Dapickle

**Name of the Vulnerable Software and Affected Versions** Orthanc DICOM Server versions prior to 1.12.12 **Description** A stack-based buffer overflow exists in the DCMTK Parser component. This occurs within the `read()` function of the `DcmItem` class located in the `OrthancFramework/Sources/DicomParsing/FromDcmtkBridge.cpp` file. Exploitation requires local access to the system. **Recommendations** Apply patch bae99026ca97 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** OFFIS DCMTK version 3.7.0 **Description** A heap-based buffer overflow can be triggered remotely within the `dcmqrscp` component. The issue resides in the `DcmQueryRetrieveIndexDatabaseHandle::deleteOldestImages()` function located in the `dcmqrdb/libsrc/dcmqrdbi.cc` file. **Recommendations** Apply patch 0f78a4ef6f645ea5530166e445e5436a5de58e75 to version 3.7.0.

**Name of the Vulnerable Software and Affected Versions** Orthanc Explorer 2 versions prior to 1.12.0 **Description** A cross-site scripting issue exists in the URL Handler component within the `WebApplication/src/components/StudyList.vue` file. A remote attacker can initiate an attack by manipulating the `remote-source` argument. **Recommendations** Apply patch 21f78ce5da668bf5233efcd1896ec7c6e3b22eae to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Ettercap versions prior to 0.8.4 **Description** A heap-based buffer overflow occurs in the GG Dissector component within the `FUNC DECODER()` function of the `src/dissectors/ec gg.c` file. This issue is triggered by the manipulation of the `gg` argument and can be exploited remotely, although the attack complexity is high and exploitability is difficult. **Recommendations** Upgrade to version 0.8.4.

**Name of the Vulnerable Software and Affected Versions** bettercap versions prior to 2.41.6 **Description** An integer coercion error exists in the zerogod IPP Service component within the `ippReadChunkedBody()` function of the `modules/zerogod/zerogod ipp primitives.go` file. This issue allows a remote attacker to trigger the error through specific manipulation, although the attack is characterized by high complexity and difficult exploitation. **Recommendations** Deploy patch 3731d5576cffae9eefe3721cd46a40933304129f. As a temporary workaround, restrict access to the zerogod IPP Service component to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** WeGIA versions prior to 3.7.0 **Description** A reflected Cross-Site Scripting (XSS) issue exists in the 'lista arquivos etapa.php' endpoint. The `id processo` parameter is embedded into the HTML without proper sanitization, allowing the injection of arbitrary JavaScript. This can result in session hijacking, credential theft, or the execution of malicious actions within the victim's browser. **Recommendations** Update to version 3.7.0. As a temporary workaround, restrict access to the 'lista arquivos etapa.php' endpoint or avoid using the `id processo` parameter until the update is applied.

**Name of the Vulnerable Software and Affected Versions** bettercap versions prior to 2.41.6 **Description** A flaw in the MySQL Server component, specifically within the `modules/mysql server/mysql server.go` file, allows a remote attacker to trigger an integer coercion error. Integer coercion occurs when a value is converted from one data type to another, potentially leading to unexpected behavior or crashes. This attack requires a high level of complexity and is difficult to exploit. **Recommendations** Apply patch 0eaa375c5e5446bfba94a290eff92967a5deac9e to resolve the issue. As a temporary workaround, restrict access to the `modules/mysql server/mysql server.go` module to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** CI4MS versions 0.26.0 through 0.31.7.0 **Description** The auth filter contains commented-out code for checking if a user is deactivated or banned. While the `loggedIn()` function in CodeIgniter Shield verifies the `status` field to identify banned users, it does not re-verify the `active` field for existing sessions. Consequently, if an administrator deactivates a user by setting `active` to 0 after the user has already authenticated, the session cookie remains valid and `auth()->loggedIn()` continues to return `true`. This allows a deactivated user to maintain full backend access until their session expires. **Recommendations** Update to version 0.31.8.0.

**Name of the Vulnerable Software and Affected Versions** CI4MS versions 0.31.1.0 through 0.31.7.0 **Description** The `deleteProcess()` function in the `/backend/themes/delete-process/{slug}` endpoint fails to validate the `tables[]` POST parameter. An authenticated administrator can send a crafted request containing arbitrary table names, which are passed directly to the `$forge->dropTable()` function. This allows the user to delete any table within the database, regardless of whether it belongs to the theme being deleted. This flaw can lead to the loss of critical data, such as user identities and authentication tables, effectively disabling system access. **Recommendations** Update to version 0.31.8.0. As a temporary workaround, restrict access to the `deleteProcess()` function to only the most trusted administrators until the update is applied.

**Name of the Vulnerable Software and Affected Versions** libssh2 versions prior to 1.11.2 **Description** An integer overflow exists in the `userauth password()` function within the src/userauth.c file. This issue occurs due to the incorrect handling of the `username len` and `password len` arguments during SSH password authentication. A remote attacker can exploit this flaw to potentially cause a denial of service. **Recommendations** For versions prior to 1.11.2, apply patch 256d04b60d80bf1190e96b0ad1e91b2174d744b1. As a temporary workaround, restrict the use of the `userauth password()` function to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** CI4MS versions 0.26.0.0 through 0.31.6.0 **Description** A theme upload feature allows any authenticated backend user with theme-upload permission to achieve remote code execution (RCE) by uploading a crafted ZIP file. PHP files within the ZIP are installed into the web-accessible `public/` directory without extension or content filtering, making them directly executable via HTTP. The issue occurs because the `install theme from tmp()` function is called unconditionally, and the helper function in `modules/Theme/Helpers/themes helper.php` copies files using `rename()` without an allowlist, MIME check, or content inspection. Specifically, the endpoint '/backend/themes/upload' is used to upload the file, and the theme name is derived from the filename. Files are also installed without filtering into `app/Controllers/templates/`, `app/Libraries/templates/`, and other `app/` subdirectories. **Recommendations** Update to version 0.31.7.0. As a temporary workaround, restrict access to the '/backend/themes/upload' endpoint or revoke theme-upload permissions for non-administrative users.

