Ik0Z

**Name of the Vulnerable Software and Affected Versions** ERPNext versions prior to 15.101.1 ERPNext versions prior to 16.10.0 **Description** An improper limitation of a pathname to a restricted directory, known as path traversal, allows an authenticated adjacent attacker to read arbitrary files via an endpoint. Path traversal is a security gap where an attacker can access files and directories that are stored outside the intended folder. **Recommendations** Update to version 15.101.1. Update to version 16.10.0.

**Name of the Vulnerable Software and Affected Versions** ERPNext versions prior to 15.106.0 ERPNext versions prior to 16.16.0 **Description** A malicious user can send a crafted request to an endpoint, causing the server to make an HTTP call to a service chosen by the attacker. This is a Server-Side Request Forgery (SSRF), where the server is coerced into making requests to an unintended location. **Recommendations** Update to version 15.106.0. Update to version 16.16.0.

**Name of the Vulnerable Software and Affected Versions** Open edX Platform (affected versions not specified) **Description** The HTML sanitizer function `clean thread html body()` used for discussion notification emails fails to remove `<style>` tags from user-generated discussion post content. Because this content is rendered using Django's `|safe` template filter in email notification templates, an enrolled student can inject arbitrary CSS into emails sent to other users. This can lead to content spoofing, phishing attacks, and email tracking, which may disclose IP addresses. **Recommendations** Apply the fix provided in commit cddc25cd791bb78f76833896e4778f668861df12.

**Name of the Vulnerable Software and Affected Versions** Open edX Platform (affected versions not specified) **Description** The 'sync provider data' endpoint in SAMLProviderDataViewSet allows authenticated Enterprise Admin users to supply an arbitrary URL through the `metadata url` POST parameter. This URL is processed by the `fetch metadata xml()` function using `requests.get()` without URL validation, IP filtering, or scheme enforcement. This allows an attacker with Enterprise Admin privileges to force the server to make HTTP requests to internal network services, cloud metadata endpoints, or other destinations controlled by the attacker. **Recommendations** Apply the fixes provided in commits 6fda1f120ff5a590d120ae1180185525f399c6d0 and 70a56246dd9c9df57c596e64bdd8a11b1d9da054.

**Name of the Vulnerable Software and Affected Versions** Open edx Enterprise Service versions 7.0.2 through 7.0.4 **Description** An authenticated user with the Enterprise Admin role can trigger a server-side HTTP request. By using the 'SAMLProviderConfigViewSet' PATCH endpoint, a user can set the `metadata source` variable in `SAMLProviderConfig` to an arbitrary URL. Subsequently, calling the 'sync provider data' endpoint in 'SAMLProviderDataViewSet' triggers the `fetch metadata xml()` function, which passes the URL to `requests.get()` without scheme enforcement, IP filtering, or timeouts. This allows for Server-Side Request Forgery (SSRF), which could be used to steal cloud credentials from instance metadata services, scan internal networks, or access internal APIs. **Recommendations** Update Open edx Enterprise Service to version 7.0.5. As a temporary workaround, restrict network-level egress filtering to block outbound connections from the server to 169.254.0.0/16 and RFC 1918 private IP ranges.

**Name of the Vulnerable Software and Affected Versions** Open edX Platform (affected versions not specified) **Description** The Open edX Platform allows for the creation and delivery of online learning content. The `view survey` API endpoint is susceptible to an open redirect issue due to the lack of validation for the `redirect url` GET parameter. Providing a non-existent survey name results in an unvalidated HTTP 302 redirect to a user-controlled URL. This same unvalidated URL is also included in a hidden form field and returned in a JSON response, where client-side JavaScript then redirects the user to that URL. This can lead to phishing and credential theft attacks against authenticated users. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** phpMyFAQ versions prior to 4.1.1 **Description** phpMyFAQ is susceptible to arbitrary file deletion due to missing path traversal validation and CSRF token verification in the MediaBrowserController::index() method. Specifically, when the `fileRemove` action is triggered, the `name` parameter, received via a GET request, is concatenated with the base upload directory without proper sanitization. The `FILTER SANITIZE SPECIAL CHARS` filter is insufficient to prevent directory traversal sequences like `../`. The absence of CSRF token validation further exacerbates the issue, allowing attackers to exploit it via Cross-Site Request Forgery attacks. The vulnerable file is `phpmyfaq/src/phpMyFAQ/Controller/Administration/Api/MediaBrowserController.php`. The API endpoint ''/admin/api/media-browser'' is affected, and the vulnerable parameter is `name`. Exploitation can lead to server compromise, data loss, and security bypass by deleting critical files such as the database configuration file or `.htaccess`. The vulnerability can be exploited through direct requests with a valid admin session or via CSRF attacks. **Recommendations** Update phpMyFAQ to version 4.1.1 or later. Implement path traversal validation using `basename()` and `realpath()` to ensure the target path remains within the intended directory. Add CSRF protection by verifying CSRF tokens before processing the `fileRemove` action.

**Name of the Vulnerable Software and Affected Versions** phpMyFAQ versions prior to 4.1.1 **Description** phpMyFAQ is susceptible to a stored cross-site scripting (XSS) issue due to a bypass in the regular expression used for sanitizing FAQ content within the `Filter::removeAttributes()` function. The regex only matches attributes with double-quoted values, failing to identify and remove attributes using single quotes or no quotes. This allows an attacker to inject malicious code, such as JavaScript, into FAQ content. The vulnerability exists because the sanitization pipeline first encodes special characters, then decodes them, and finally attempts to remove dangerous HTML attributes using a flawed regular expression. The affected file is `phpmyfaq/src/phpMyFAQ/Filter.php` at line 174. The XSS payload is rendered on the public FAQ page, impacting all users, including unauthenticated visitors. Exploitation requires administrative privileges to create or modify FAQ content, but the impact affects all viewers of the compromised FAQ. Potential impacts include session hijacking, phishing, worm propagation, and malware distribution. **Recommendations** Versions prior to 4.1.1 should be updated to version 4.1.1 or later.