Iconnnjka

**Name of the Vulnerable Software and Affected Versions** AVideo versions prior to 26.0 **Description** A Server-Side Request Forgery (SSRF) vulnerability exists in the `plugin/Live/standAloneFiles/saveDVR.json.php` file of AVideo Live plugin when deployed in standalone mode. The `$ REQUEST['webSiteRootURL']` parameter is used directly to construct a URL fetched server-side via `file get contents()` without authentication, origin validation, or URL allowlisting. This allows an attacker to potentially access internal network resources, cloud metadata endpoints, and bypass authentication by redirecting the verification check to an attacker-controlled server. The vulnerability resides in lines 5-28 of the affected file. The `$ REQUEST['webSiteRootURL']` parameter is attacker-controlled and used in a `file get contents()` call without proper validation. The verification bypass allows an attacker to control the processing flow, and the allowed colon character in the regex on the `$key` variable could be leveraged for further exploitation. **Recommendations** Versions prior to 26.0: Remove the user-controlled `webSiteRootURL` fallback entirely, or if it must remain for backward compatibility, validate it against a strict allowlist. Apply `escapeshellarg()` to all variables used in `exec()` calls, including `$DVRFileTarget` and `$tmpDVRDir`.

**Name of the Vulnerable Software and Affected Versions** AVideo versions prior to 26.0 **Description** AVideo, an open source video platform, contains an unauthenticated SQL injection flaw in the `objects/category.php` file within the `getAllCategories()` method. The `doNotShowCats` request parameter undergoes insufficient sanitization, only stripping single quotes, which is easily bypassed using backslash escaping. This parameter is also not covered by the application's global input filters. Exploitation involves crafting a malicious request to manipulate SQL queries, potentially leading to full database access, data modification, or even remote code execution. The vulnerability resides in the way the `doNotShowCats` parameter is handled and concatenated into SQL queries without proper sanitization or the use of parameterized queries. The flaw allows attackers to inject arbitrary SQL code by exploiting the incomplete sanitization and lack of global filter coverage. **Recommendations** Versions prior to 26.0: Upgrade to version 26.0 or later to address the vulnerability. As a temporary workaround, consider disabling the affected functionality or restricting access to the `objects/category.php` file. Alternatively, implement parameterized queries to prevent SQL injection attacks.

**Name of the Vulnerable Software and Affected Versions** File Browser versions 2.61.2 and below **Description** File Browser, a file managing interface, has an issue where an authenticated user with Create or Rename permissions can bypass administrator-configured deny rules. This is due to the order in which path validation and cleaning occur. The destination path is validated against access rules before being cleaned, and the actual file operation cleans the path afterward, resolving '..' sequences into a different effective path. This allows users to inject '..' sequences in the destination parameter of a PATCH request to write or move files to protected paths within their scope. The issue resides in the `resourcePatchHandler` within `http/resource.go`. The rules engine uses literal string prefix matching or regex matching against the raw path, while the file operation calls `path.Clean()` which resolves '..' sequences. This does not allow escaping the user's BasePathFs scope or reading from restricted paths. **Recommendations** Versions prior to 2.62.0 are affected. Update to version 2.62.0 or later to resolve this issue.

**Name of the Vulnerable Software and Affected Versions** SiYuan versions 3.6.0 and below **Description** SiYuan, a personal knowledge management system, contains an authorization bypass that allows authenticated users, including those with the Reader role, to execute arbitrary SQL statements against the application's database via the `/api/search/fullTextSearchBlock` endpoint. This occurs when the `method` parameter is set to 2, causing the endpoint to pass user-supplied input directly as a raw SQL statement to the underlying SQLite database without proper authorization or read-only checks. The dedicated SQL endpoint, `/api/query/sql`, correctly enforces authorization, but the search endpoint bypasses these controls. This allows for potential confidentiality, integrity, and availability breaches, including the ability to read sensitive data, modify or delete data, and even drop tables. The `query` parameter is the vulnerable input. The vulnerable code path involves passing the `query` string directly to the `searchBySQL()` function, which then executes the SQL statement using Go's `database/sql` package. **Recommendations** Versions prior to 3.6.1 are affected. Apply version 3.6.1 or later to resolve this issue. As a temporary workaround, restrict access to the `/api/search/fullTextSearchBlock` endpoint. If upgrading is not immediately possible, add `CheckAdminRole` and `CheckReadonly` middleware to the `/api/search/fullTextSearchBlock` endpoint. Alternatively, implement validation to ensure only SELECT statements are executed when the `method` parameter is set to 2 and the user is not an administrator.

**Name of the Vulnerable Software and Affected Versions** Runtipi versions prior to 4.8.1 **Description** Runtipi is a personal homeserver orchestrator. The `/api/auth/verify-totp` endpoint lacks rate limiting, attempt counting, or account lockout mechanisms. An attacker with valid user credentials obtained through methods like phishing or credential stuffing can brute-force the 6-digit TOTP code, bypassing two-factor authentication. The TOTP verification session lasts 24 hours, allowing for exhaustive testing of the 1,000,000 possible codes. At a request rate of approximately 500 requests per second, a successful attack can take around 33 minutes. The vulnerable parameter is the TOTP code submitted to the `/api/auth/verify-totp` endpoint. **Recommendations** Versions prior to 4.8.1 should be updated to version 4.8.1 or later.

**Name of the Vulnerable Software and Affected Versions** OneUptime versions prior to 10.0.21 **Description** OneUptime is a solution for monitoring and managing online services. A path traversal issue exists in the `/workflow/docs/:componentName` API endpoint, allowing unauthenticated reading of arbitrary files from the server filesystem. The `componentName` route parameter is directly concatenated into a file path and passed to the `res.sendFile()` function within the `orker/FeatureSet/Workflow/Index.ts` file without any sanitization or authentication checks. **Recommendations** Update to version 10.0.21 or later.

**Name of the Vulnerable Software and Affected Versions** OliveTin versions prior to 3000.11.2 **Description** OliveTin provides access to predefined shell commands through a web interface. When the `saveLogs` feature is enabled, OliveTin persists execution log entries to disk. The filename for these logs is constructed using the `UniqueTrackingId` field from the `StartAction` API request. This value is not properly validated or sanitized, allowing an attacker to use directory traversal sequences, such as `../../../`, to write files to arbitrary locations on the filesystem. The `StartAction` API endpoint accepts the `UniqueTrackingId` variable without validation. **Recommendations** Update to version 3000.11.2 or later.

**Name of the Vulnerable Software and Affected Versions** pypdf versions prior to 6.8.0 **Description** pypdf is a free and open-source pure-python PDF library. A crafted PDF file can cause excessive memory usage when parsed, specifically when processing a content stream with a large `/Length` value, irrespective of the actual data length within the stream. **Recommendations** Update to version 6.8.0 or later.