Lukasz-Rybak

**Name of the Vulnerable Software and Affected Versions** PlantUML Macro versions prior to 2.4.1 **Description** PlantUML Macro, used for rendering UML diagrams from textual schemes, contains a Server-Side Request Forgery (SSRF) flaw. The application fails to validate the URL provided through the `server` parameter, allowing an attacker to specify an internal IP address or a malicious external URL. Consequently, the XWiki server attempts to connect to the supplied URL to render the diagram. **Recommendations** Update to version 2.4.1.

**Name of the Vulnerable Software and Affected Versions** Dolibarr versions prior to 23.0.0 **Description** Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. An authenticated administrator can achieve remote code execution as the web server user by injecting arbitrary OS commands into the `MAIN ODT AS PDF` configuration constant. This occurs during the ODT to PDF conversion process in 'odf.php', where the constant is concatenated directly into a shell command passed to the `exec()` function without proper sanitization. Approximately 56.8K services are estimated to be affected worldwide. **Recommendations** Update to version 23.0.0. As a temporary workaround, restrict administrative access to the configuration settings for the `MAIN ODT AS PDF` constant to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** October versions prior to 3.7.13 October versions 4.0.0 through 4.1.4 **Description** A sandbox bypass exists in the optional Twig safe mode feature `CMS SAFE MODE`. Certain methods on the `collect()` helper were not properly restricted, allowing authenticated users with template editing permissions to bypass sandbox protections. This issue only affects installations where `CMS SAFE MODE` is enabled, which is disabled by default, and requires authenticated backend access with CMS template editing permissions. **Recommendations** Update versions prior to 3.7.13 to 3.7.13. Update versions 4.0.0 through 4.1.4 to 4.1.5. Disable `CMS SAFE MODE` if untrusted template editing is not required. Restrict CMS template editing permissions to fully trusted administrators only.

**Name of the Vulnerable Software and Affected Versions** OpenSTAManager versions prior to 2.9.9 **Description** OpenSTAManager is a management software for technical assistance and invoicing. The application does not properly sanitize user-supplied input from the `righe` GET parameter before reflecting it in HTML output. Specifically, the `$ GET['righe']` parameter is directly echoed into the HTML value attribute without sanitization, potentially allowing an attacker to inject arbitrary HTML or JavaScript. This is a Reflected Cross-Site Scripting (XSS) issue. **Recommendations** Versions prior to 2.9.9 should be updated.

**Name of the Vulnerable Software and Affected Versions** TypiCMS versions prior to 16.1.7 **Description** TypiCMS is a content management system built on the Laravel framework. A stored cross-site scripting (XSS) issue exists in the file upload functionality. The application permits users with file upload privileges to upload SVG files, but it does not properly sanitize the file content despite MIME type validation. An attacker can upload a malicious SVG file containing JavaScript code. When another user views the file, the script executes in their browser, potentially compromising their session. The vulnerability is not mitigated by a 500 error that can occur if the SVG file lacks a `viewBox` attribute, as attackers can include a valid `viewBox` attribute in their payload. **Recommendations** Update TypiCMS to version 16.1.7 or later.

**Name of the Vulnerable Software and Affected Versions** InvoicePlane versions through 1.6.3 **Description** InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A path traversal issue exists in the `get file` method of the `Guest` module's `Get` controller. This allows unauthenticated attackers to read arbitrary files on the server by manipulating the input filename. This can lead to the disclosure of sensitive information, including configuration files with database credentials. The vulnerable method is `get file` within the `Guest` module's `Get` controller. The input filename is the vulnerable parameter. **Recommendations** Update InvoicePlane to version 1.6.4 or later.

**Name of the Vulnerable Software and Affected Versions** OpenSTAManager versions 2.9.8 and earlier **Description** OpenSTAManager contains a critical Error-Based SQL Injection issue within the Scadenzario (Payment Schedule) module’s bulk operations handler. The application does not properly validate that elements within the `id records` array are integers before utilizing them in an SQL IN() clause. This allows attackers to inject arbitrary SQL commands and extract sensitive data through XPATH error messages. The vulnerable parameter is `id records[]` and is accessible through the `/actions.php?id module=18` API endpoint. The vulnerability stems from the application's failure to validate input types, specifically allowing non-integer values within the `id records` array to be directly concatenated into an SQL query without proper sanitization. This enables attackers to manipulate the SQL query and extract data, including user credentials, customer Personally Identifiable Information (PII), and financial records. **Recommendations** Versions prior to 2.9.8 should implement type validation on the `id records` array. Specifically, use `array map('intval', $id records)` to convert all array elements to integers and `array filter` to remove any non-positive IDs before using them in the SQL query.

