D-Xuan

**Name of the Vulnerable Software and Affected Versions** Vaultwarden versions 1.34.3 and prior **Description** Vaultwarden, a Bitwarden compatible server, is susceptible to a 2FA bypass when performing protected actions. An attacker who gains authenticated access to a user’s account can exploit this bypass to perform actions such as accessing the user’s API key or deleting the user’s vault and organizations the user is an admin/owner of. The issue stems from incorrect persistence of attempt counts during one-time passcode (OTP) validation. The `validate protected action otp` function increments the attempt count locally but does not update the stored value, allowing an attacker to bypass the rate limit. The OTP is only six digits long, making it vulnerable to brute-force attacks, which can be successful with a request throughput of up to 2500 requests per second. The vulnerability allows an attacker to repeatedly request OTPs and attempt to guess the code without being blocked by the rate limit. **Recommendations** Versions prior to 1.35.0 are affected. Update to version 1.35.0 or later to resolve this issue.

Name of the Vulnerable Software and Affected Versions: Tautulli versions prior to 2.16.0 Description: Tautulli is a Python-based monitoring and tracking tool for Plex Media Server. The `/image` API endpoint is vulnerable to path traversal, allowing unauthenticated attackers to read arbitrary files from the application server's filesystem. Attackers can exfiltrate files, including the `tautulli.db` SQLite database containing active JWT tokens and the `config.ini` file which contains the hashed admin password, the JWT token secret, and the Plex Media Server token and connection details. Successful exploitation could lead to administrative control over the application. Recommendations: Update to Tautulli version 2.16.0 or later.

Name of the Vulnerable Software and Affected Versions: Tautulli versions prior to 2.16.0 Description: Tautulli is a Python based monitoring and tracking tool for Plex Media Server. The `real pms image proxy` endpoint is vulnerable to path traversal, allowing unauthenticated attackers to read arbitrary files from the application server's filesystem. The image to be fetched is specified through the `img` URL parameter, which can be bypassed by adjoining path traversal characters to reach files outside of intended directories. An attacker can exfiltrate files on the application file system, including the `tautulli.db` SQLite database and the `config.ini` file. Obtaining the admin password or a valid JWT token allows an unauthenticated attacker to escalate privileges to gain administrative control over the application. Recommendations: Update Tautulli to version 2.16.0 or later.

Name of the Vulnerable Software and Affected Versions: Tautulli versions prior to 2.16.0 Description: Tautulli is a Python-based monitoring and tracking tool for Plex Media Server. An attacker with administrative access can exploit the `pms image proxy` endpoint to write arbitrary Python scripts into the application filesystem. This can be achieved by manipulating the `img` parameter and the `img format` parameter within a `pms image proxy` request, leveraging path traversal vulnerabilities to specify a desired filename. The attacker controls the Plex Media Server (PMS) and can provide arbitrary content, which is then written to the specified file. Subsequently, the attacker can utilize the `Script` notification agent to execute the written script, resulting in remote code execution on the application server. Recommendations: Upgrade to version 2.16.0.

Name of the Vulnerable Software and Affected Versions: Tautulli versions prior to 2.16.0 Description: Tautulli is a Python-based monitoring and tracking tool for Plex Media Server. A command injection issue in the `runGit` function within `versioncheck.py` allows attackers with administrative privileges to achieve remote code execution on the application server. This requires the application to have been cloned from GitHub and installed manually. The vulnerability occurs because `shell=True` is passed to `subproces.Popen`, making the call susceptible to command injection through shell characters in arguments. The `checkout git branch` API endpoint is a concrete trigger point, storing user-supplied remote and branch names into the `GIT REMOTE` and `GIT BRANCH` configuration keys without sanitization, which are then passed directly into `runGit` using a format string. Code execution can be obtained by using `$()` interpolation in a command. Recommendations: Update to Tautulli version 2.16.0 or later.

Name of the Vulnerable Software and Affected Versions: Maho versions prior to 25.9.0 Description: Maho is a free and open source ecommerce platform. An authenticated staff user with access to the `Dashboard` and `CatalogManage Products` permissions can create a custom option on a listing with a file input field. By allowing file uploads with a `.php` extension, the user can upload malicious PHP files, gaining remote code execution. Recommendations: Update to version 25.9.0 or later.

**Name of the Vulnerable Software and Affected Versions** Nextcloud Desktop Client versions prior to 3.14.2 **Description** The issue concerns the Nextcloud Desktop Client, a tool used to synchronize files from Nextcloud Server with a computer. It was found that the Desktop client did not stop with an error and allowed bypassing the signature validation if a manipulated server sent an empty initial signature. **Recommendations** For versions prior to 3.14.2, upgrade to version 3.14.2 or later to resolve the issue.