Creastery

**Name of the Vulnerable Software and Affected Versions** Shopware versions prior to 6.5.8.13 Shopware versions prior to 6.6.5.1 **Description** The issue concerns the `context` variable injected into almost any Twig Template, allowing access to current language and currency information. The context object can switch the scope of the Context as a helper with a callable function, which can be called from Twig. This allows calling any statically callable PHP function/method from Twig. Exploitation requires access to Administration, using Mail templates or App Scripts. **Recommendations** Update to Shopware 6.5.8.13 to receive a patch. Update to Shopware 6.6.5.1 to receive a patch. For older versions of 6.1, 6.2, 6.3, and 6.4, corresponding security measures are available via a plugin.

**Name of the Vulnerable Software and Affected Versions** Shopware versions prior to 6.6.5.1 Shopware versions prior to 6.5.8.13 **Description** The issue concerns a new Twig Tag `sw silent feature call` in Shopware, which silences deprecation messages. This tag accepts a string parameter for the feature flag name to silence, but the parameter is not properly escaped, allowing code execution. **Recommendations** Update to Shopware 6.6.5.1 to receive a patch. Update to Shopware 6.5.8.13 to receive a patch. For older versions of 6.2, 6.3, and 6.4, install a plugin that provides corresponding security measures to mitigate the issue.

**Name of the Vulnerable Software and Affected Versions** Chamilo LMS versions prior to 1.11.20 **Description** The issue concerns a path traversal vulnerability in the file upload functionality, specifically in the `/main/webservices/additional webservices.php` endpoint. This allows unauthenticated attackers to perform stored cross-site scripting attacks and obtain remote code execution via arbitrary file write. **Recommendations** For versions prior to 1.11.20, update to a version that contains a fix for this issue to prevent path traversal and subsequent remote code execution. As a temporary workaround, consider restricting access to the `/main/webservices/additional webservices.php` endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Chamilo LMS versions prior to 1.11.20 **Description** The issue is related to improper sanitisation in the `main/inc/lib/fileUpload.lib.php` file, which allows unauthenticated attackers to bypass file upload security protections. This can lead to remote code execution via the uploading of a `.htaccess` file. The vulnerability may be exploited by privileged attackers or chained with other vulnerabilities to achieve remote code execution. **Recommendations** For versions prior to 1.11.20, update to a version that contains a fix for this issue to prevent remote code execution. As a temporary workaround, consider restricting access to the `fileUpload.lib.php` file or disabling the file upload functionality until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Chamilo LMS versions prior to 1.11.24 **Description** The issue allows unauthenticated attackers to perform stored cross-site scripting attacks and obtain remote code execution via uploading of web shell, specifically through the big file upload functionality in `/main/inc/lib/javascript/bigupload/inc/bigUpload.php`. This has been exploited in real-world incidents, such as the PermX machine on HackTheBox, where attackers used subdomain enumeration to discover a vulnerable Chamilo LMS instance, and then abused a bash script with sudo privileges to gain root access. **Recommendations** For versions prior to 1.11.24, update to version 1.11.24 or later to resolve the issue. As a temporary workaround, consider disabling the big file upload functionality in `/main/inc/lib/javascript/bigupload/inc/bigUpload.php` until a patch is available. Restrict access to the `/main/inc/lib/javascript/bigupload/inc/bigUpload.php` file to minimize the risk of exploitation. Avoid using the big file upload functionality until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Chamilo LMS versions prior to 1.11.24 **Description** The issue concerns improper neutralisation of special characters, allowing command injection in the `main/lp/openoffice presentation.class.php` file. This enables users who are permitted to upload Learning Paths to obtain remote code execution. **Recommendations** For versions prior to 1.11.24, update to a version that contains a fix for this issue to prevent remote code execution. As a temporary workaround, consider restricting access to the `main/lp/openoffice presentation.class.php` file or disabling the upload of Learning Paths until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Chamilo LMS versions prior to 1.11.20 **Description** The issue concerns command injection in the `/main/webservices/additional webservices.php` endpoint, allowing unauthenticated attackers to achieve remote code execution due to improper neutralization of special characters. This is a bypass of a previously known issue. **Recommendations** For versions prior to 1.11.20, as a temporary workaround, consider restricting access to the `/main/webservices/additional webservices.php` endpoint until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Chamilo LMS versions prior to 1.11.24 **Description** The issue concerns an unrestricted file upload in the `/main/inc/ajax/dropbox.ajax.php` endpoint, allowing authenticated attackers with a learner role to achieve remote code execution by uploading PHP files. **Recommendations** For versions prior to 1.11.24, update to a version that contains a fix for this issue to prevent remote code execution. As a temporary workaround, consider restricting access to the `/main/inc/ajax/dropbox.ajax.php` endpoint to prevent file uploads.