**Name of the Vulnerable Software and Affected Versions** OpenSTAManager versions 2.9.8 and earlier **Description** OpenSTAManager contains a critical Error-Based SQL Injection issue within the Prima Nota (Journal Entry) module's add.php file. The application does not validate that comma-separated values received through the `id documenti` GET parameter are integers before utilizing them in SQL IN() clauses. This allows attackers to inject arbitrary SQL commands and extract sensitive data through XPATH error messages. The vulnerable parameter is `id documenti` and the affected API endpoint is `/modules/primanota/add.php`. The vulnerability resides in lines 63-67 and 306 of the add.php file. The application retrieves user-controlled URL parameters using the `get()` function, splits them by comma, and then concatenates the array elements directly into a SQL query without any type validation. This enables attackers to inject SQL code by providing a malicious payload to the `id documenti` parameter. **Recommendations** Versions prior to 2.9.8 should implement type validation for the `id documenti` parameter. Specifically, use `array map('intval', $id documenti)` to ensure all array elements are integers and `array filter($id documenti, fn($id) => $id > 0)` to remove zero or negative IDs.

**Name of the Vulnerable Software and Affected Versions** OpenSTAManager versions 2.9.8 and earlier **Description** OpenSTAManager contains a critical Time-Based Blind SQL Injection vulnerability in the article pricing completion handler. The application does not properly sanitize the `idarticolo` parameter before using it in SQL queries, allowing attackers to inject arbitrary SQL commands and extract sensitive data through time-based Boolean inference. The vulnerability exists in the `/ajax complete.php` file, specifically in the `/modules/articoli/ajax/complete.php` module. The vulnerable parameter is `idarticolo` within the GET request to the `/ajax complete.php?op=getprezzi` endpoint. The vulnerability allows authenticated attackers to extract complete database contents, including user credentials, customer data, and financial records. A proof-of-concept (PoC) demonstrates the extraction of the database name, admin username, and password hash. The root cause is the inconsistent use of the `prepare()` function, which is used to sanitize the `idanagrafica` parameter but not the `idarticolo` parameter. **Recommendations** Apply the fix to the `/modules/articoli/ajax/complete.php` file. Replace the vulnerable code with the corrected version, ensuring the `idarticolo` parameter is properly sanitized using the `prepare()` function before being used in SQL queries.

**Name of the Vulnerable Software and Affected Versions** OpenSTAManager versions 2.9.8 and earlier **Description** OpenSTAManager contains a critical Time-Based Blind SQL Injection vulnerability in the global search functionality. The application does not properly sanitize the `term` parameter before using it in SQL LIKE clauses across multiple module-specific search handlers, allowing attackers to inject arbitrary SQL commands and extract sensitive data through time-based Boolean inference. The vulnerability affects multiple search modules and has amplified execution, meaning a single malicious request can trigger SQL injection across all vulnerable modules simultaneously, increasing the delay and potentially causing server issues. The vulnerable parameter is `term` and is used in the `/ajax search.php` endpoint. Affected modules include Articoli, Ordini, DDT, Fatture, Preventivi, Anagrafiche, Impianti, Contratti, Automezzi, and Interventi. The vulnerability allows for complete database exfiltration, including customer Personally Identifiable Information (PII), financial records, and business secrets, as well as the extraction of password hashes. **Recommendations** Replace all instances of direct `$term` concatenation with `prepare()` in the following files: - `/modules/articoli/ajax/search.php` - Line 51 - `/modules/ordini/ajax/search.php` - Lines 43, 47, 79 - `/modules/ddt/ajax/search.php` - Lines 43, 47, 83 - `/modules/fatture/ajax/search.php` - Lines 45, 49, 85 - `/modules/preventivi/ajax/search.php` - Lines 45, 49, 83 - `/modules/anagrafiche/ajax/search.php` - Lines 62, 107, 162 - `/modules/impianti/ajax/search.php` - Line 46

**Name of the Vulnerable Software and Affected Versions** FacturaScripts versions prior to 2025.81 **Description** FacturaScripts, an open-source enterprise resource planning and accounting software, contains a critical SQL injection issue in its REST API. Authenticated API users can execute arbitrary SQL queries through the `sort` parameter. The issue resides in the `getOrderBy()` method of the `ModelClass`, where user-supplied sorting parameters are directly incorporated into the SQL ORDER BY clause without proper validation or sanitization. This impacts all API endpoints that support sorting functionality. **Recommendations** Update to version 2025.81 or later.

