Bg0D-Glitch

**Name of the Vulnerable Software and Affected Versions** GuardDog versions 2.6.0 through 2.9.0 **Description** GuardDog includes attacker-controlled filenames, file locations, messages, and code snippets in its default human-readable output without escaping terminal control characters. This allows a malicious package to inject ANSI or OSC escape sequences into analyst terminals or CI logs. The issue occurs because the human-readable reporter prints values directly from the finding formatter without applying escaping for control characters such as `x1b`. This can be exploited to clear or rewrite terminal output, inject spoofed log content in CI, or emit clickable OSC 8 hyperlinks and title changes in compatible terminals. **Recommendations** For versions 2.6.0 through 2.9.0, escape or strip terminal control characters before rendering package names, file paths, messages, and code snippets in human-readable output.

**Name of the Vulnerable Software and Affected Versions** GuardDog versions 1.0.0 through 2.9.0 **Description** The programmatic remote project scanning path in the `ProjectScanner.scan remote()` function rewrites attacker-controlled repository URLs using blind string replacement before sending the caller's GitHub credentials with the request. Because the logic fails to parse or validate the hostname, a crafted URL can trigger Server-Side Request Forgery (SSRF), allowing an attacker to capture the `GH TOKEN` used by the tool. This occurs when the software replaces the string "github" with "raw.githubusercontent" without verifying the destination, leading the system to send HTTP Basic Auth credentials to an arbitrary host. **Recommendations** Update GuardDog to a version later than 2.9.0. As a temporary workaround, restrict the use of the `ProjectScanner.scan remote()` function to trusted repository URLs only.

Name of the Vulnerable Software and Affected Versions jq versions 1.8.1 and earlier Description A command-line JSON processor is subject to a denial of service. The functions `jv setpath()`, `jv getpath()`, and `delpaths sorted()` in `src/jv aux.c` use unbounded recursion where the depth is controlled by the length of a caller-supplied path array. An attacker can supply a JSON document containing a flat array of approximately 65,000 integers that exhausts the C call stack, resulting in a segmentation fault (SIGSEGV) and a process crash. This occurs because the `MAX PARSING DEPTH` limit only protects the JSON parser and not runtime path operations. Recommendations Apply the fix provided in commit `fb59f1491058d58bdc3e8dd28f1773d1ac690a1f`. Restrict the use of `setpath`, `getpath`, and `delpaths` builtins when processing untrusted JSON input to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** FileRise versions 2.3.7 through 3.10.0 **Description** FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. The file snippet endpoint `/api/file/snippet.php` allows an authenticated user with only `read own` access to a folder to retrieve snippet content from files uploaded by other users in the same folder. This is a server-side authorization flaw in the `read own` enforcement for hover previews. The `read own` access control is bypassed, allowing unauthorized access to file content. **Recommendations** FileRise versions 2.3.7 through 3.10.0 should be upgraded to version 3.11.0 or later.

**Name of the Vulnerable Software and Affected Versions** Frigate version 0.17.0 **Description** Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. In version 0.17.0, an authenticated, non-administrator user can access the complete, unredacted Frigate configuration through the `/api/config/raw` API endpoint. This access exposes sensitive information intentionally hidden from the `/api/config` endpoint, including camera credentials, go2rtc stream credentials, MQTT passwords, proxy secrets, and any other secrets stored in the `config.yml` file. This issue stems from a broken access control mechanism introduced during the refactoring of the administrator API. Specifically, while `/api/config/raw paths` is restricted to administrators, the `/api/config/raw` endpoint remains accessible to any authenticated user. The vulnerable parameter is not explicitly mentioned. **Recommendations** Update to version 0.17.1 or later to resolve this issue.

**Name of the Vulnerable Software and Affected Versions** Frigate version 0.17.0 **Description** Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. A low-privilege authenticated user restricted to one camera can access snapshots from other cameras. This is possible due to authorization problems in two API endpoints: `/api/timeline` returns timeline entries for cameras outside the caller's allowed camera set, and `/api/events/{event id}/snapshot-clean.webp` does not validate `event.camera` after looking up the event, despite declaring `Depends(require camera access)`. This allows a restricted user to enumerate event IDs from unauthorized cameras and then fetch clean snapshots for those events using the `event id` variable. **Recommendations** Update to version 0.17.1 or later.

**Name of the Vulnerable Software and Affected Versions** FileRise versions prior to 3.10.0 **Description** FileRise is a self-hosted web file manager and WebDAV server. A flaw in the access control mechanism within FileRise’s ONLYOFFICE integration permits an authenticated user with read-only permissions to acquire a signed `save callbackUrl` for a file. Subsequently, this allows the attacker to manipulate the ONLYOFFICE save callback and overwrite the file with content they control. The affected component is the ONLYOFFICE integration. The vulnerable parameter is the `callbackUrl`. **Recommendations** Update to version 3.10.0 or later.