Huajihd

**Name of the Vulnerable Software and Affected Versions** GLPI versions 0.78 through 10.0.24 GLPI versions 0.78 through 11.0.6 **Description** A technician can delete arbitrary files from the filesystem, provided the webserver has write permissions for those files. **Recommendations** Update to version 10.0.25. Update to version 11.0.7.

**Name of the Vulnerable Software and Affected Versions** GLPI versions 0.78 through 10.0.24 GLPI versions 0.78 through 11.0.6 **Description** An authenticated user with config READ permission can read a specific asset object. **Recommendations** Upgrade to version 10.0.25. Upgrade to version 11.0.7.

**Name of the Vulnerable Software and Affected Versions** GLPI versions 0.50 through 10.0.24 GLPI versions 0.50 through 11.0.6 **Description** A technician can read arbitrary files located within the `GLPI DOC DIR` directory. **Recommendations** Update to version 10.0.25. Update to version 11.0.7.

NamelessMC is website software for Minecraft servers. In version 2.2.4, `modules/Forum/pages/forum/get quotes.php` only checks whether the caller is logged in, then reads a post by attacker-controlled `post` ID and returns its content. The backend helper in `modules/Forum/classes/Forum.php` does not enforce forum or topic ACLs. In contrast, the normal topic page in `modules/Forum/pages/forum/view topic.php` enforces forum visibility and `view other topics`. Any low-privileged authenticated user can enumerate post IDs and read content from hidden, private, or staff-only forums. Version 2.2.5 fixes the issue.

**Name of the Vulnerable Software and Affected Versions** NamelessMC version 2.2.4 **Description** In the `modules/Forum/classes/ForumPostReactionContext.php` file, the software verifies if a caller can view the forum but fails to enforce the topic-level `view other topics` authorization. This allows users who are restricted to viewing only their own topics to read and modify reactions on topics belonging to other users. **Recommendations** Update to version 2.2.5.

**Name of the Vulnerable Software and Affected Versions** NamelessMC versions prior to 2.2.5 **Description** The profile page located at 'modules/Core/pages/profile.php' processes wall post submissions and replies before verifying if the viewer is authorized to access the profile. This allows users with the `profile.post` permission to write wall posts to profiles that are private or have blocked them. Furthermore, the reply mechanism fails to verify that the target wall post belongs to the current profile, which enables attackers to inject replies into wall posts owned by other profiles using a restricted profile URL. **Recommendations** Update to version 2.2.5.

**Name of the Vulnerable Software and Affected Versions** NamelessMC version 2.2.4 **Description** NamelessMC is website software for Minecraft servers. The software fails to enforce blocked or private profile visibility in `core/classes/Misc/ProfilePostReactionContext.php`, verifying only that the wall post exists. Additionally, the endpoint "modules/Core/queries/reactions.php" allows unauthenticated GET requests for reaction details. This allows unauthenticated visitors to read reaction participants and timestamps for private profile posts, and enables authenticated low-privileged users to add reactions to private or blocking profile posts. **Recommendations** Update to version 2.2.5.

**Name of the Vulnerable Software and Affected Versions** NamelessMC version 2.2.4 **Description** NamelessMC is website software for Minecraft servers. In the file `core/classes/Misc/ProfilePostReactionContext.php`, the system only verifies the existence of a wall post without enforcing visibility restrictions for blocked or private profiles. This allows authenticated low-privileged users to add reactions to posts on profiles that have blocked them or are set to private. **Recommendations** Update to version 2.2.5.

**Name of the Vulnerable Software and Affected Versions** Kirby versions prior to 4.9.0 Kirby versions prior to 5.4.0 **Description** Missing authorization in the system API endpoint allows authenticated users to access sensitive information. Specifically, the '/api/system' endpoint leaks the installed Kirby version and the status, type, and code of the installed license to users who lack the `access.system` permission. This information can be utilized by malicious actors during reconnaissance to plan further attacks. **Recommendations** Update to version 4.9.0 or later. Update to version 5.4.0 or later.

