Isacaya

**Name of the Vulnerable Software and Affected Versions** alf.io versions prior to 2.0-M5 **Description** The issue is related to a race condition in the promo code system of alf.io, an open-source ticket reservation system for events. This condition allows a user to bypass the limit on the number of promo codes and use a discount coupon multiple times. The time gap between checking the number of codes and restricting their use enables a threat actor to exploit this vulnerability. **Recommendations** For versions prior to 2.0-M5, update to version 2.0-M5 to resolve the issue. As a temporary workaround, consider implementing additional checks to minimize the time gap between verifying and restricting promo code usage. Restrict access to the promo code system to minimize the risk of exploitation until the update is applied.

**Name of the Vulnerable Software and Affected Versions** DecaLog versions prior to 3.9.0 **Description** The issue is related to an SQL Injection vulnerability due to improper neutralization of special elements used in an SQL command. This allows for potential exploitation by injecting malicious SQL code. **Recommendations** For versions prior to 3.9.0, update to a version that includes the fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Site Reviews versions n/a through 6.11.6 **Description** The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting, allowing Stored XSS. This means that an attacker can inject malicious scripts into the website, which can then be executed by other users. **Recommendations** For versions n/a through 6.11.6, update to a version later than 6.11.6 to resolve the issue. As a temporary workaround, consider restricting user input to minimize the risk of exploitation. Avoid using potentially vulnerable features in Site Reviews until the issue is resolved. At the moment, there is no information about additional mitigation measures.

**Name of the Vulnerable Software and Affected Versions** Label Studio versions prior to 1.11.0 **Description** The issue arises from improper sanitization of data imported via the file upload feature, which is then rendered within a `Choices` or `Labels` tag, resulting in an XSS vulnerability. To exploit this, an attacker needs permission to use the "data import" function. This vulnerability can lead to malicious scripts being injected into the code. When combined with other vulnerabilities, such as CSRF, it can cause greater damage, potentially leading to further attacks, especially those linked to social engineering. **Recommendations** For Label Studio versions prior to 1.11.0, update to version 1.11.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the file upload feature to minimize the risk of exploitation. Additionally, avoid using the `html` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Grafana JSON datasource plugin (affected versions not specified) **Description** The JSON datasource plugin for Grafana allows retrieving and processing JSON data from a remote endpoint. Due to inadequate sanitization of the dashboard-supplied `path` parameter, it is possible to include path traversal characters (`../`) and send requests to paths outside the configured sub-path. This means an editor can create a dashboard that issues queries with path traversal characters, causing the datasource to query arbitrary subpaths on the configured domain. In rare cases where the plugin is configured to point back at the Grafana instance itself, this issue can lead to privilege escalation as an administrator browsing a maliciously configured panel could be compelled to make requests to Grafana administrative API endpoints with their credentials. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** pyLoad versions prior to the version with commit fe94451 **Description** The issue is an open redirect vulnerability due to incorrect validation of input values when redirecting users after login. pyLoad validates URLs via the `get redirect url` function and the `is safe url` function when redirecting users at login. However, a lack of validation can redirect the user to an arbitrary domain. The `urlparse` function in the urllib library recognizes improper URLs as relative paths, which can be converted to absolute URLs due to URL normalization. This vulnerability can be used by an attacker to redirect users to malicious websites for phishing and similar attacks. **Recommendations** For versions prior to the version with commit fe94451, update to a version that includes the patch with commit fe94451 to resolve the issue. As a temporary workaround, consider restricting the use of the `get redirect url` function and the `is safe url` function to minimize the risk of exploitation. Avoid using the `next` variable in the affected login functionality until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Label Studio versions prior to 1.11.0 **Description** The issue affects Label Studio's SSRF protections, which can be bypassed to access internal web servers. This is because the current SSRF validation is done by executing a single DNS lookup to verify that the IP address is not in an excluded subnet range. This protection can be bypassed by either using HTTP redirection or performing a DNS rebinding attack. The vulnerability poses a significant risk in cloud environments, as it can be used to access internal web servers and partially compromise the confidentiality of those internal servers. **Recommendations** For versions prior to 1.11.0, update to version 1.11.0 or later to resolve the issue. As a temporary workaround, consider validating the destination IP address before sending the request to ensure it is not in the deny list. Restrict access to internal cloud API IP ranges to minimize the risk of compromising cloud credentials.

**Name of the Vulnerable Software and Affected Versions** TablePress versions prior to 2.2.5 **Description** The issue arises from insufficient filtering of user input for URLs used in external HTTP requests for importing tables. This can lead to sending requests to unintended network locations and receiving responses. In cloud environments like AWS, an attacker could potentially make GET requests to the instance's metadata REST API, leading to exposure of internal data, including credentials, if the instance's configuration is insecure. **Recommendations** For versions prior to 2.2.5, update to version 2.2.5 to resolve the issue. As a temporary workaround, consider restricting user input for table import URLs to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Traccar versions prior to 5.11 **Description** Traccar, an open source GPS tracking system, is affected by an unrestricted file upload vulnerability in the File feature. This allows attackers to execute arbitrary code on the server. The issue is more prevalent due to the recommendation to run Traccar web servers as the root user, making it more dangerous as it can write or overwrite files in arbitrary locations. **Recommendations** For versions prior to 5.11, update to version 5.11 to fix the vulnerability. As a temporary workaround, consider restricting access to the File feature until the update is applied.