Drkim-Dev

**Name of the Vulnerable Software and Affected Versions** Trilium Notes versions prior to 0.102.2 **Description** Trilium Notes contains a flaw where the lack of SVG sanitization, a disabled Content Security Policy (CSP), and a publicly reachable backend execution API allow for unauthenticated Remote Code Execution (RCE). The application serves SVG attachments with the `image/svg+xml` MIME type without sanitization and disables the Content Security Policy middleware, which removes defenses against script execution in served assets. Due to the Same-Origin Policy, a malicious SVG can extract the `csrfToken` from the document body via a `fetch('/')` request. This token can then be used to send a signed request to the '/api/script/exec' endpoint to execute arbitrary Node.js code on the server. An attacker can compromise the server instance by tricking an authenticated user into viewing a shared SVG attachment. **Recommendations** Update to version 0.102.2.

**Name of the Vulnerable Software and Affected Versions** Trilium Notes versions prior to 0.102.2 **Description** Trilium Notes is a hierarchical note taking application. In an Electron environment, the Clipper API explicitly disables authentication middleware, allowing a full authentication bypass. This exposes endpoints such as '/api/clipper/notes' to the network without requiring a password, API token, or Cross-Site Request Forgery (CSRF) protection—a mechanism used to prevent unauthorized commands from being transmitted from a user the web application trusts. An attacker on a shared network can identify instances by scanning high-range ports and sending an unauthenticated request to the Clipper handshake endpoint, which returns the application name and protocol version. This can lead to unauthorized data access, phishing, and local system compromise. **Recommendations** Update to version 0.102.2.

**Name of the Vulnerable Software and Affected Versions** ClipBucket versions prior to 5.5.3 #80 **Description** ClipBucket is an open source video sharing platform. An authenticated time-based blind SQL injection issue exists due to insufficient input sanitization of the `userid` parameter within the `actions/ajax.php` endpoint. An authenticated attacker can execute arbitrary SQL queries, potentially leading to full database disclosure and administrative account takeover. **Recommendations** Update ClipBucket to version 5.5.3 #80.

**Name of the Vulnerable Software and Affected Versions** Appsmith versions prior to 1.96 **Description** Appsmith is a platform used to build admin panels, internal tools, and dashboards. A critical stored cross-site scripting (XSS) issue exists in the Table Widget (TableWidgetV2) due to insufficient HTML sanitization within the React component rendering process. This allows malicious attributes to be inserted into the Document Object Model (DOM). An attacker with a standard user account can exploit the "Invite Users" feature to compel a System Administrator to execute a privileged **API endpoint** '/api/v1/admin/env', leading to a full administrative account takeover. The issue is caused by a lack of HTML sanitization in the React component rendering pipeline. **Recommendations** Update to version 1.96 or later.

**Name of the Vulnerable Software and Affected Versions** Tandoor Recipes versions prior to 2.5.1 **Description** Tandoor Recipes is an application used for recipe management, meal planning, and shopping list creation. A Blind Server-Side Request Forgery (SSRF) exists in the Cookmate recipe import feature prior to version 2.5.1. The application does not properly validate the destination URL after HTTP redirects, enabling authenticated users to make the server connect to arbitrary internal or external resources. The issue resides in the `cookbook/integration/cookmate.py` file, within the Cookmate integration class. This can be used to scan internal network ports, access cloud instance metadata, or reveal the server’s real IP address. The vulnerable function is `Cookmate`. **Recommendations** Update Tandoor Recipes to version 2.5.1 or later.

**Name of the Vulnerable Software and Affected Versions** Tandoor Recipes versions prior to 2.5.1 **Description** Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. A path traversal flaw exists in the RecipeImport workflow. This issue is due to inadequate input validation of the `file path` parameter and insufficient checks within the Local storage backend. This allows authenticated users with import permissions to read arbitrary files on the server, potentially including sensitive system files like /etc/passwd or application configuration files such as settings.py, which could lead to a full system compromise. **Recommendations** Update Tandoor Recipes to version 2.5.1.

**Name of the Vulnerable Software and Affected Versions** Kanboard versions prior to 1.2.50 **Description** Kanboard is project management software based on the Kanban methodology. A security control bypass allows an authenticated administrator to achieve Remote Code Execution (RCE). The application does not properly verify a security setting, allowing an attacker to force the server to download and install a malicious plugin, leading to arbitrary code execution. The vulnerable endpoint bypasses the PLUGIN INSTALLER configuration when set to false. **Recommendations** Update to version 1.2.50 or later.