**Name of the Vulnerable Software and Affected Versions** Chamilo LMS versions prior to 1.11.24 **Description** The issue concerns an unrestricted file upload in the `/main/inc/ajax/exercise.ajax.php` endpoint, allowing authenticated attackers with a learner role to achieve remote code execution by uploading PHP files. **Recommendations** For versions prior to 1.11.24, update to a version that contains a fix for this issue to prevent remote code execution via unrestricted file uploads.

**Name of the Vulnerable Software and Affected Versions** Chamilo LMS versions prior to 1.11.24 **Description** The issue allows authenticated attackers with a learner role to achieve remote code execution. This is possible due to an unrestricted file upload in the `/main/inc/ajax/work.ajax.php` endpoint, which enables the uploading of PHP files. **Recommendations** For versions prior to 1.11.24, update to a version that contains a fix for this issue. As a temporary workaround, consider restricting access to the `/main/inc/ajax/work.ajax.php` endpoint to prevent exploitation.

**Name of the Vulnerable Software and Affected Versions** Chamilo LMS versions prior to 1.11.24 **Description** The issue concerns a command injection in the `main/lp/openoffice text document.class.php` file, allowing users who can upload Learning Paths to achieve remote code execution. This is due to the improper neutralization of special characters. **Recommendations** For versions prior to 1.11.24, update to a version that contains a fix for this issue to prevent command injection and potential remote code execution. As a temporary workaround, consider restricting the upload of Learning Paths to trusted users or disabling the vulnerable `openoffice text document.class.php` file until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Chamilo LMS versions prior to 1.11.24 **Description** The issue concerns an unrestricted file upload in the `/main/inc/ajax/document.ajax.php` endpoint, allowing authenticated attackers with a learner role to achieve remote code execution by uploading PHP files. **Recommendations** For versions prior to 1.11.24, update to a version that contains a fix for this issue to prevent remote code execution via unrestricted file uploads.

**Name of the Vulnerable Software and Affected Versions** NodeBB versions <= 2.8.10 **Description** The issue allows unauthenticated attackers to trigger a crash in NodeBB when invoking `eventName.startsWith()` or `eventName.toString()`, while processing Socket.IO messages via crafted Socket.IO messages containing array or object type for the event name respectively. **Recommendations** For NodeBB versions <= 2.8.10, update to a version greater than 2.8.10 to resolve the issue. As a temporary workaround, consider restricting the use of Socket.IO messages to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Shopware versions 6.4.20.0 and earlier, and 6.5.0.0-rc1 through 6.5.0.0-rc4 **Description** The software is susceptible to a Server-side Template Injection (SSTI) issue within the Twig environment. This allows remote attackers, with access to a Twig environment lacking the Sandbox extension, to bypass validation checks in the `ShopwareCoreFrameworkAdapterTwigSecurityExtension`. By utilizing fully-qualified names supplied as an array of strings when referencing callables, attackers can invoke arbitrary PHP functions and potentially execute arbitrary code or commands. The issue stems from insufficient checks on PHP Closures passed as strings or arrays, which were not validated against an allow list. **Recommendations** Shopware versions 6.4.20.0 and earlier should be upgraded to version 6.4.20.1 to resolve this issue. Shopware versions 6.5.0.0-rc1 through 6.5.0.0-rc4 should be upgraded to a patched version. For older versions of 6.1, 6.2, and 6.3, utilize the available security plugin as a mitigation.

**Name of the Vulnerable Software and Affected Versions** Hancom Office version 9.6.1.7634 **Description** The issue allows for a use-after-free via a crafted .docx file, specifically affecting the tfo common component in HwordApp.dll. **Recommendations** For Hancom Office version 9.6.1.7634, at the moment, there is no information about a newer version that contains a fix for this issue.