Kevin Stubbings

**Name of the Vulnerable Software and Affected Versions** Kavita versions prior to 0.9.0 **Description** The `ReaderController.GetImage` endpoint is decorated with `[AllowAnonymous]`, which permits unauthenticated access to page images from any chapter in any library. Although the endpoint accepts an `apiKey` parameter, it is not validated. Because entity IDs are sequential integers, an attacker can enumerate all content on the server. **Recommendations** Update to version 0.9.0.

**Name of the Vulnerable Software and Affected Versions** Kavita versions prior to 0.9.0 **Description** Lack of library-level authorization in the download, size-check, and chapter metadata endpoints allows a low-privileged user to access content from libraries they are not assigned to. By knowing or guessing the `chapterId`, `volumeId`, or `seriesId`, an attacker can download full file contents, query file sizes, and read metadata. The affected endpoints are '/api/Download/volume-size', '/api/Download/chapter-size', '/api/Download/series-size', '/api/Download/volume', '/api/Download/chapter', '/api/Download/series', and '/api/Chapter'. **Recommendations** Update to version 0.9.0.

**Name of the Vulnerable Software and Affected Versions** Cognita (affected versions not specified) **Description** The issue is related to an insecure CORS configuration in the Cognita backend server, which allows arbitrary websites to send cross-site requests to the application. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cognita versions (affected versions not specified) **Description** A path traversal issue exists at "/v1/internal/upload-to-local-directory" when the `Local` environment variable is set to true, such as when Cognita is set up using Docker. This allows an attacker to overwrite the `/app/backend/ init .py` file. Because the Docker environment sets up the backend uvicorn server with auto-reload enabled, the overwritten file will automatically be reloaded and executed, enabling remote code execution in the context of the Docker container. **Recommendations** For all affected versions, update to a version that includes the fix from commit a78bd065e05a1b30a53a3386cc02e08c317d2243 to resolve the issue. As a temporary workaround, consider disabling the auto-reload feature of the uvicorn server or restricting access to the "/v1/internal/upload-to-local-directory" endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Rembg versions 2.0.57 and earlier **Description** The issue concerns the CORS middleware setup in Rembg, which is configured to reflect all origins. This allows any website to send cross-site requests to the Rembg server, enabling them to query any API. Furthermore, even if authentication is enabled, the `allow credentials` setting is set to True, which would permit any website to send authenticated cross-site requests. **Recommendations** For Rembg versions 2.0.57 and earlier, update the CORS middleware configuration to only reflect trusted origins and set `allow credentials` to False to prevent unauthorized cross-site requests.

