Cristian Vargas

**Name of the Vulnerable Software and Affected Versions** @fastify/middie versions prior to 9.2.0 **Description** A flaw exists in @fastify/middie that can lead to authentication or authorization bypass when path-scoped middleware is used, such as with `app.use('/secret', auth)`. This occurs when Fastify router normalization options are enabled, including options like `ignoreDuplicateSlashes`, `useSemicolonDelimiter`, and trailing-slash behavior. Specifically, specially crafted request paths may circumvent middleware checks while still reaching protected handlers. **Recommendations** Update @fastify/middie to version 9.2.0 or later.

**Name of the Vulnerable Software and Affected Versions** Nest.js version 11.1.13 **Description** A NestJS application utilizing the @nestjs/platform-fastify package may experience a bypass of authentication and authorization middleware when Fastify path-normalization options are enabled. This can potentially allow unauthorized access to protected resources. **Recommendations** Ensure Fastify path-normalization options are disabled in NestJS applications using @nestjs/platform-fastify.

**Name of the Vulnerable Software and Affected Versions** Quill version 2.0.3 **Description** A flaw exists in the HTML export feature of Quill that does not properly validate data, potentially leading to Cross-Site Scripting (XSS). This issue was identified by Fluid Attacks' research team. **Recommendations** Update to a newer version of Quill that addresses this vulnerability. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Frappe HelpDesk version 1.14.0 **Description** A SQL injection issue exists in Frappe HelpDesk within the `get dashboard data` function of the dashboard component. This is due to the unsafe combination of user-supplied data directly into SQL queries. The vulnerability allows for potential unauthorized access or modification of data. **Recommendations** Apply updates to address the SQL injection issue in the `get dashboard data` function.

**Name of the Vulnerable Software and Affected Versions** Frappe CRM version 1.53.1 **Description** The Frappe CRM Dashboard Controller contains multiple SQL injection flaws. These flaws are due to the unsafe concatenation of user-controlled parameters into dynamic SQL statements. The issue allows for potential unauthorized database access and manipulation. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenSupports version 4.11.0 **Description** The software exposes an endpoint that allows modification of the 'supervised users' list for any account without verifying ownership. This allows a Level 1 staff member to alter the supervision relationship of a target user, potentially granting access to view tickets belonging to other users. This circumvents the intended authorization model and compromises data filtering. The affected API endpoint allows unauthorized modification of supervision relationships. The vulnerable parameter is the list of `supervised users`. **Recommendations** Apply a fix to validate that the actor attempting to modify the 'supervised users' list is the owner of that list.

**Name of the Vulnerable Software and Affected Versions** OpenSupports version 4.11.0 **Description** Two unauthenticated diagnostic endpoints permit arbitrary backend-initiated network connections to a destination specified by an attacker. These endpoints are accessible without authentication due to a permission setting of 'any', enabling Server-Side Request Forgery (SSRF). This allows for internal network scanning and interaction with services. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenSupports versions 4.11.0 **Description** The application’s API endpoint, `/api/staff/get-new-tickets`, directly incorporates the user-supplied parameter `departmentId` into a SQL query without proper sanitization. This allows an authenticated staff user with a privilege level of 1 or higher to inject SQL code, bypassing department-based access restrictions and potentially disclosing tickets from other departments. The `departmentId` parameter is directly concatenated into the SQL WHERE clause, creating a SQL injection point. **Recommendations** Apply input validation and parameterized queries to the `departmentId` parameter in the `/api/staff/get-new-tickets` endpoint to prevent SQL injection.

**Name of the Vulnerable Software and Affected Versions** Ghost versions 5.99.0 through 5.130.3 Ghost versions 6.0.0 through 6.0.8 **Description** A Server-Side Request Forgery (SSRF) vulnerability exists in Ghost that allows an attacker to access internal resources. The vulnerability is present in Ghost’s oEmbed mechanism and allows staff users to exfiltrate data from internal systems via SSRF. **Recommendations** Update to Ghost version 5.130.4 or later. Update to Ghost version 6.0.9 or later.