Haxatron

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 116 Firefox ESR versions prior to 102.14 Firefox ESR versions prior to 115.1 **Description** A bug in popup notifications delay calculation could have made it possible for an attacker to trick a user into granting permissions. This issue is related to incorrect handling of insufficient permissions due to an error in the calculation of the delay of popup notifications, which may allow a remote attacker to conduct clickjacking attacks. **Recommendations** For Firefox versions prior to 116, update to version 116 or later. For Firefox ESR versions prior to 102.14, update to version 102.14 or later. For Firefox ESR versions prior to 115.1, update to version 115.1 or later.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 112 Firefox ESR versions prior to 102.10 Thunderbird versions prior to 102.10 **Description** The issue is related to insufficient protection of internal data when handling the "Save Link As" dialog, allowing an attacker to gain unauthorized access to protected information. This occurs when suggested filenames contain environment variable names, which are resolved in the context of the current user. The vulnerability affects Firefox and Thunderbird on Windows, allowing a remote attacker to access confidential information in the system. **Recommendations** For Firefox versions prior to 112: Update to version 112 or later to resolve the issue. For Firefox ESR versions prior to 102.10: Update to version 102.10 or later to resolve the issue. For Thunderbird versions prior to 102.10: Update to version 102.10 or later to resolve the issue. As a temporary workaround, consider avoiding the use of the "Save Link As" feature with suggested filenames containing environment variable names until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Firefox for Android versions prior to 111 **Description** The issue is related to the fullscreen notification mode in Firefox for Android, where the lack of warnings about potentially dangerous actions when loading downloadable file popups can lead to user confusion or spoofing attacks. This can be exploited by a remote attacker to conduct spoofing attacks. **Recommendations** For Firefox for Android versions prior to 111, update to version 111 or later to resolve the issue. As a temporary workaround, consider avoiding the use of downloadable file popups in fullscreen notification mode until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Apache Airflow versions prior to 2.4.2 **Description** The issue is related to an open redirect in the webserver's "/confirm" endpoint. **Recommendations** For versions prior to 2.4.2, update to version 2.4.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Apache Airflow versions prior to 2.4.1 **Description** The issue allows an already authenticated user to continue using the UI or API even after their account has been deactivated. **Recommendations** For versions prior to 2.4.1, update to version 2.4.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 105 Firefox ESR versions prior to 102.3 Thunderbird versions prior to 102.3 **Description** The issue is related to the use of files with specific prefixes without proper validation and integrity checks. An attacker, acting remotely, could exploit this to bypass security context restrictions for certain files and overwrite them. By injecting a cookie with special characters, an attacker on a shared subdomain that is not a secure context could set and overwrite cookies from a secure context, leading to session fixation and other attacks. **Recommendations** For Firefox versions prior to 105, update to version 105 or later to resolve the issue. For Firefox ESR versions prior to 102.3, update to version 102.3 or later to resolve the issue. For Thunderbird versions prior to 102.3, update to version 102.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 112 Firefox for Android versions prior to 112 Focus for Android versions prior to 112 **Description** The issue is related to the use of redirects embedded into `sourceMappingUrls`, which could allow navigation to external protocol links in sandboxed iframes without `allow-top-navigation-to-custom-protocols`. This could potentially allow a remote attacker to access and compromise confidential data. **Recommendations** For Firefox versions prior to 112, update to version 112 or later. For Firefox for Android versions prior to 112, update to version 112 or later. For Focus for Android versions prior to 112, update to version 112 or later.

**Name of the Vulnerable Software and Affected Versions** undici versions prior to 5.8.1 **Description** The issue is related to Server-side Request Forgery (SSRF) when an application takes in user input into the `path/pathname` option of `undici.request`. If a user specifies a URL such as `http://127.0.0.1` or `//127.0.0.1`, it can result in an SSRF as the hostname can change because the specified path parameter is combined with the base URL. For example, using the `undici.request` call with `origin` set to `"http://example.com"` and `pathname` set to `"//127.0.0.1"` will process the request as `http://127.0.0.1/` and send it to `http://127.0.0.1`. The `path` parameter of `undici.request` is vulnerable when user input is passed into it. **Recommendations** To resolve the issue, update to `undici@5.8.1` or later. As a temporary workaround, validate user input before passing it to the `undici.request` call to prevent SSRF attacks.

