. This results in remote code execution, potential privilege escalation, and arbitrary file read. **API Endpoints**: `/api/set config value`, `/api/add package`, `/files/get/` **Vulnerable Parameters or Variables**: `avfile`, `avargs`, `storage folder`, `section`, `option`, `value` **Vulnerable Functions**: `scan file()`, `set config value()` **Recommendations** Apply `ADMIN ONLY OPTIONS` to plugin configurations. Specifically, add plugin options that control executables or paths, such as `AntiVirus.avfile` and `AntiVirus.avargs`, to the `ADMIN ONLY PLUGIN OPTIONS` set within the `set config value()` function. Alternatively, validate that the `avfile` parameter points to a known and trusted antivirus binary before passing it to `subprocess.Popen()`.

Name of the Vulnerable Software and Affected Versions OneUptime versions prior to 10.0.42 Description OneUptime, an open-source monitoring and observability platform, had an issue where unauthenticated access to Notification test and Phone Number management endpoints allowed for abuse, including SMS, call, email, and WhatsApp spamming, as well as unauthorized phone number purchases. Attackers could potentially drain budgets and flood targets with unwanted messages. Recommendations Update to version 10.0.42 or later.

Name of the Vulnerable Software and Affected Versions Fireshare versions prior to 1.5.3 Description Fireshare allows self-hosted media and link sharing. Prior to version 1.5.3, a flaw existed in the /api/uploadChunked/public endpoint where an unauthenticated attacker could manipulate the `checkSum` parameter to write arbitrary files with attacker-controlled content to any writable path on the server filesystem. The fix for a related issue was applied to the authenticated /api/uploadChunked endpoint but not to the unauthenticated one. This allows for remote code execution. Recommendations Update to version 1.5.3 or later.

Name of the Vulnerable Software and Affected Versions PdfDing versions prior to 1.7.1 Description PdfDing is a selfhosted PDF manager, viewer and editor. Prior to version 1.7.1, the `check shared access allowed()` function only validates session existence and does not check if a shared PDF is inactive (expired or has reached its maximum view count) or deleted. The Serve and Download API endpoints, ''/serve'' and ''/download'', rely on this function, allowing previously-authorized users to access shared PDF content after it has expired, reached its view limit, or been soft-deleted. Recommendations Update to version 1.7.1 or later.