K

**Name of the Vulnerable Software and Affected Versions** Apache Storm versions prior to 2.8.7 **Description** When TLS transport is enabled without requiring client certificate authentication, the `TlsTransportPlugin` assigns a fallback principal (CN=ANONYMOUS) if no client certificate is presented or if verification fails. This occurs because the `SSLPeerUnverifiedException` is caught and suppressed instead of rejecting the connection. This fail-open behavior allows unauthenticated clients to establish a TLS connection and receive a valid principal identity. If the configured authorizer, such as `SimpleACLAuthorizer`, does not explicitly deny access to CN=ANONYMOUS, it may lead to unauthorized access to services. This condition is only logged at the debug level, which limits visibility in production environments. **Recommendations** Update to version 2.8.7. Enable mandatory client certificate authentication by setting `nimbus.thrift.tls.client.auth.required` to `true`. Ensure authorization rules explicitly deny access to CN=ANONYMOUS. Review all ACL configurations for implicit default-allow behavior.

**Name of the Vulnerable Software and Affected Versions** Apache Storm versions 2.6.3 through 2.8.6 **Description** Improper certificate validation occurs in the Prometheus Reporter when the `storm.daemon.metrics.reporter.plugin.prometheus.skip tls validation` configuration is enabled. The `PrometheusPreparableReporter` class utilizes an `INSECURE TRUST MANAGER` that accepts all SSL certificates without validation via empty `checkClientTrusted` and `checkServerTrusted` methods. When the aforementioned configuration is active, the `INSECURE CONNECTION FACTORY` executes `SSLContext.setDefault(sslContext)`, which replaces the default SSL context for the entire Java Virtual Machine (JVM) instead of limiting the insecure context to the Prometheus connection. Consequently, all HTTPS communications within the process, including ZooKeeper, Thrift, Netty, and UI connections, trust all certificates, including self-signed or attacker-generated ones, allowing for man-in-the-middle interception of administrative credentials, topology submissions, cluster state, and tuple data. **Recommendations** Upgrade to version 2.8.7. Remove the `storm.daemon.metrics.reporter.plugin.prometheus.skip tls validation: true` setting from the `storm.yaml` configuration and configure a proper truststore containing the PushGateway's certificate.

**Name of the Vulnerable Software and Affected Versions** Apache Storm versions prior to 2.8.6 **Description** The Storm UI visualization component interpolates topology metadata, such as component IDs, stream names, and grouping values, directly into HTML via innerHTML in the `parseNode()` and `parseEdge()` functions without sanitization. An authenticated user with topology submission rights can craft a topology containing malicious HTML or JavaScript in component identifiers. This payload is transmitted through Nimbus, Thrift, and the Visualization API to the vis.js tooltip rendering, leading to stored cross-site scripting. In multi-tenant deployments, this can allow privilege escalation if the UI is accessed by operators or administrators. **Recommendations** Upgrade to version 2.8.6. As a temporary workaround, monkey-patch the `parseNode()` and `parseEdge()` functions in the visualization JavaScript file to HTML-escape all API-supplied values, including `nodeId`, `:capacity`, `:latency`, `:component`, `:stream`, and `:grouping` before interpolation into tooltip HTML strings. Restrict topology submission to trusted users via Nimbus ACLs as a defense-in-depth measure.

**Name of the Vulnerable Software and Affected Versions** Vue (affected versions not specified) **Description** The issue is related to an improper regular expression in Vue's `parseHTML` function, which can lead to a potential regular expression denial of service vulnerability. This flaw, known as a ReDoS (Regular expression Denial of Service), allows attackers to slow down the application by providing specially crafted input that causes inefficient processing of regular expressions, leading to excessive resource consumption. In a Vue client-side application, this vulnerability can be exploited by creating a new Vue instance with a template string that includes a `<script>` tag but closes it incorrectly. The time taken to parse and mount the Vue application increases significantly due to the ReDoS vulnerability, demonstrating how the flaw can affect performance. **Recommendations** To mitigate this issue, consider disabling the `parseHTML` function in the `html-parser.ts` file until a patch is available. Restrict access to the `html-parser.ts` file to minimize the risk of exploitation. Avoid using the `parseHTML` function with untrusted input until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Bootstrap (affected versions not specified) **Description** A vulnerability has been identified in Bootstrap that exposes users to Cross-Site Scripting (XSS) attacks. The issue is present in the carousel component, where the `data-slide` and `data-slide-to` attributes can be exploited through the `href` attribute of an <a> tag due to inadequate sanitization. This could potentially enable attackers to execute arbitrary JavaScript within the victim's browser. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** bootstrap (affected versions not specified) **Description** A security issue has been discovered that could enable Cross-Site Scripting (XSS) attacks. The issue is associated with the `data-loading-text` attribute within the button plugin. This can be exploited by injecting malicious JavaScript code into the attribute, which would then be executed when the button's loading state is triggered. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Bootstrap (affected versions not specified) **Description** A vulnerability has been identified in Bootstrap that exposes users to Cross-Site Scripting (XSS) attacks. The issue is present in the carousel component, where the `data-slide` and `data-slide-to` attributes can be exploited through the href attribute of an `<a>` tag due to inadequate sanitization. This could potentially enable attackers to execute arbitrary JavaScript within the victim's browser. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Calendar01 version 1.0.0 Calendar02 version 1.0.0 PKOBO-News01 versions 1.0.3 and earlier PKOBO-vote01 versions 1.0.1 and earlier Telop01 version 1.0.0 Gallery01 versions 1.0.3 and earlier CalendarForm01 versions 1.0.3 and earlier Link01 version 1.0.0 **Description** The issue allows remote attackers to bypass authentication and log in to the product with administrative privileges. The exact vectors used for the attack are not specified. **Recommendations** For Calendar01 version 1.0.0, update to a version that addresses the authentication bypass issue. For Calendar02 version 1.0.0, update to a version that addresses the authentication bypass issue. For PKOBO-News01 versions 1.0.3 and earlier, update to a version later than 1.0.3. For PKOBO-vote01 versions 1.0.1 and earlier, update to a version later than 1.0.1. For Telop01 version 1.0.0, update to a version that addresses the authentication bypass issue. For Gallery01 versions 1.0.3 and earlier, update to a version later than 1.0.3. For CalendarForm01 versions 1.0.3 and earlier, update to a version later than 1.0.3. For Link01 version 1.0.0, update to a version that addresses the authentication bypass issue.