Ktg9

Name of the Vulnerable Software and Affected Versions: PatrOwl versions prior to 1.77 Description: The issue is related to improper privilege management in PatrowlManager, allowing unlogged-in users to download all finding import files. The files are stored under `/media/imports/<owner id>/<tmp file>`, where `owner id` is predictable and `tmp file` follows a predictable format, such as `import <owner id> <time created>`. This predictability enables unauthorized access to the files. Recommendations: Update to version 1.7.7 as soon as possible. As a temporary workaround, consider restricting access to the `/media/imports/` directory until the update is applied. Avoid using predictable filenames for import files until the issue is resolved. There are no known workarounds other than updating to the fixed version.

Name of the Vulnerable Software and Affected Versions: PatrOwl versions prior to 1.7.7 Description: The issue affects PatrOwl, a free and open-source solution for orchestrating Security Operations. In affected versions, PatrowlManager handles upload files in the findings import feature without proper restrictions. This allows for the upload of dangerous file types to the server, potentially leading to XSS attacks and other forms of code injection. Recommendations: For versions prior to 1.7.7, update to version 1.7.7 as soon as possible to resolve the issue. At the moment, there is no information about other workarounds for this issue.