G3Xar

**Name of the Vulnerable Software and Affected Versions** Taskosaur version 1.0.0 **Description** Taskosaur is an open source project management platform with conversational AI for task execution within the application. The application does not properly validate or restrict the `role` parameter during the user registration process. An attacker can manually modify the request payload to assign themselves elevated privileges. The backend does not enforce role assignment restrictions or ignore client-supplied `role` parameters, allowing the server to accept the manipulated value and create an account with `SUPER ADMIN` privileges. This enables any unauthenticated attacker to register a fully privileged administrative account. The vulnerable parameter is `role`. **Recommendations** Versions prior to 1.0.0 are not affected. For version 1.0.0, properly validate and restrict the `role` parameter during the user registration process to prevent unauthorized privilege escalation.

**Name of the Vulnerable Software and Affected Versions** HomeBox versions prior to 0.24.0-rc.1 **Description** HomeBox is a home inventory and organization system. A stored cross-site scripting (XSS) issue exists in the item attachment upload functionality. The application does not properly validate or restrict uploaded file types, allowing an authenticated user to upload malicious HTML or SVG files containing executable JavaScript. Uploaded attachments are accessible via direct links. When a user accesses such a file in their browser, the embedded JavaScript executes in the context of the application's origin. The vulnerable functionality involves the upload of attachments. **Recommendations** Update to version 0.24.0-rc.1 or later.

**Name of the Vulnerable Software and Affected Versions** HomeBox versions prior to 0.24.0-rc.1 **Description** HomeBox is a home inventory and organization system. The notifier functionality allows authenticated users to specify arbitrary URLs to which the application sends HTTP POST requests. There is no validation applied to the supplied host, IP address, or port. The application’s user interface behavior differs based on the network state of the destination, creating a behavioral side-channel that enables internal service enumeration. The application does not return the response body from the target service. **Recommendations** Update to version 0.24.0-rc.1 or later.

**Name of the Vulnerable Software and Affected Versions** Initiative versions prior to 0.32.4 **Description** Initiative, a self-hosted project management platform, does not invalidate previously issued JWT access tokens after a user changes their password. This allows older tokens to remain valid until their expiration, enabling continued authenticated access to protected API endpoints even after a password update. The vulnerable component is related to JWT (JSON Web Token) access token handling. **Recommendations** Update to version 0.32.4 or later.

**Name of the Vulnerable Software and Affected Versions** Initiative versions prior to 0.32.4 **Description** Initiative is a self-hosted project management platform vulnerable to Stored Cross-Site Scripting (XSS) in the document upload functionality. Users with upload permissions within the "Initiatives" section can upload malicious `.html` or `.htm` files. These files are served under the application’s origin without proper sandboxing, allowing embedded JavaScript to execute in the application’s context. This can lead to the exfiltration of authentication tokens, session cookies, or other sensitive data to an attacker-controlled server. Sharing the direct file link may also result in the execution of the malicious script when accessed. **Recommendations** Upgrade to version 0.32.4 or later.

**Name of the Vulnerable Software and Affected Versions** Flare versions 1.7.0 and below **Description** Flare, a Next.js-based file sharing platform, is susceptible to a stored Cross-Site Scripting (XSS) issue. The platform does not properly validate or sanitize uploaded files. An attacker can embed malicious JavaScript within an SVG, HTML, or XML file. When a user views the file in “raw” mode, the embedded script executes in the application's context, potentially allowing for the exfiltration of user data. The vulnerability occurs due to insufficient content validation during file uploads. **Recommendations** Update to Flare version 1.7.1 or later.

**Name of the Vulnerable Software and Affected Versions** Formwork versions 2.0.0 through 2.3.3 **Description** Formwork is a flat file-based Content Management System (CMS). The application does not properly enforce role-based authorization during account creation. Specifically, it does not verify if the current user has the necessary privileges to assign highly privileged roles, such as admin. This allows an authenticated user with the editor role to create a new account with administrative privileges, resulting in full administrative access and potential compromise of the CMS. **Recommendations** Update to version 2.3.4 or later.

**Name of the Vulnerable Software and Affected Versions** Slink version 1.4.9 **Description** Slink version 1.4.9 allows stored cross-site scripting (XSS) through crafted SVG uploads. When a user views the shared image in a new browser tab, the embedded JavaScript executes. This issue affects both authenticated and unauthenticated users. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.