Name of the Vulnerable Software and Affected Versions WeGIA versions prior to 3.6.9 Description WeGIA is a Web manager for charitable institutions. Prior to version 3.6.9, the `redirect` parameter is directly taken from the `$ GET` request without any URL validation or whitelist check. This parameter is then used directly in a `header("Location: ...")` call. This could allow an attacker to redirect users to a malicious website. Recommendations Update WeGIA to version 3.6.9 or later.

Name of the Vulnerable Software and Affected Versions WeGIA versions prior to 3.6.9 Description The WeGIA application, a web manager for charitable institutions, contains an Open Redirect flaw in the `/WeGIA/controle/control.php` endpoint. The issue stems from insufficient validation of the `nextPage` parameter when used with `metodo=listarTodos` and `nomeClasse=EstoqueControle`, allowing attackers to redirect users to arbitrary external websites. This can be leveraged for phishing attacks, credential theft, malware distribution, and social engineering attacks using the trusted WeGIA domain. Recommendations Update to version 3.6.9 or later.

Name of the Vulnerable Software and Affected Versions WeGIA versions prior to 3.6.9 Description WeGIA, a Web manager for charitable institutions, is affected by a stored cross-site scripting (XSS) issue. An attacker can inject malicious scripts through a backup filename. Successful exploitation could lead to unauthorized execution of malicious code in the victim’s browser, potentially compromising session data or enabling actions on behalf of the user. Recommendations Update to version 3.6.9 or later.

Name of the Vulnerable Software and Affected Versions WeGIA versions prior to 3.6.9 Description WeGIA is a Web manager for charitable institutions. An Open Redirect issue exists in the `/WeGIA/controle/control.php` endpoint due to insufficient validation of the `nextPage` parameter when used with `metodo=listarTodos & listarId Nome` and `nomeClasse=OrigemControle`. This allows attackers to redirect users to arbitrary external websites, potentially leading to phishing attacks, credential theft, malware distribution, and social engineering leveraging the trusted WeGIA domain. Recommendations Update WeGIA to version 3.6.9 or later.

Name of the Vulnerable Software and Affected Versions WeGIA versions prior to 3.6.9 Description WeGIA is a Web manager for charitable institutions. An Open Redirect issue exists in the `/WeGIA/controle/control.php` endpoint through the `nextPage` parameter when used with `metodo=listarId` and `nomeClasse=IsaidaControle`. The application does not properly validate the `nextPage` parameter, potentially redirecting users to malicious external websites. This could be leveraged for phishing, credential theft, malware distribution, and social engineering attacks using the WeGIA domain. Recommendations Update WeGIA to version 3.6.9 or later.

Name of the Vulnerable Software and Affected Versions WeGIA versions prior to 3.6.9 Description WeGIA is a Web manager for charitable institutions. An open redirect issue exists in the WeGIA web application in versions prior to 3.6.9. The `redirect` parameter is directly taken from the `$ GET` request without any URL validation or whitelist checks, and is then used in a `header("Location: ...")` call. This allows an attacker to redirect users to arbitrary websites. Recommendations Update to version 3.6.9 or later.

Name of the Vulnerable Software and Affected Versions WeGIA versions prior to 3.6.9 Description The WeGIA application, a web manager for charitable institutions, contains an Open Redirect flaw in the `/WeGIA/controle/control.php` endpoint. The issue stems from insufficient validation of the `nextPage` parameter when used with `metodo=listarId` and `nomeClasse=IentradaControle`, enabling attackers to redirect users to malicious external websites. This could be leveraged for phishing, credential theft, malware distribution, and social engineering attacks using the trusted WeGIA domain. Recommendations Update to version 3.6.9 or later.

**Name of the Vulnerable Software and Affected Versions** Nginx UI versions prior to 2.3.4 **Description** Nginx UI improperly handles URL-encoded traversal sequences in its configuration, potentially leading to a partial Denial of Service. Specifically, specially crafted paths can cause the backend to resolve to the base Nginx configuration directory (/etc/nginx) and execute operations on it. An authenticated user can exploit this to remove the entire /etc/nginx directory. The issue stems from improper path canonicalization, unsafe fallback logic, and an unsafe deletion primitive that recursively removes directories without sufficient safeguards. The vulnerability is triggered by traversal sequences like `..%252F` that bypass initial filters and cause the clamping mechanism to resolve paths to the base configuration directory. The deletion handler then uses `os.RemoveAll` to recursively delete the resolved path. **Recommendations** Update to Nginx UI version 2.3.4 or later.

**Name of the Vulnerable Software and Affected Versions** Nginx UI versions prior to 2.3.4 **Description** An input validation issue in the logrotate configuration allows an authenticated user to cause a Denial of Service (DoS). Submitting a negative integer for the rotation interval causes the backend to enter an infinite loop or an invalid state, making the web interface unresponsive. The issue resides in the handler for the **API Endpoint** `/api/settings`, specifically within the `logrotate.interval` **Vulnerable Parameter**. When a negative value is processed, it triggers a non-terminating loop, consuming CPU resources and preventing the server from handling further requests. **Recommendations** Versions prior to 2.3.4 should be updated to version 2.3.4 or later.