Christian Poeschl

**Name of the Vulnerable Software and Affected Versions** Gambio versions 4.0.0.0 through 4.9.2.0 **Description** A flaw in the password reset function allows an attacker to bypass security checks and set arbitrary passwords for any account, provided the account ID is known. **Recommendations** Apply the 2024-02 v1.0.0 patch for versions 4.0.0.0 through 4.9.2.0.

**Name of the Vulnerable Software and Affected Versions** Gambio version 4.9.2.0 **Description** The issue allows attackers to obtain sensitive information via `error-handler.log.json` and `legacy-error-handler.log.txt` under the webroot. This is due to cleartext storage of sensitive information in Gambio. **Recommendations** For Gambio version 4.9.2.0, consider restricting access to the `error-handler.log.json` and `legacy-error-handler.log.txt` files under the webroot to minimize the risk of exploitation. As a temporary workaround, consider removing or securing these log files until a patch is available. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Gambio versions through 4.9.2.0 **Description** The issue allows attackers to run arbitrary code via the `search` parameter of the "Parcelshopfinder/AddAddressBookEntry" function. This is due to the deserialization of untrusted data. **Recommendations** For versions through 4.9.2.0, as a temporary workaround, consider restricting access to the "Parcelshopfinder/AddAddressBookEntry" function until a patch is available. Avoid using the `search` parameter in this function to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Gambio version 4.9.2.0 **Description** The issue allows attackers to run arbitrary code via crafted smarty email template. This is a Server Side Template Injection in Gambio. **Recommendations** For Gambio version 4.9.2.0, as a temporary workaround, consider disabling the use of crafted smarty email templates until a patch is available. Restrict access to the email template functionality to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Gambio version 4.9.2.0 **Description** The issue allows attackers to execute arbitrary code via the upload of a crafted PHP file, exploiting an Unrestricted File Upload vulnerability in the Content Manager feature. **Recommendations** For Gambio version 4.9.2.0, consider disabling the Content Manager feature until a patch is available to prevent the upload of malicious files. Restrict access to the file upload functionality to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Gambio versions 4.9.2.0 and earlier **Description** The issue allows attackers to run arbitrary SQL commands via a crafted GET request using the `modifiers[attribute][]` parameter. This enables attackers to potentially extract or modify sensitive data. The estimated number of potentially affected devices worldwide is not specified. There is no information provided about real-world incidents where this issue was exploited. **Recommendations** For versions 4.9.2.0 and earlier, consider disabling the `modifiers[attribute][]` parameter in GET requests until a patch is available. Restrict access to sensitive data to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GibbonEdu Gibbon versions through 25.0.0 **Description** The issue allows Directory Traversal via the report template builder. An attacker can create a new Asset Component. The `templateFileDestination` parameter can be set to an arbitrary pathname (and extension), allowing creation of PHP files outside of the uploads directory, directly in the webroot. **Recommendations** For versions through 25.0.0, consider disabling the report template builder feature until a patch is available to prevent exploitation. Restrict access to the `templateFileDestination` parameter to minimize the risk of creating malicious PHP files. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GibbonEdu Gibbon versions through 25.0.0 **Description** The issue allows file upload with resultant XSS through the /modules/Planner/resources addQuick ajaxProcess.php file. The `imageAsLinks` parameter must be set to 'Y' to return HTML code. The `filename` attribute of the `bodyfile1` parameter is reflected in the response. **Recommendations** For versions through 25.0.0, as a temporary workaround, consider restricting access to the /modules/Planner/resources addQuick ajaxProcess.php file until a patch is available. Avoid using the `imageAsLinks` parameter set to 'Y' and the `bodyfile1` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GibbonEdu Gibbon version 25.0.0 **Description** The issue allows HTML Injection via an IFRAME element to the Messager component. This can potentially lead to malicious code execution. **Recommendations** For GibbonEdu Gibbon version 25.0.0, consider disabling the Messager component until a patch is available to prevent HTML Injection via an IFRAME element.

**Name of the Vulnerable Software and Affected Versions** GibbonEdu Gibbon versions 25.0.1 and before **Description** The issue allows for Arbitrary File Write due to the lack of authentication in the rubrics visualise saveAjax.php file. This file accepts parameters such as `img`, `path`, and `gibbonPersonID`. The `img` parameter is expected to be a base64 encoded image, and if the `path` parameter is set, it is used as the destination folder, concatenated with the absolute path of the installation directory. The content of the `img` parameter is then base64 decoded and written to the defined file path, allowing for the creation of PHP files that permit Remote Code Execution without authentication. **Recommendations** For versions 25.0.1 and before, as a temporary workaround, consider disabling the rubrics visualise saveAjax.php file until a patch is available. Restrict access to this file to minimize the risk of exploitation. Avoid using the `img`, `path`, and `gibbonPersonID` parameters in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.