Jorianwoltjer

Name of the Vulnerable Software and Affected Versions hoppscotch versions prior to 2026.3.0 Description hoppscotch, an open source API development ecosystem, contains a stored Cross-Site Scripting (XSS) issue that could potentially lead to Cross-Site Request Forgery (CSRF). Recommendations Update to version 2026.3.0 or later.

**Name of the Vulnerable Software and Affected Versions** FreeScout versions 1.8.208 and below **Description** FreeScout, a help desk and shared inbox built with PHP’s Laravel framework, is susceptible to a flaw where attackers can upload and execute malicious JavaScript through specially crafted SVG files. This is achieved by exploiting bypasses in the attachment view logic and SVG sanitizer. The application allows files with a '.png' extension and a 'image/svg+xml' content type, and a fallback mechanism for invalid XML leads to inadequate sanitization. By using a filename with an allowed extension and a Content-Type of image/svg+xml, an attacker can bypass security checks and cause the server to render the malicious SVG inline. Any authenticated user can create a URL that, when visited by another user or administrator, can execute arbitrary actions on their behalf. The API endpoint for file uploads is vulnerable, specifically when handling the `filename` and `Content-Type` parameters. The `renderFile()` function is also implicated in the rendering of the malicious SVG. **Recommendations** FreeScout versions 1.8.208 and below should be updated to version 1.8.209 or later.

**Name of the Vulnerable Software and Affected Versions** AliasVault versions 0.25.3 and lower **Description** AliasVault is a privacy-first password manager with built-in email aliasing. A stored cross-site scripting (XSS) issue exists in the email rendering feature of the AliasVault Web Client. When viewing received emails on an alias, the HTML content is rendered in an iframe using the `srcdoc` attribute, which lacks origin isolation. An attacker can send a crafted email containing malicious JavaScript to any AliasVault email alias. When a victim views the email in the web client, the script executes in the same origin as the application. No sanitization or sandboxing was applied to email HTML content before rendering. The vulnerability is triggered when viewing emails containing malicious JavaScript code. The vulnerable component renders HTML content within an iframe using `srcdoc`. **Recommendations** Update to version 0.26.0 or later.

**Name of the Vulnerable Software and Affected Versions** Storybook versions prior to 7.6.23 Storybook versions prior to 8.6.17 Storybook versions prior to 9.1.19 Storybook versions prior to 10.2.10 **Description** Storybook’s dev server WebSocket functionality, used for creating and updating stories, is susceptible to WebSocket hijacking. This issue impacts the dev server only and does not affect production builds. Exploitation requires a developer to visit a malicious website while running the local Storybook dev server. The WebSocket connection lacks origin validation, allowing a malicious site to send WebSocket messages to the local instance without user interaction. If the Storybook dev server is publicly exposed, an unauthenticated attacker can directly send WebSocket messages. The WebSocket message handlers for creating and saving stories are vulnerable to injection through unsanitized input in the `componentFilePath` field, potentially leading to persistent Cross-Site Scripting (XSS) or Remote Code Execution (RCE). **Recommendations** Update Storybook to version 7.6.23 or later. Update Storybook to version 8.6.17 or later. Update Storybook to version 9.1.19 or later. Update Storybook to version 10.2.10 or later.

**Name of the Vulnerable Software and Affected Versions** Langfuse versions 3.146.0 and below **Description** Langfuse is an open source large language model engineering platform. The `/api/public/slack/install` endpoint initiates Slack OAuth using a `projectId` provided by the client without authentication or authorization. The `projectId` is preserved throughout the OAuth flow, and the callback stores installations based on this untrusted metadata. This allows an attacker to bind their Slack workspace to any project and potentially receive changes to prompts stored in Langfuse Prompt Management. An attacker can replace existing Prompt Slack Automation integrations or pre-register a malicious one, though the latter requires an authenticated user to unknowingly configure it despite visible workspace and channel indicators in the UI. **Recommendations** Update to version 3.147.0 or later.

**Name of the Vulnerable Software and Affected Versions** PwnDoc versions prior to 1.2.0 **Description** The issue concerns the backup restore functionality, which allows an administrator to import raw data into the database, including Path Traversal (`../`) sequences. This is problematic for the template update functionality as it uses the path from the database to write arbitrary content to, potentially overwriting source code to achieve Remote Code Execution. Any user with the `backups:create`, `backups:update`, and `templates:update` permissions, which are limited to administrators by default, can write arbitrary content to anywhere on the filesystem. By overwriting source code, it is possible to achieve Remote Code Execution. **Recommendations** For versions prior to 1.2.0, update to version 1.2.0 to resolve the issue. As a temporary workaround, consider restricting the `backups:create`, `backups:update`, and `templates:update` permissions to limit the potential for exploitation. Additionally, restrict access to the template update functionality to minimize the risk of arbitrary content being written to the filesystem.

