Dolev Farhi

WordPress Plugin WPGraphQL 1.3.5 contains a denial of service vulnerability that allows unauthenticated attackers to exhaust server resources by sending batched GraphQL queries with duplicated fields. Attackers can send POST requests to the GraphQL endpoint with amplified field duplication payloads to trigger server out-of-memory conditions and MySQL connection errors.

**Name of the Vulnerable Software and Affected Versions** VirtualTablet Server version 3.0.2 **Description** A denial of service issue exists where attackers can crash the service by sending oversized string payloads via the Thrift protocol. This is achieved by sending a long string to the `send say()` method, causing the server to become unresponsive. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Dirsearch version 0.4.1 **Description** Dirsearch version 0.4.1 has a flaw where the use of the `--csv-report` flag can lead to CSV injection. This occurs because attackers can inject formulas through redirected endpoints. By crafting malicious server redirects with comma-separated paths containing Excel formulas, attackers can manipulate the generated CSV report. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Knockpy version 4.1.1 **Description** Knockpy 4.1.1 has a flaw where malicious formulas can be inserted into CSV reports due to unfiltered server headers. An attacker can manipulate server response headers to include spreadsheet formulas that will run when the CSV file is opened in spreadsheet software. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Hasura GraphQL version 1.3.3 **Description** Hasura GraphQL version 1.3.3 contains a remote code execution issue. Attackers can execute arbitrary shell commands through SQL query manipulation. The issue allows command injection into the `run sql` endpoint by crafting malicious GraphQL queries. Exploitation involves using PostgreSQL's `COPY FROM PROGRAM` functionality. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Hasura GraphQL version 1.3.3 **Description** The software is susceptible to a denial of service condition. Attackers can exploit this by sending specially crafted GraphQL queries containing deeply nested fields. These queries are designed to consume significant server resources, potentially leading to service disruption or crashes. Repeated requests with long query strings and multiple threads can exacerbate the impact. **Recommendations** Update to a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Hasura GraphQL version 1.3.3 **Description** Hasura GraphQL version 1.3.3 has a local file read issue. Attackers can access system files through SQL injection in the query endpoint. Exploitation involves the `pg read file()` PostgreSQL function via crafted SQL queries to read arbitrary files on the server. The vulnerable endpoint is '/api/v1/query'. The vulnerable function is `pg read file()`. The vulnerable parameter is the SQL query itself. **Recommendations** Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict access to the query endpoint '/api/v1/query' to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Hasura GraphQL version 1.3.3 **Description** A server-side request forgery issue exists in Hasura GraphQL. Attackers can inject arbitrary remote schema URLs through the `add remote schema` endpoint. Exploitation involves sending crafted POST requests to the `/v1/query` endpoint with malicious URL definitions, potentially allowing access to internal network resources. **Recommendations** Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict access to the `add remote schema` endpoint.

Name of the Vulnerable Software and Affected Versions: Apache Airflow versions prior to 2.1.2 Description: The issue affects the logging server in Apache Airflow, which has no authentication and allows reading log files of DAG jobs when remote logging is not used. This could potentially expose sensitive information. Recommendations: For versions prior to 2.1.2, update to version 2.1.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the logging server or disabling it when not in use to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Flask-AppBuilder versions 3.2.3 and earlier **Description** The issue allows a non-authenticated user to enumerate existing accounts by timing the response time from the server when logging in. This is due to user enumeration in database authentication in Flask-AppBuilder. **Recommendations** For versions 3.2.3 and earlier, upgrade to version 3.3.0 or higher to resolve the issue. As a temporary workaround, consider restricting access to the login functionality to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: GNU Wget versions prior to 1.21.2 Description: The issue arises when GNU Wget does not omit the Authorization header upon a redirect to a different origin. Recommendations: For GNU Wget versions prior to 1.21.2, update to version 1.21.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** M/Monit version 3.7.4 **Description** An authentication issue exists that allows authenticated attackers to retrieve user password hashes. Attackers can send requests to the `/api/1/admin/users/list` and `/api/1/admin/users/get` API endpoints to extract MD5 password hashes for all users. The vulnerable parameters involved in this issue are not specified. **Recommendations** Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict access to the `/api/1/admin/users/list` and `/api/1/admin/users/get` API endpoints.

**Name of the Vulnerable Software and Affected Versions** M/Monit version 3.7.4 **Description** An authenticated user can escalate privileges by manipulating the `admin` parameter. An attacker can send a crafted POST request to the `/api/1/admin/users/update` endpoint to grant administrative access to a standard user account. The vulnerable parameter is `admin`. **Recommendations** Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict access to the `/api/1/admin/users/update` endpoint.

**Name of the Vulnerable Software and Affected Versions** Monitorix versions prior to 3.10.1 **Description** The issue allows for XSS via CGI variables, which can lead to malicious script execution. **Recommendations** For versions prior to 3.10.1, update to version 3.10.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** ntopng (aka ntop) versions prior to 2.2 **Description** The issue allows remote authenticated users to change the login context and gain privileges. This is achieved via the `username` parameter to the "admin/password reset.lua" endpoint. **Recommendations** For versions prior to 2.2, update to version 2.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the "admin/password reset.lua" endpoint to minimize the risk of exploitation. Avoid using the `username` parameter in the affected endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Opsview versions 4.6.2 and earlier **Description** The issue allows remote attackers to inject arbitrary web script or HTML via a crafted check plugin, the description in a host profile, or the `plugin args` parameter to a Test service check page. **Recommendations** For Opsview versions 4.6.2 and earlier, as a temporary workaround, consider restricting access to the Test service check page and avoid using the `plugin args` parameter until a fix is available. Additionally, limit the ability to create or modify check plugins and host profiles to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** M/Monit versions 3.3.2 and earlier **Description** The issue allows remote attackers to change the password of other users and gain privileges via the `fullname` and `password` parameters. **Recommendations** For M/Monit versions 3.3.2 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** M/Monit versions 3.3.2 and earlier **Description** A cross-site request forgery issue allows remote attackers to hijack administrator authentication for requests that change user passwords. This is achieved via the `fullname` and `password` parameters to the "/admin/users/update" API endpoint. **Recommendations** For M/Monit versions 3.3.2 and earlier, as a temporary workaround, consider restricting access to the "/admin/users/update" API endpoint until a patch is available. Avoid using the `fullname` and `password` parameters in this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** LogAnalyzer versions prior to 3.6.6 **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML. The injection can occur via the hostname in index.php or detail.php. **Recommendations** For versions prior to 3.6.6, update to version 3.6.6 or later to resolve the issue. As a temporary workaround, consider restricting access to index.php and detail.php to minimize the risk of exploitation. Avoid using the hostname parameter in these API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Red Hat sos versions 1.7 and earlier **Description** The issue concerns the sosreport in Red Hat sos, which generates an archive that may contain cleartext passwords in the fstab file. This archive lacks a warning about reviewing its contents to detect included passwords. As a result, remote attackers might obtain sensitive information by accessing a technical-support data stream. **Recommendations** For Red Hat sos versions 1.7 and earlier, review the archive generated by sosreport for cleartext passwords in the fstab file and remove or secure any sensitive information before sharing the archive. Consider adding a warning to review the archive for included passwords to prevent unintended disclosure of sensitive information.