Cyberboss

**Name of the Vulnerable Software and Affected Versions** tgstation-server versions 4.7.0 through 5.12.1 **Description** The issue allows instance users with the `list chat bots` permission to read chat bot connection strings without the required permission. This affects a significant number of devices, but the exact number is not specified. As a workaround, removing the `list chat bots` permission from users who should not have access to connection strings can mitigate the issue. It is also recommended to invalidate any previously stored credentials for safety. **Recommendations** For versions 4.7.0 through 5.12.1, update to version 5.12.1 to resolve the issue. As a temporary workaround, consider removing the `list chat bots` permission from users that should not have the ability to view connection strings. Invalidate any credentials previously stored for safety.

**Name of the Vulnerable Software and Affected Versions** tgstation-server versions 3.2.1.0 through 3.2.4.0 **Description** The issue allows active logins to be cached, enabling subsequent logins to succeed with any username or password. This is due to a bug in the WCF communication layer, where the `authPolicy` parameter is used incorrectly, causing the server to cache previously returned policies. The bug was introduced to accommodate running the Control Panel using Mono. **Recommendations** For versions 3.2.1.0 through 3.2.4.0, update to version 3.2.5.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the server to minimize the risk of exploitation.