**Name of the Vulnerable Software and Affected Versions** undici versions prior to 5.7.1 **Description** The issue arises when authorization headers are cleared on cross-origin redirects, but cookie headers remain uncleared. This may lead to accidental leakage of cookies to a 3rd-party site or a malicious attacker who can control the redirection target. By design, `cookie` headers are forbidden request headers, but undici handles headers more liberally than the specification. There are active users using cookie headers in undici, which increases the risk of exploitation. The vulnerability is not exploitable by default if redirections are not enabled, i.e., `maxRedirections: 0`. **Recommendations** For versions prior to 5.7.1, update to version 5.7.1 or later to resolve the issue. As a temporary workaround, consider disabling redirections by setting `maxRedirections: 0` to minimize the risk of exploitation. Avoid using `cookie` headers in undici until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** corenlp (affected versions not specified) **Description** The issue is related to Improper Restriction of XML External Entity Reference. No information is provided about the estimated number of potentially affected devices or real-world incidents where this issue was exploited. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** corenlp (affected versions not specified) **Description** The issue is related to Improper Restriction of XML External Entity Reference. The `TransformXML()` function uses a `SAXParser` generated from a `SAXParserFactory` with no `FEATURE SECURE PROCESSING` set, allowing for XXE attacks. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** snipe-it (affected versions not specified) **Description** The issue is related to Missing Authorization and Improper Access Control, which may allow unauthorized access. There is no information provided about the estimated number of potentially affected devices worldwide or real-world incidents where this issue was exploited. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Wiki.js versions 2.5.263 and earlier Description: The issue concerns stored cross-site scripting through non-image file uploads for file types that can be viewed directly inline in the browser. By creating a malicious file which can execute inline JS when viewed in the browser, a malicious Wiki.js user may stage a stored cross-site scripting attack. This allows the attacker to execute malicious JavaScript when the file is viewed directly by other users. The file must be opened directly by the user and will not trigger directly in a normal Wiki.js page. Recommendations: For Wiki.js versions 2.5.263 and earlier, update to version 2.5.264 or later, which adds an optional force download flag to all non-image file types, preventing the file from being viewed inline in the browser. As a temporary workaround, consider disabling file upload for all non-trusted users to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Wiki.js versions 2.5.263 and earlier Description: The issue concerns stored cross-site scripting through a SVG file upload made via a custom request with a fake MIME type. By creating a crafted SVG file, a malicious Wiki.js user may stage a stored cross-site scripting attack, allowing the attacker to execute malicious JavaScript when the SVG is viewed directly by other users. Scripts do not execute when loaded inside a page via normal `<img>` tags. The malicious SVG can only be uploaded by crafting a custom request to the server with a fake MIME type. Recommendations: For Wiki.js versions 2.5.263 and earlier, update to version 2.5.264, which adds an additional file extension verification check to the optional SVG sanitization step to all file uploads that match the SVG mime type. As a temporary workaround, consider disabling file upload for all non-trusted users.

**Name of the Vulnerable Software and Affected Versions** BookStack versions prior to 21.11.3 **Description** The issue allows a logged-in user with no privileges or a guest user (if public access is enabled) to access the "/search/users/select" AJAX endpoint, which is meant for admins to manage audit logs. This can be used to dump all usernames existing in the BookStack database. Additionally, it can be used to harvest email belonging to a user because BookStack uses the code where(`email`, `like`, `%` . $search . `%`) to search for users based on email. **Recommendations** For versions prior to 21.11.3, update to version 21.11.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/search/users/select" AJAX endpoint to minimize the risk of exploitation. Avoid using the `email` variable in the affected endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** bookstack (affected versions not specified) **Description** The issue is related to Improper Access Control. There is no information provided about the estimated number of potentially affected devices worldwide or real-world incidents where this issue was exploited. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Pterodactyl versions prior to 1.6.6 **Description** Due to improperly configured CSRF protections on two routes, a malicious user could execute a CSRF-based attack against the following endpoints: "Sending a test email" and "Generating a node auto-deployment token". At no point would any data be exposed to the malicious user, this would simply trigger email spam to an administrative user, or generate a single auto-deployment token unexpectedly. This token is not revealed to the malicious user, it is simply created unexpectedly in the system. **Recommendations** For versions prior to 1.6.6, update to version 1.6.6 to address the issue. As a temporary workaround, consider restricting access to the vulnerable endpoints until the update is applied. Users may also optionally manually apply the fixes released in v1.6.6 to patch their own systems.

**Name of the Vulnerable Software and Affected Versions** bookstack (affected versions not specified) **Description** The issue concerns an unrestricted upload of files with dangerous types. There is no information provided about the estimated number of potentially affected devices worldwide or real-world incidents where this issue was exploited. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** bookstack (affected versions not specified) **Description** The issue is related to Improper Limitation of a Pathname to a Restricted Directory, also known as 'Path Traversal'. This means that an attacker could potentially access files or directories outside the intended restricted directory. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.