**Name of the Vulnerable Software and Affected Versions** Kirby versions prior to 4.9.0 Kirby versions prior to 5.4.0 **Description** Missing authorization allows authenticated Panel users to access site, user, and role information without proper permission gating. This occurs because permission settings for the site model, users, and user roles were not implemented, meaning that even if a developer disabled all permissions using the `"*": false` setting, these specific actions remained accessible. The affected areas include the ability to list and access the site model, as well as viewing user and role details, including names, descriptions, and configured permissions. Specifically, the missing permissions were `site.access`, `user.access`, `users.access`, `user.list`, and `users.list`. **Recommendations** Update to version 4.9.0 or later. Update to version 5.4.0 or later.

Emlog is an open source website building system. Prior to version 2.6.8, the backend upgrade interface accepts remote SQL and ZIP URLs via GET parameters. The server first downloads and executes the SQL file, then downloads the ZIP file and extracts it directly into the web root directory. This process does not validate a CSRF token. Therefore, an attacker only needs to trick an authenticated administrator into visiting a malicious link to achieve arbitrary SQL execution and arbitrary file write. This issue has been patched in version 2.6.8.

**Name of the Vulnerable Software and Affected Versions** Saloon versions prior to 4.0.0 **Description** Saloon is a PHP library used for building API integrations and SDKs. Prior to version 4.0.0, the library lacked validation when constructing file paths from fixture names. This allowed names containing path segments, such as `../traversal` or `../../etc/passwd`, to create paths outside the intended fixture directory. Consequently, reading or writing fixtures could lead to unauthorized file access or modification anywhere the process had permissions. If the fixture name originated from user-controlled input, such as request parameters or configuration settings, this constituted a path traversal issue. The fix implemented in version 4.0.0 introduces validation in the fixture layer, rejecting names with characters like `/`, ``, `..`, or null bytes, and restricting the character set to safe options. Additionally, a defense-in-depth mechanism was added to the storage layer to ensure resolved paths remain within the base directory before any read or write operation. **Recommendations** Upgrade to Saloon version 4.0.0 or later.

**Name of the Vulnerable Software and Affected Versions** Saloon versions prior to 4.0.0 **Description** Saloon is a PHP library used for building API integrations and SDKs. A flaw exists where the library combines a connector's base URL with a request endpoint. If the endpoint is a valid absolute URL, Saloon uses that URL directly, bypassing the base URL and any associated authentication mechanisms. This allows attackers to potentially perform server-side request forgery (SSRF) and leak credentials to a host they control if the endpoint is influenced by user input or configuration parameters like redirect uri or callback URL. The `URLHelper::join()` function does not validate the endpoint, leading to this behavior. **Recommendations** Upgrade to Saloon version 4.0.0 or later.

**Name of the Vulnerable Software and Affected Versions** MacCMS versions prior to 2025.1000.4052 **Description** A weakness exists in MacCMS that allows authorization bypass. This issue affects the `order info` function within the `application/index/controller/User.php` file, specifically within the Member Order Detail Interface. Manipulation of the `order id` argument can lead to unauthorized access. The exploit for this issue has been publicly released and could be used for remote attacks. **Recommendations** Update MacCMS to version 2025.1000.4052 or later. As a temporary workaround, restrict access to the `order info` function within the `application/index/controller/User.php` file. Avoid using the `order id` parameter in the affected interface until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** MacCMS version 2025.1000.4052 **Description** A security flaw exists in MacCMS that allows for missing authentication. The issue is located in the file `application/api/controller/Timming.php` within the Timming API Endpoint component. The attack can be performed remotely. The exploit has been publicly released. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** league/commonmark versions 2.3.0 through 2.8.1 **Description** The `DomainFilteringAdapter` within the Embed extension is susceptible to an allowlist bypass because of a missing hostname boundary assertion in the domain-matching regular expression. A malicious domain, such as `youtube.com.evil`, can pass the allowlist check when `youtube.com` is a permitted domain. This allows for two potential attack vectors: Server-Side Request Forgery (SSRF) and Cross-Site Scripting (XSS). The `OscaroteroEmbedAdapter` makes server-side HTTP requests to the embed URL, and a bypassed domain filter could lead to requests to attacker-controlled hosts. The `EmbedRenderer` outputs the oEmbed response HTML directly into the page without sanitization, allowing an attacker controlling the bypassed domain to return arbitrary HTML/JavaScript. **Recommendations** Update to version 2.8.2 or later. Disable the Embed extension. Provide a custom domain-filtering implementation of `EmbedAdapterInterface`. Enable a Content Security Policy (CSP) and outbound firewall restrictions.