Dos-M0Nk3Y

Name of the Vulnerable Software and Affected Versions: Adapt Learning Adapt Authoring Tool versions <= 0.11.3 Description: The issue is related to incorrect access control, allowing attackers with Authenticated User roles to obtain email addresses via the "Get users" feature. This occurs due to a flaw in permission verification logic, where the wildcard character in permitted URLs grants unintended access to endpoints restricted to users with Super Admin roles, making it possible for attackers to disclose the email addresses of all users. Recommendations: For Adapt Learning Adapt Authoring Tool versions <= 0.11.3, update to a version that fixes the permission verification logic flaw to prevent unintended access to restricted endpoints. As a temporary workaround, consider restricting access to the "Get users" feature to only Super Admin roles until a patch is available.

Name of the Vulnerable Software and Affected Versions: Adapt Learning Adapt Authoring Tool versions <= 0.11.3 Description: A NoSQL injection issue allows unauthenticated attackers to reset user and administrator account passwords via the "Reset password" feature. This occurs due to insufficient validation of user input used as a query in Mongoose's find() function, enabling a full takeover of the administrator account. Attackers can then upload a custom plugin to perform remote code execution (RCE) on the server hosting the web application. Recommendations: For Adapt Learning Adapt Authoring Tool versions <= 0.11.3, update to a version greater than 0.11.3 to resolve the issue. As a temporary workaround, consider restricting access to the "Reset password" feature until a patch is available. Additionally, restrict the ability to upload custom plugins to minimize the risk of remote code execution.

**Name of the Vulnerable Software and Affected Versions** AquilaCMS versions 1.409.20 and prior **Description** The issue arises from insufficient validation of user input, which is processed as a regular expression to find duplicate email addresses via the "Add a user" feature, allowing unauthenticated attackers to obtain email addresses. **Recommendations** For versions 1.409.20 and prior, as a temporary workaround, consider restricting access to the "Add a user" feature until a patch is available. Additionally, ensure that user input is thoroughly validated to prevent exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** AquilaCMS versions 1.409.20 and prior **Description** A NoSQL injection issue allows unauthenticated attackers to reset user and administrator account passwords via the "Reset password" feature. **Recommendations** For versions 1.409.20 and prior, at the moment, there is no information about a newer version that contains a fix for this vulnerability.