Kitu232

**Name of the Vulnerable Software and Affected Versions** phpMyFAQ versions prior to 4.1.3 **Description** An unauthenticated password reset issue exists in the user password update API endpoint. The application allows the password to be changed immediately upon a match of a valid `username` and `email` pair without requiring token validation, a confirmation link, or proof of mailbox control. This allows attackers to enumerate valid username and email pairs based on the difference in API responses and force immediate password changes for other users, resulting in account disruption and the invalidation of legitimate credentials. The issue is located in the `updatePassword()` function within the `phpmyfaq/src/phpMyFAQ/Controller/Frontend/Api/UnauthorizedUserController.php` file. The affected API endpoint is "/api/index.php/user/password/update" using the PUT method, where the `username` and `email` variables are processed. **Recommendations** Update to version 4.1.3. As a temporary workaround, restrict access to the "/api/index.php/user/password/update" endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** novaGallery versions prior to 2.1.1 **Description** A path traversal issue in this PHP image gallery allows unauthenticated users to read image files located outside the intended gallery root directory. Path traversal is a flaw that lets an attacker manipulate file paths to access files and directories stored outside the web root folder. **Recommendations** Update to version 2.1.1.

**Name of the Vulnerable Software and Affected Versions** Scoold versions prior to 1.67.0 **Description** Scoold allows the modification of the admins configuration value via the "/api/config/set/admins" endpoint using a forged Bearer token that is accepted as an admin API token. This action writes a target email address to the application configuration file. While the change is not immediate because the `ADMINS` set is loaded at startup, a restart of the application results in the selected user being recognized as an administrator with access to the admin panel, providing a reliable persistence path. **Recommendations** Update to version 1.67.0.

**Name of the Vulnerable Software and Affected Versions** phpMyFAQ versions prior to 4.1.2 **Description** Insufficient authorization in 'admin-api' routes allows authenticated ordinary users to access administrative endpoints. The system only verifies login status without checking for backend privileges, enabling attackers with valid frontend accounts to access sensitive operational information, such as dashboard versions, LDAP configuration, Elasticsearch statistics, and health-check data. **Recommendations** Update to version 4.1.2 or later.

**Name of the Vulnerable Software and Affected Versions** Movary versions prior to 0.71.1 **Description** An authenticated user can trigger server-side requests to arbitrary internal targets via the '/settings/jellyfin/server-url-verify' endpoint. The application accepts a user-controlled URL, appends '/system/info/public', and sends an HTTP request using Guzzle. The lack of restrictions on internal hosts, loopback addresses, or private network ranges allows for Server-Side Request Forgery (SSRF), which is a flaw where a server is tricked into making requests to an unintended location. This can be used for internal reconnaissance, including host discovery, port-state probing, and service fingerprinting, and may allow access to internal administrative services or cloud metadata endpoints. **Recommendations** Update to version 0.71.1. As a temporary workaround, restrict access to the '/settings/jellyfin/server-url-verify' endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Movary versions prior to 0.71.1 **Description** An authenticated user can escalate their account privileges to administrator. This occurs because the endpoint '/settings/users/{userId}' allows the update of the `isAdmin` variable without performing an administrator authorization check, enabling users to modify their own profile settings to gain administrative access. **Recommendations** Update to version 0.71.1.

**Name of the Vulnerable Software and Affected Versions** Movary versions prior to 0.71.1 **Description** An authenticated user can access user-management endpoints, specifically '/settings/users', to enumerate all users and create a new administrator account. This occurs because route definitions lack admin-only middleware and the controller-level authorization check employs a broken boolean condition, allowing any user with a valid web session cookie to access restricted administrative functionality. **Recommendations** Update to version 0.71.1.