Jfoz1010

Name of the Vulnerable Software and Affected Versions Strawberry GraphQL versions prior to 0.312.3 Description Strawberry GraphQL WebSocket subscription handlers for both the `graphql-transport-ws` and legacy `graphql-ws` protocols allocate an `asyncio.Task` and associated `Operation` object for every incoming subscribe message without limiting the number of active subscriptions per connection. An unauthenticated attacker can open a WebSocket connection, send a connection init message, and flood subscribe messages with unique IDs. Each message unconditionally spawns a new `asyncio.Task` and async generator, leading to linear memory growth and event loop saturation, potentially causing server degradation or an out-of-memory (OOM) crash. Recommendations Update to Strawberry GraphQL version 0.312.3 or later.

**Name of the Vulnerable Software and Affected Versions** Admidio versions 5.0.0 through 5.0.7 **Description** Admidio relies on `.htaccess` files to restrict direct HTTP access to uploaded documents. The Docker image is configured with `AllowOverride None` in the Apache configuration, causing these `.htaccess` files to be ignored. This allows anyone with knowledge of the file path to access uploaded files without authentication, regardless of role-based permissions set within the user interface. The file path is disclosed in the upload response JSON. The vulnerability bypasses role-based access control at the filesystem level, potentially exposing sensitive organizational documents like contracts, member data, and financial records. The upload API response discloses the direct URL to the uploader, simplifying path enumeration. **Recommendations** Versions 5.0.0 through 5.0.7: Enable `AllowOverride All` in the Apache configuration for the `/opt/app-root/src/adm my files` directory. Versions 5.0.0 through 5.0.7: Move uploaded files to a directory outside the web root and serve them exclusively through Admidio’s download handler (`modules/documents-files.php?mode=download`). Versions 5.0.0 through 5.0.7: Configure an explicit deny rule at the Apache level for the `/opt/app-root/src/adm my files` directory.

**Name of the Vulnerable Software and Affected Versions** Admidio versions 5.0.0 through 5.0.7 **Description** The `delete` mode handler in `mylist function.php` does not validate a CSRF token before permanently deleting list configurations. An attacker can exploit this by luring an authenticated user to a malicious page, which can result in the silent destruction of the user's list configurations, including organization-wide shared lists if the victim has administrator rights. The vulnerable code is located in the `modules/groups-roles/mylist function.php` file, specifically within the `delete` case at lines 159-161, where the `delete()` function is called without CSRF validation. The vulnerability is triggered by a malicious page containing a form that submits a POST request to the ''/modules/groups-roles/mylist function.php'' endpoint with the `mode` parameter set to 'delete' and the `list uuid` parameter set to the target list's UUID. The `column[]` parameter is also required, but any static value is sufficient. The vulnerable parameter is `adm csrf token`, which is not checked during the delete operation. **Recommendations** Apply the `SecurityUtils::validateCsrfToken()` pattern to the `delete` mode handler in `mylist function.php`, similar to the save modes. Move the `column[]` input guard to within the `in array($getMode, ['save', 'save as', 'save temporary'])` block.

**Name of the Vulnerable Software and Affected Versions** APTRS versions prior to 2.0.1 **Description** APTRS (Automated Penetration Testing Reporting System) is a Python and Django-based automated reporting tool. A flaw exists in the `edit user` API endpoint ('/api/auth/edituser/<pk>') where a user can elevate their privileges to superuser by submitting a crafted request. Specifically, including `"is superuser": true` in the request body allows unauthorized modification of the `is superuser` attribute. The issue stems from the `CustomUserSerializer` exposing the `is superuser` field as writable without proper validation within the `edit user` view. Successful exploitation grants unrestricted access to all application functionality without re-authentication. The vulnerable parameter is `is superuser`. **Recommendations** Update to version 2.0.1 or later.

Name of the Vulnerable Software and Affected Versions: Nginx Proxy Manager version 2.12.3 Description: A Cross-Origin Resource Sharing (CORS) misconfiguration allows unauthorized domains to access sensitive data, specifically JSON Web Tokens (JWT), due to improper validation of the Origin header. This enables attackers to intercept tokens using a browser script and exfiltrate them to a remote attacker-controlled server, potentially leading to unauthorized actions. Recommendations: Update Nginx Proxy Manager to a version that addresses this misconfiguration.

**Name of the Vulnerable Software and Affected Versions** heimdall version 2.6.3-ls307 **Description** The application does not properly validate user-supplied HTTP headers, specifically `X-Forwarded-Host` and `Referer`. This allows for Host Header Injection and Open Redirect attacks. An unauthenticated remote attacker can manipulate these headers to load external resources from attacker-controlled domains and redirect users, potentially enabling phishing, UI redress, and session theft. The issue is due to insufficient validation of untrusted input, impacting the application’s integrity and trustworthiness. **Recommendations** Apply input validation and sanitization to the `X-Forwarded-Host` and `Referer` HTTP headers to prevent manipulation.