**Name of the Vulnerable Software and Affected Versions** Rembg versions 2.0.57 and earlier **Description** The issue allows an attacker to query the "/api/remove" endpoint to view pictures hosted on the internal network of the Rembg server, potentially leading to Information Disclosure. This is achieved by exploiting the URL query parameter in the endpoint. **Recommendations** For Rembg versions 2.0.57 and earlier, consider disabling access to the "/api/remove" endpoint until a patch is available to prevent potential information disclosure. Restrict access to internal network resources to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** MouseTooltipTranslator Chrome extension (affected versions not specified) **Description** The MouseTooltipTranslator Chrome extension is susceptible to Server-Side Request Forgery (SSRF) attacks. This occurs because the `pdf.mjs` script utilizes the URL parameter from the current URL to download and display a file to the extension user. Since `pdf.mjs` is imported in `viewer.html` and `viewer.html` is accessible from all URLs, an attacker can manipulate the user's browser into making a request to any arbitrary URL. There have been discussions with the maintainer regarding this issue, and it was decided not to patch it as it would require disabling a major feature of the extension in exchange for mitigating a low-severity issue. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Home-Gallery.org versions 1.15.0 and earlier **Description** Home-Gallery.org is a self-hosted open-source web gallery to browse personal photos and videos. An open CORS policy in app.js may allow an attacker to view the images of home-gallery when it is using the default settings. The express middleware allows any website to make a cross-site request to home-gallery, thus allowing them to read any endpoint on home-gallery. Home-gallery is mostly safe from cross-site requests due to most of its pages requiring JavaScript, and cross-site requests such as fetch() do not render javascript. If an attacker is able to get the path of the preview images which are randomized, an attacker will be able to view such a photo. If any static files or endpoints are introduced in the future that contain sensitive information, they will be accessible to an attacker website. **Recommendations** For versions 1.15.0 and earlier, consider restricting access to the app.js file to minimize the risk of exploitation. As a temporary workaround, consider disabling the express middleware that allows cross-site requests until a patch is available. Avoid using the default settings that allow an open CORS policy. If possible, introduce authentication mechanisms to protect access to sensitive information. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Home-Gallery.org versions 1.15.0 and earlier **Description** The default setup of Home-Gallery.org is vulnerable to DNS rebinding due to the lack of TLS and user authentication. An attacker can exploit this by changing the DNS records of their domain to the internal IP address of the Home-Gallery instance, allowing them to extract photos from the gallery. The attack involves the attacker website changing its DNS records to the internal IP address of the Home-Gallery instance, and then reading the response of the web server after the IP address has changed. The response will be from the Home-Gallery instance, not the attacker website, because the IP address has been changed. **Recommendations** For versions 1.15.0 and earlier, consider enabling TLS and user authentication to prevent DNS rebinding attacks. As a temporary workaround, restrict access to the Home-Gallery instance to minimize the risk of exploitation. Avoid using the default setup without proper security configurations until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Habitica versions prior to 5.28.5 **Description** Habitica is an open-source habit-building program. The issue arises from a reflected cross-site scripting vulnerability in the `register` function in `home.vue`, caused by an incorrect sanitization function. An attacker can specify a malicious `redirectTo` parameter to trigger the vulnerability, allowing arbitrary JavaScript code to be executed in the context of the victim's session. **Recommendations** For versions prior to 5.28.5, update to version 5.28.5 to resolve the issue. As a temporary workaround, consider restricting access to the `register` function in `home.vue` to minimize the risk of exploitation. Avoid using the `redirectTo` parameter in the affected function until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Habitica versions prior to 5.28.5 **Description** Habitica is an open-source habit-building program. The issue arises from a reflected cross-site scripting vulnerability due to an incorrect sanitization function in the `register` function within `RegisterLoginReset.vue`. An attacker can specify a malicious `redirectTo` parameter to trigger the vulnerability, potentially giving the attacker control of the victim's account when the victim registers or logs in with a specially crafted link. **Recommendations** For versions prior to 5.28.5, update to version 5.28.5 to resolve the issue. As a temporary workaround, consider restricting access to the `register` function in `RegisterLoginReset.vue` until the patch is applied. Avoid using malicious `redirectTo` parameters in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Habitica versions prior to 5.28.5 **Description** Habitica is an open-source habit-building program. The issue concerns reflected cross-site scripting vulnerabilities in the `login` and `social media` functions within `RegisterLoginReset.vue`, caused by an incorrect sanitization function. An attacker can exploit this by specifying a malicious `redirectTo` parameter, potentially giving them control of a victim's account when the victim registers or logs in with a specially crafted link. **Recommendations** For versions prior to 5.28.5, update to version 5.28.5 to resolve the issue. As a temporary workaround, consider restricting access to the `login` and `social media` functions in `RegisterLoginReset.vue` until the update can be applied. Additionally, avoid using the `redirectTo` parameter in affected links until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: PlexRipper versions prior to 0.24.0 Description: PlexRipper's open CORS policy allows attackers to gain sensitive information by getting the user to access the attacker's domain. This enables an attacking website to access the "/api/PlexAccount" endpoint and steal the user's Plex login. Recommendations: For versions prior to 0.24.0, update to version 0.24.0 to fix the vulnerability. As a temporary workaround, consider restricting access to the "/api/PlexAccount" endpoint until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Plenti versions prior to 0.7.2 **Description** The issue is related to an arbitrary file write vulnerability. The `/postLocal` endpoint is vulnerable, which may lead to Remote Code Execution when a Plenti user serves their website. **Recommendations** For versions prior to 0.7.2, update to version 0.7.2 to fix the vulnerability. As a temporary workaround, consider restricting access to the `/postLocal` endpoint until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Plenti versions prior to 0.7.2 **Description** The issue is related to an arbitrary file deletion vulnerability. The `/postLocal` endpoint is vulnerable to an arbitrary file write deletion when a Plenti user serves their website. This problem may lead to information loss. **Recommendations** For versions prior to 0.7.2, update to version 0.7.2 to fix the vulnerability. As a temporary workaround, consider restricting access to the `/postLocal` endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** smartUp versions 7.2.622.1170 **Description** The issue is a universal cross-site scripting problem that allows another extension to execute arbitrary code in the context of the user’s tab. No known patches exist for this issue. **Recommendations** For smartUp version 7.2.622.1170, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** AList versions prior to 3.29.0 **Description** AList, a file list program supporting multiple storages, contains a reflected cross-site scripting issue in the helper.go file. The endpoint "/i/:link name" takes a user-provided value and reflects it back in the response, which returns an application/xml response. This allows for the inclusion of HTML tags via XHTML, leading to a cross-site scripting vulnerability. **Recommendations** For versions prior to 3.29.0, update to version 3.29.0 to resolve the issue. As a temporary workaround, consider restricting access to the "/i/:link name" endpoint until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Homepage version 0.9.1 **Description** The default setup of Homepage is vulnerable to DNS rebinding due to the lack of certificate and authentication. An attacker can exploit this by changing the DNS records of their domain to the internal IP address of the Homepage instance, allowing them to extract private information such as API keys and other sensitive data. The attack involves the attacker's website changing its DNS records to the internal IP address of the Homepage instance, and then fetching the attacker's domain, which responds with the Homepage instance's data. **Recommendations** For version 0.9.1, update to a newer version as soon as it becomes available, as the current version is vulnerable to DNS rebinding. As a temporary workaround, consider setting up certificate and authentication for the Homepage instance to prevent DNS rebinding attacks. Restrict access to the Homepage instance to minimize the risk of exploitation until a patch is available.

**Name of the Vulnerable Software and Affected Versions** memos versions 0.20.1 and earlier **Description** A CORS misconfiguration exists in memos where an arbitrary origin is reflected with Access-Control-Allow-Credentials set to true. This may allow an attacking website to make a cross-origin request, allowing the attacker to read private information or make privileged changes to the system as the vulnerable user account. **Recommendations** For memos versions 0.20.1 and earlier, update to version 0.21.0 to fix the CORS misconfiguration vulnerability. As a temporary workaround, consider restricting access to sensitive information and privileged actions to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Casdoor versions 1.577.0 and earlier **Description** The issue concerns a reflected XSS vulnerability in the purchase URL created to generate a WechatPay QR code. When a user purchases an item through Casdoor and chooses to pay via Wechat Pay, a QR code with the Wechat Pay link is displayed on the payment page. This page takes a query parameter from the URL `successUrl` and redirects the user to that URL after a successful purchase. An attacker can craft a special URL and send it to the user, potentially leading to an XSS attack after payment has gone through. The vulnerability can be exploited when users share the payment page or are social engineered into sending it to others, as they may not consider the page to contain sensitive information. **Recommendations** For Casdoor versions 1.577.0 and earlier, as a temporary workaround, consider restricting access to the payment page that generates the WechatPay QR code until a patch is available. Avoid using the `successUrl` parameter in the affected URL to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.