Firebasky

**Name of the Vulnerable Software and Affected Versions** Local Deep Research versions prior to 1.6.0 **Description** The `PDFService. markdown to html()` function constructs an HTML document by interpolating user-controlled values directly into an f-string without HTML escaping. Specifically, the `title` variable (sourced from `research.title` or `research.query`) and `metadata` key-value pairs are vulnerable. An authenticated attacker can use the 'POST /api/start research' endpoint to submit a research query containing HTML special characters. When the 'POST /api/v1/research/<research id>/export/pdf' endpoint is called, these characters are injected into the document processed by WeasyPrint during PDF export. This injection can be used to trigger Server-Side Request Forgery (SSRF), a condition where the server is coerced into making unauthorized requests to internal or external resources, bypassing existing defenses in `ssrf validator.py`. This allows access to cloud metadata services (such as 169.254.169.254), internal network services, or localhost administrative interfaces. Additionally, it can lead to CSS injection, allowing an attacker to control the visual content of the PDF, or cause a Denial of Service (DoS) by corrupting the HTML document structure. **Recommendations** Update to version 1.6.0 or later. As a temporary mitigation, restrict access to the 'POST /api/v1/research/<research id>/export/pdf' endpoint for untrusted users.

**Name of the Vulnerable Software and Affected Versions** Roxy-WI versions prior to 8.2.6.4 **Description** The 'haproxy section save' interface allows remote code execution. This is possible through path traversal, which enables writing into scheduled tasks. **Recommendations** Update to version 8.2.6.4.

**Name of the Vulnerable Software and Affected Versions** Roxy-WI versions prior to 8.2.6.4 **Description** An arbitrary file read issue exists in the 'haproxy section save' interface via the `oldconfig` parameter. This allows an attacker to read files from the server that they should not have access to. **Recommendations** Update to version 8.2.6.4. As a temporary workaround, restrict access to the 'haproxy section save' interface or avoid using the `oldconfig` parameter.

**Name of the Vulnerable Software and Affected Versions** Roxy-WI versions prior to 8.2.6.4 **Description** An issue exists in the `haproxy section save()` function within `app/routes/config/routes.py`. The `server ip` parameter, which is sourced from the URL path, is passed unsanitized and interpolated into a SQL query string using Python string formatting. This allows attackers to execute arbitrary SQL commands via SQL injection, a technique where malicious SQL statements are inserted into entry fields for execution.** **Recommendations** Update to version 8.2.6.4.

**Name of the Vulnerable Software and Affected Versions** Roxy-WI versions prior to 8.2.6.4 **Description** The '/config/<service>/find-in-config' endpoint fails to sanitize the `words` parameter before embedding it into a shell command string executed on a remote managed server via SSH. An authenticated attacker can inject shell metacharacters to bypass the intended grep command and execute arbitrary OS commands with sudo privileges, leading to Remote Code Execution (RCE), which is the ability to execute any command on a target machine remotely. **Recommendations** Update to version 8.2.6.4.