Duddnr0615K

**Name of the Vulnerable Software and Affected Versions** Portainer Community Edition versions 2.33.0 through 2.33.7 Portainer Community Edition versions 2.39.0 through 2.39.0 Portainer Community Edition versions prior to 2.33.0 **Description** A missing authorization issue in the Custom Template file endpoint "GET /api/custom templates/{id}/file" allows any authenticated user to read the file content of any custom template. This is achieved by enumerating sequential integer IDs in the `id` variable, which bypasses Resource Control access restrictions. The `customTemplateFile()` function retrieves the template by its numeric ID and returns the content without performing an authorization check. Template files may contain sensitive environment-specific values, such as connection strings, API tokens, or registry credentials. **Recommendations** Update to version 2.33.8. Update to version 2.39.1. Upgrade to a supported release. Avoid storing secrets in custom templates by moving sensitive configuration values to environment variables or an external secret store. Review existing custom templates for embedded secrets and rotate any credentials that may have been exposed.

**Name of the Vulnerable Software and Affected Versions** n8n versions prior to 2.14.1 n8n versions prior to 2.13.3 n8n versions prior to 1.123.26 **Description** n8n is a workflow automation platform. A user authenticated with permissions to create or modify workflows could leverage the "Combine by SQL" mode within the Merge node to read local files on the n8n host and potentially achieve remote code execution. The AlaSQL sandbox lacked sufficient restrictions on certain SQL statements, enabling an attacker to access sensitive files on the server or compromise the instance. The vulnerable component is the Merge node and its use of AlaSQL. **Recommendations** Upgrade to n8n version 2.14.1 or later. Upgrade to n8n version 2.13.3 or later. Upgrade to n8n version 1.123.26 or later. If upgrading is not immediately possible, limit workflow creation and editing permissions to fully trusted users only. If upgrading is not immediately possible, disable the Merge node by adding `n8n-nodes-base.merge` to the `NODES EXCLUDE` environment variable.

**Name of the Vulnerable Software and Affected Versions** Pterodactyl Panel versions prior to 1.12.1 **Description** A missing authorization check allows any user with access to a node secret token to fetch information about any server on a Pterodactyl instance, even if that server is associated with a different node. This issue stems from missing logic to verify that the node requesting server data is the same node that the server is associated with. Authenticated Wings nodes can retrieve server installation scripts (potentially containing secret values) and manipulate the installation status of servers belonging to other nodes. Wings nodes may also manipulate the transfer status of servers belonging to other nodes. The Remote API endpoint `/api/remote/servers/{uuid}` fetches a server by UUID and returns its complete configuration without verifying that the requesting node owns the server. The `failure()` and `success()` methods in `ServerTransferController` fetch servers by UUID without verifying node ownership. Missing authorization checks in `ServerInstallController` allow any authenticated Wings node to retrieve egg installation scripts (containing deployment secrets) and manipulate the installation status of servers belonging to other nodes. A compromised Wings node daemon token grants access to sensitive configuration data of every server on the panel, rather than only to servers that the node has access to. Triggering a false transfer success causes the panel to delete the server from the source node, resulting in permanent data loss. **Recommendations** Update to version 1.12.1 or later.