Catferq

**Name of the Vulnerable Software and Affected Versions** FileManager versions prior to 3.0.9 **Description** The issue is related to the deserialization of untrusted data from the `mimes` parameter, which could lead to remote code execution. This was fixed in version 3.0.9. **Recommendations** For versions prior to 3.0.9, update to version 3.0.9 to resolve the issue. As a temporary workaround, consider restricting access to the `mimes` parameter to minimize the risk of exploitation. A `composer update` will solve the issue in a non-breaking way.

**Name of the Vulnerable Software and Affected Versions** Filament versions prior to 3.2.123 **Description** The issue is related to the default configuration of Filament, which uses the `default filesystem disk` config option for storage features. The default disk is set to `public` when first installed, allowing users to quickly develop with a functional disk. However, this default setting can be insecure as some features, such as exports, store files containing sensitive data that should not be public. The estimated number of potentially affected devices is not provided. There is no information about real-world incidents where this issue was exploited. **Recommendations** For Filament versions prior to 3.2.123, upgrade to version 3.2.123 or later to resolve the issue. As a temporary workaround, consider setting the export disk deliberately to a secure option, such as `local` or `s3`, to minimize the risk of exploitation. If the `public` disk is set as the default disk, the exports feature will automatically swap it out for the `local` disk, if that exists. Users who set the default disk to `local` or `s3` already are not affected.

**Name of the Vulnerable Software and Affected Versions** Orchid Platform versions 8 through 14.42.x **Description** The issue is a method exposure problem in the Orchid Platform’s asynchronous modal functionality, allowing attackers to call arbitrary methods within the `Screen` class. This could lead to brute force attacks on database tables, validation checks against user credentials, and disclosure of the server’s real IP address. **Recommendations** For Orchid Platform versions 8 through 14.42.x, upgrade to version 14.43.0 or later to address this issue. If upgrading to version 14.43.0 is not immediately possible, implement middleware to intercept and validate requests to asynchronous modal endpoints, allowing only approved methods and parameters, such as the provided example middleware `PreventBruteForceOnAsyncRoute`.

**Name of the Vulnerable Software and Affected Versions** Orchid versions 14.0.0-alpha4 through 14.4.x **Description** A vulnerability is present in the Orchid package, related to the deserialization of untrusted data from the ` state` query parameter, which can result in remote code execution. The issue allows a remote attacker to execute arbitrary code. **Recommendations** For versions 14.0.0-alpha4 through 14.4.x, upgrade the software to version 14.5.0 or any subsequent versions that include the patch to address the issue. As a temporary workaround, consider restricting access to the ` state` query parameter until a patch is applied.