Bvalmich

Name of the Vulnerable Software and Affected Versions: Dokploy versions prior to 0.23.7 Description: Dokploy is a self-hostable Platform as a Service (PaaS) that simplifies the deployment and management of applications and databases. An authenticated low-privileged account can retrieve detailed profile information about another user in the same organization by directly invoking the `user.one` endpoint. The response discloses personally-identifiable information (PII) such as `email address`, `role`, `two-factor status`, `organization ID`, and various `account flags`. Recommendations: For versions prior to 0.23.7, update to version 0.23.7 to resolve the issue. As a temporary workaround, consider restricting access to the `user.one` endpoint to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Dokploy versions prior to 0.23.7 Description: Dokploy is a self-hostable Platform as a Service (PaaS) that simplifies the deployment and management of applications and databases. An authenticated attacker can read any file that the Traefik process user can access, such as `/etc/passwd`, application source, environment variable files containing credentials and secrets. This may lead to full compromise of other services or lateral movement. Recommendations: For versions prior to 0.23.7, update to version 0.23.7 to resolve the issue. As a temporary workaround, consider restricting access to sensitive files and environment variables to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Dokploy versions prior to 0.23.7 Description: Dokploy is a self-hostable Platform as a Service (PaaS) that simplifies the deployment and management of applications and databases. An authenticated, low-privileged user can run arbitrary OS commands on the Dokploy host. The tRPC procedure `docker.getContainersByAppNameMatch` interpolates the attacker-supplied `appName` value into a Docker CLI call without sanitisation, enabling command injection under the Dokploy service account. Recommendations: For versions prior to 0.23.7, update to version 0.23.7 to fix the issue. As a temporary workaround, consider restricting access to the `docker.getContainersByAppNameMatch` procedure to prevent command injection attacks.