Denizparlak

**Name of the Vulnerable Software and Affected Versions** 2FAuth versions prior to 6.1.0 **Description** 2FAuth is a web application designed for managing Two-Factor Authentication (2FA) accounts and generating security codes. A blind Server-Side Request Forgery (SSRF) issue exists in versions prior to 6.1.0, allowing authenticated users to send arbitrary HTTP requests from the server to internal networks and cloud metadata endpoints. The `image` parameter within the OTP URL is not adequately validated for internal or private IP addresses before HTTP requests are initiated. Although a previous fix implemented response validation to ensure only valid images are stored, the HTTP request to arbitrary URLs still occurs before this validation step. This allows attackers to potentially access sensitive information or interact with internal resources. **Recommendations** Versions prior to 6.1.0 should be updated to version 6.1.0 or later.

**Name of the Vulnerable Software and Affected Versions** BigBlueButton versions prior to 3.0.20 **Description** BigBlueButton is a virtual classroom platform. Versions of the 3.x branch before 3.0.20 contain an Open Redirect issue. The `errorRedirectUrl` string is not properly validated, and is directly used in the `respondWithRedirect` function. This allows for redirection to a malicious URL. **Recommendations** Update to version 3.0.20 or later.

**Name of the Vulnerable Software and Affected Versions** OpenEMR versions prior to 8.0.0 **Description** OpenEMR is an electronic health records and medical practice management application. Prior to version 8.0.0, the Eye Exam form module allows an authenticated user to be redirected to an arbitrary external URL. This could be used for phishing attacks targeting healthcare providers. The `Eye Exam form module` is the component affected. **Recommendations** Update to version 8.0.0 or later.

**Name of the Vulnerable Software and Affected Versions** Directus versions prior to 11.14.1 **Description** A timing-based user enumeration issue exists in the password reset functionality. Providing an invalid `reset url` parameter results in differing response times – approximately 500ms – between existing and non-existing users, allowing for reliable user enumeration. The password reset endpoint attempts to implement timing protection, but URL validation occurs before this protection is applied, enabling the identification of valid user accounts based on response times. This issue compromises user privacy and could facilitate targeted phishing attacks by confirming account existence. **Recommendations** Update to version 11.14.1 or later.

**Name of the Vulnerable Software and Affected Versions** LobeChat versions prior to 2.0.0-next.193 **Description** LobeChat is an open source chat application platform. Prior to version 2.0.0-next.193, the `knowledgeBase.removeFilesFromKnowledgeBase` tRPC endpoint allows authenticated users to delete files from any knowledge base without proper ownership verification. The `userId` filter in the database query is commented out, enabling attackers to delete other users' knowledge base files if they know the knowledge base ID and file ID. Practical exploitation requires knowing the target's knowledge base ID and file ID, which may leak through shared links, logs, or referrer headers. This missing authorization check is a critical security flaw. **Recommendations** Upgrade to version 2.0.0-next.193 to receive a patch.

**Name of the Vulnerable Software and Affected Versions** Arcane versions prior to 1.13.0 **Description** Arcane’s updater service allows defining commands to run before or after container updates using lifecycle labels `com.getarcaneapp.arcane.lifecycle.pre-update` and `com.getarcaneapp.arcane.lifecycle.post-update`. The value of these labels is passed directly to `/bin/sh -c` without proper validation, creating a command injection issue. Any authenticated user can create projects via the API and specify malicious commands within these lifecycle labels. When an administrator triggers a container update, Arcane executes the command within the container. If the container has host volume mounts, the executed command may access the host filesystem, potentially leading to data theft or full host compromise if sensitive paths like `/var/run/docker.sock` are mounted. The issue enables remote code execution (RCE) within the container context. **Recommendations** Versions prior to 1.13.0 should be updated to version 1.13.0 or later.

**Name of the Vulnerable Software and Affected Versions** AnythingLLM (affected versions not specified) **Description** AnythingLLM is an application designed to provide context for Large Language Models (LLMs). Prior to commit `e287fab56089cf8fcea9ba579a3ecdeca0daa313`, the password recovery functionality exposed different error messages based on the existence of a username, allowing for username enumeration. The `/password-recovery` API endpoint was vulnerable to this issue. This allowed an attacker to determine valid usernames by observing the response to requests with different `username` values. **Recommendations** Update to a version after commit `e287fab56089cf8fcea9ba579a3ecdeca0daa313`.

**Name of the Vulnerable Software and Affected Versions** Bagisto versions prior to 2.3.10 **Description** An Insecure Direct Object Reference issue exists in the customer order reorder function. This allows authenticated customers to add items from another customer's order to their own shopping cart by manipulating the `order ID` parameter. This can expose sensitive purchase information and potentially enable fraud. **Recommendations** Update to version 2.3.10 or later.