Da7Om85

**Name of the Vulnerable Software and Affected Versions** Budibase versions prior to 3.38.2 **Description** The file upload endpoint "/api/attachments/process" does not enforce active-content restrictions for authenticated users. The system fails to properly check for dangerous file extensions when the user is not a public user or when the environment is self-hosted. This allows authenticated builders to upload executable web content, such as SVG files containing inline `<script>` tags, HTML pages with JavaScript, or `.js` modules. These files are stored in the object store with their original MIME types. When a signed URL to the uploaded file is opened by any application user, the browser executes the payload, resulting in persistent stored Cross-Site Scripting (XSS). The issue is located within the `uploadFile()` function. **Recommendations** Update to version 3.38.2. As a temporary workaround, restrict access to the "/api/attachments/process" endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Budibase versions prior to 3.33.4 **Description** Budibase, an open-source low-code platform, has a critical security issue where an unauthenticated attacker can achieve Remote Code Execution (RCE) on the Budibase server. This is possible by triggering an automation that contains a Bash step via the public webhook endpoint. The process executes as root inside the container. The vulnerability is due to a misconfigured webhook trigger that allows unauthenticated access and the use of Handlebars template processing on webhook input, which is then executed as a shell command. An attacker can exploit this by sending a crafted HTTP POST request to the `/api/webhooks/trigger/{appId}/{webhookId}` endpoint with a malicious payload in the `cmd` field. This allows them to execute arbitrary commands on the server with root privileges. The vulnerability requires an admin to have previously created an automation with a webhook trigger and a Bash step that uses a trigger field template. The affected endpoint is `/api/webhooks/trigger/:instance/:id`. The vulnerable sink is the Bash automation step, specifically the `processStringSync` function and `execSync` function. The attack chain involves sending an HTTP POST request to the webhook trigger endpoint, which then triggers the automation and executes the Bash step with the attacker-controlled payload. The number of potentially affected devices is not specified. **Recommendations** Update to version 3.33.4 or later.

Name of the Vulnerable Software and Affected Versions Budibase versions prior to 3.32.5 Description Budibase, an open-source low-code platform, had a critical issue in its Builder Command Palette. Before version 3.32.5, entity names (tables, views, queries, automations) were rendered using Svelte's {@html} directive without proper sanitization. An authenticated user with Builder access could create an entity with a malicious HTML payload (e.g., <img src=x onerror=alert(document.domain)>) in its name. When another Builder-role user opened the Command Palette (Ctrl+K), this payload would execute in their browser, potentially stealing their session cookie and allowing for full account takeover. Recommendations Update Budibase to version 3.32.5 or later.

**Name of the Vulnerable Software and Affected Versions** Budibase versions 3.30.6 and prior **Description** Budibase is a low code platform that allows the creation of internal tools, workflows, and admin panels. A flaw exists in the REST datasource query preview endpoint (`POST /api/queries/preview`) where server-side HTTP requests are made to any URL supplied by the user in the `fields.path` parameter without proper validation. This allows an authenticated administrator to access internal services not exposed to the internet, including cloud metadata endpoints (AWS/GCP/Azure), internal databases, Kubernetes APIs, and other pods on the internal network. On Google Cloud Platform (GCP), this can lead to OAuth2 token theft with the `cloud-platform` scope, granting full GCP access. In any deployment, it enables full internal network enumeration. The vulnerable handler is located in `packages/server/src/api/controllers/query.ts` (`preview()`). The `fields.path` parameter is passed directly to the REST HTTP client without IP or hostname validation, lacking blocklists for loopback addresses, RFC 1918 ranges, link-local/cloud metadata addresses, and internal Kubernetes DNS. **Recommendations** Versions prior to 3.30.6 are affected. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Budibase versions prior to 3.31.5 **Description** Budibase is a low code platform used for creating internal tools, workflows, and admin panels. A path traversal flaw exists in the PWA (Progressive Web App) ZIP processing endpoint, specifically at `/api/pwa/process-zip`. This allows an authenticated user with builder privileges to access arbitrary files on the server filesystem. The server utilizes an unsanitized `path.join()` function with user-controlled input from `icons.json` within an uploaded ZIP file, leading to the ability to read sensitive files like `/proc/1/environ`, which contains environment variables including JWT secrets, database credentials, encryption keys, and API tokens. The file contents are then uploaded to an object store (MinIO/S3) and accessible via signed URLs, potentially resulting in complete platform compromise due to the exfiltration of cryptographic secrets and service credentials. **Recommendations** Update Budibase to a version later than 3.31.5.