**Name of the Vulnerable Software and Affected Versions** PwnDoc versions prior to 1.2.0 **Description** The issue concerns the backup restore functionality, which is vulnerable to path traversal in the TAR entry's name. This allows an attacker to overwrite any file on the system with their content, potentially leading to Remote Code Execution as an administrator. The vulnerability can be exploited by overwriting an included `.js` file and restarting the container. It affects users with the `backups:create` and `backups:update` permissions, which by default are only administrators. **Recommendations** For versions prior to 1.2.0, update to version 1.2.0 to resolve the issue. As a temporary workaround, consider restricting the `backups:create` and `backups:update` permissions to prevent potential exploitation. Additionally, avoid using the backup restore functionality until the update is applied.

**Name of the Vulnerable Software and Affected Versions** PwnDoc versions prior to the version that includes commit 14acb704891245bf1703ce6296d62112e85aa995 **Description** PwnDoc is a penetration test report generator that lacks CSRF protection, allowing attackers to send requests on a logged-in user's behalf. This includes GET and POST requests due to the missing SameSite= attribute on cookies and the ability to refresh cookies. **Recommendations** For versions prior to the version that includes commit 14acb704891245bf1703ce6296d62112e85aa995, update to a version that includes this commit to resolve the issue. As a temporary workaround, consider implementing additional security measures to protect against CSRF attacks, such as validating request origins or using a CSRF token.

**Name of the Vulnerable Software and Affected Versions** PenDoc versions prior to commit 1d4219c596f4f518798492e48386a20c6e9a2fe6 **Description** PenDoc is a penetration testing reporting application. An attacker can write a malicious docx template containing expressions that escape the JavaScript sandbox to execute arbitrary code on the system. By default, only users with the `admin` role are able to create or update templates. An attacker who can control the contents of the template document is able to execute arbitrary code on the system. **Recommendations** For versions prior to commit 1d4219c596f4f518798492e48386a20c6e9a2fe6, update to a version that includes the commit 1d4219c596f4f518798492e48386a20c6e9a2fe6 to resolve the issue. As a temporary workaround, consider restricting access to template creation and update functionality to minimize the risk of exploitation. Avoid using malicious docx templates until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: Angular Expressions versions prior to 1.4.3 Description: The issue is related to the incorrect management of code generation in the Angular Expressions module for the Angular.JS web framework. An attacker can write a malicious expression that escapes the sandbox to execute arbitrary code on the system. With a more complex payload, one can get full access to arbitrary code execution on the system. Recommendations: For versions prior to 1.4.3, update to version 1.4.3 to resolve the issue. As a temporary workaround, consider disabling access to ` proto ` globally. Alternatively, make sure to use the compiled function with just one argument, for example: `const result = expressions.compile(" proto .constructor")({});`, although this will limit the feature of locals if needed.

**Name of the Vulnerable Software and Affected Versions** PwnDoc versions prior to commit 1d4219c596f4f518798492e48386a20c6e9a2fe6 **Description** The issue is related to the `res.download()` function in the `template.js` script, which is part of the PwnDoc tool for automating report documentation. It allows an authenticated user who can update and download templates to inject path traversal (`../`) sequences into the file extension property, enabling them to read arbitrary files on the system. This can be exploited by a remote attacker. **Recommendations** For versions prior to commit 1d4219c596f4f518798492e48386a20c6e9a2fe6, update to a version that includes the patch from commit 1d4219c596f4f518798492e48386a20c6e9a2fe6 to resolve the issue. As a temporary workaround, consider restricting access to the `template.js` script and limiting the ability to update and download templates to trusted users only. Avoid using the file extension property in the `res.download()` function until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** lxml html clean versions prior to 0.4.0 **Description** The HTML Parser in lxml does not properly handle context-switching for special HTML tags such as `<svg>`, `<math>`, and `<noscript>`. This behavior deviates from how web browsers parse and interpret such tags. Specifically, content in CSS comments is ignored by lxml html clean but may be interpreted differently by web browsers, enabling malicious scripts to bypass the cleaning process. This could lead to Cross-Site Scripting (XSS) attacks, compromising the security of users relying on lxml html clean in default configuration for sanitizing untrusted HTML content. **Recommendations** For versions prior to 0.4.0, upgrade to lxml 0.4.0 to address this issue. As a temporary mitigation, configure lxml html clean with the following settings: - Use `remove tags` to specify tags to remove, moving their content to their parents' tags. - Use `kill tags` to specify tags to be removed completely. - Use `allow tags` to restrict the set of permissible tags, excluding context-switching tags like `<svg>`, `<math>`, and `<noscript>`.