Giubby84

**Name of the Vulnerable Software and Affected Versions** Arduino Create Agent versions prior to 1.3.3 **Description** The issue affects the endpoint "/v2/pkgs/tools/installed". A user who can perform HTTP requests to the localhost interface, or bypass the CORS configuration, can escalate privileges to those of the user running the Arduino Create Agent service via a crafted HTTP POST request. **Recommendations** For versions prior to 1.3.3, upgrade to version 1.3.3 to resolve the issue. As a temporary workaround, consider restricting access to the "/v2/pkgs/tools/installed" endpoint until the upgrade is applied.

**Name of the Vulnerable Software and Affected Versions** Arduino Create Agent versions prior to 1.3.3 **Description** This issue affects the endpoint `/v2/pkgs/tools/installed` and the way it handles plugin names supplied as user input. A user who has the ability to perform HTTP requests to the localhost interface, or is able to bypass the CORS configuration, can delete arbitrary files or folders belonging to the user that runs the Arduino Create Agent via a crafted HTTP DELETE request. **Recommendations** For versions prior to 1.3.3, upgrade to version 1.3.3 to resolve the issue. As a temporary workaround, consider restricting access to the `/v2/pkgs/tools/installed` endpoint to minimize the risk of exploitation. Avoid using the endpoint to handle plugin names supplied as user input until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Arduino Create Agent versions prior to 1.3.3 **Description** The issue affects the endpoint "/upload" which handles requests with the `filename` parameter. A user who has the ability to perform HTTP requests to the localhost interface, or is able to bypass the CORS configuration, can escalate their privileges to those of the user running the Arduino Create Agent service via a crafted HTTP POST request. **Recommendations** For versions prior to 1.3.3, upgrade to version 1.3.3 to resolve the issue. As a temporary workaround, consider restricting access to the "/upload" endpoint or disabling it until the upgrade is applied. Avoid using the `filename` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Arduino Create Agent versions prior to 1.3.3 **Description** The issue affects the endpoint "/v2/pkgs/tools/installed" and the way it handles plugin names supplied as user input. A user who has the ability to perform HTTP requests to the localhost interface, or is able to bypass the CORS configuration, can delete arbitrary files or folders belonging to the user that runs the Arduino Create Agent via a crafted HTTP POST request. **Recommendations** For versions prior to 1.3.3, upgrade to version 1.3.3 to address the issue. As a temporary workaround, consider restricting access to the "/v2/pkgs/tools/installed" endpoint to minimize the risk of exploitation. Additionally, ensure that the CORS configuration is properly set up to prevent unauthorized access.