Decsecre583

Wallos is an open-source, self-hostable personal subscription tracker. In versions 4.8.4 and prior, the incomplete SSRF fix in Wallos validates webhook URLs via gethostbyname() but passes the original hostname to cURL without CURLOPT RESOLVE pinning on 10 of 11 outbound HTTP endpoints, leaving a DNS rebinding TOCTOU window. At time of publication, there are no publicly available patches.

**Name of the Vulnerable Software and Affected Versions** Admidio versions prior to 5.0.9 **Description** An incomplete fix for Server-Side Request Forgery (SSRF) in the `fetch metadata.php` file allows for DNS rebinding. The system validates the resolved IP address but passes the original hostname-based URL to the `curl init()` function. This creates a Time-of-Check to Time-of-Use (TOCTOU) window—a race condition where a system checks a condition and then uses the result, but the condition changes in between—allowing requests to be redirected to internal IP addresses. Specifically, the `gethostbyname()` function is used for validation, but because `CURLOPT RESOLVE` is not set to pin the hostname to the validated IP, cURL resolves the hostname again independently. This can be exploited to access internal services, such as the instance metadata service at `169.254.169.254` on cloud-hosted instances to steal IAM credentials, or to scan internal networks and localhost services in on-premise deployments. **Recommendations** Update to version 5.0.9. As a temporary workaround, restrict access to the `fetch metadata.php` file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** PraisonAI versions prior to 4.6.9 **Description** Insufficient command handling in the `parse mcp command()` function allows for arbitrary code execution. The function fails to implement a command allowlist or argument validation, enabling executables such as `bash`, `python`, or `/bin/sh` with inline code execution flags to be passed directly to subprocess execution. This issue exists within the `MCPHandler.parse mcp command()` method located in `src/praisonai/praisonai/cli/features/mcp.py`. **Recommendations** Update to version 4.6.9. As a temporary workaround, restrict access to the `parse mcp command()` function or the MCP module to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** LibreNMS versions 24.10.0 through 26.1.1 **Description** LibreNMS, an auto-discovering PHP/MySQL/SNMP based network monitoring tool, has an issue where the `unit` parameter in the Custom OID functionality is not properly sanitized. Specifically, it lacks `strip tags()` sanitization, unlike other fields such as `name`, `oid`, and `datatype`. This allows for the storage of unsanitized values in the database, which are then rendered without HTML escaping. This can lead to Stored Cross-Site Scripting (XSS). The issue is present in the `includes/html/forms/customoid.inc.php` file (lines 18-21) where the `unit` parameter is directly assigned from the `$ POST` array without sanitization, and in `graphs/customoid.inc.php` (lines 13-20) where the value is echoed without escaping. A proof-of-concept (PoC) demonstrates the vulnerability using various XSS payloads. Exploitation involves a user with device edit permissions setting a malicious `unit` value, which then executes for all users viewing device graphs. Potential consequences include session hijacking, admin account takeover, and malicious actions performed on behalf of victims. **Recommendations** LibreNMS versions 24.10.0 through 26.1.1 should be updated to version 26.2.0 or later.