**Name of the Vulnerable Software and Affected Versions** FacturaScripts versions prior to 2025.81 **Description** FacturaScripts is enterprise resource planning and accounting software. Versions prior to 2025.81 contain a critical SQL injection issue in the autocomplete functionality. Authenticated attackers can extract sensitive data from the database, including user credentials, configuration settings, and business data. The issue is located in the `CodeModel::all()` method, where user-supplied parameters are directly concatenated into SQL queries without proper sanitization or parameterized binding. **Recommendations** Update to version 2025.81 or later.

**Name of the Vulnerable Software and Affected Versions** EGroupware versions prior to 23.1.20260113 EGroupware versions prior to 26.0.20260113 **Description** EGroupware is a web-based groupware server written in PHP. A SQL Injection issue exists in the core components of EGroupware, specifically in the `Nextmatch` filter processing. Authenticated attackers can inject arbitrary SQL commands into the `WHERE` clause of database queries. This is possible due to a PHP type juggling issue where JSON decoding converts numeric strings into integers, bypassing the `is int()` security check. The vulnerable component is the `Nextmatch` filter. **Recommendations** Update EGroupware to version 23.1.20260113 or later. Update EGroupware to version 26.0.20260113 or later.

**Name of the Vulnerable Software and Affected Versions** Saleor versions 3.0.0 through 3.20.107 Saleor versions 3.21.0 through 3.21.42 Saleor versions 3.22.0 through 3.22.26 **Description** Saleor, an e-commerce platform, permitted authenticated staff users or Apps to upload arbitrary files, including potentially malicious HTML and SVG files containing Javascript. If media files are hosted on the same domain as the dashboard, these files could be served without restrictions, leading to the execution of malicious scripts within the user's browser. A malicious staff member could potentially inject scripts to target other staff members, potentially compromising their access and refresh tokens. The issue is present when media files are not served with a `Content-Disposition: attachment` header. Saleor Cloud users are not affected. The vulnerable API endpoint is not specified. The vulnerable parameter is not specified. The vulnerable function is not specified. **Recommendations** Saleor versions 3.0.0 through 3.20.107: Upgrade to version 3.20.108 or later. Saleor versions 3.21.0 through 3.21.42: Upgrade to version 3.21.43 or later. Saleor versions 3.22.0 through 3.22.26: Upgrade to version 3.22.27 or later. Configure servers hosting media files to return the `Content-Disposition: attachment` header. Prevent servers from serving HTML and SVG files. Implement a `Content-Security-Policy` for media files, such as `Content-Security-Policy: default-src 'none'; base-uri 'none'; frame-ancestors 'none'; form-action 'none';`.

**Name of the Vulnerable Software and Affected Versions** Saleor versions 3.0.0 through 3.20.107 Saleor versions 3.21.0 through 3.21.42 Saleor versions 3.22.0 through 3.22.26 **Description** Saleor, an e-commerce platform, permitted modification of rich text fields with HTML without backend sanitization. This allowed malicious actors to execute stored cross-site scripting (XSS) attacks on both dashboards and storefronts. Specifically, malicious staff members could inject scripts to target other staff members, potentially compromising their access and refresh tokens. The issue impacts the ability to properly handle HTML input in rich text fields, potentially leading to unauthorized code execution within the platform. **Recommendations** Upgrade to Saleor version 3.20.108 or later. Upgrade to Saleor version 3.21.43 or later. Upgrade to Saleor version 3.22.27 or later. As a temporary workaround, implement a client-side HTML cleaner.

**Name of the Vulnerable Software and Affected Versions** Shopware versions 6.7.0.0 through 6.7.6.0 **Description** The software contains a flaw due to a regression of a previous fix, allowing the execution of unchecked PHP Closures within the `map()` override function. This could potentially lead to remote code execution. The issue stems from an insufficient allow list check for PHP Closures used in the `map()` function. **Recommendations** Update to version 6.7.6.1 or later. Install the security plugin.

**Name of the Vulnerable Software and Affected Versions** REDAXO versions prior to 5.20.2 **Description** REDAXO is a PHP-based content management system. Authenticated users with backup permissions can read arbitrary files within the webroot due to a path traversal issue in the Backup addon’s file export functionality. The Backup addon does not validate the `EXPDIR` POST parameter against a permitted directory allowlist. An attacker can use relative paths containing `../` sequences, or even absolute paths within the document root, to include any readable file in a generated `.tar.gz` archive. The `EXPDIR` parameter is vulnerable to path traversal. **Recommendations** Versions prior to 5.20.2 should be updated to version 5.20.2 or later.

**Name of the Vulnerable Software and Affected Versions** ChurchCRM versions prior to 6.5.3 **Description** ChurchCRM is an open-source church management system with a SQL Injection issue present in a legacy endpoint. The vulnerability exists in the `/Reports/ConfirmReportEmail.php` endpoint and is exploitable through the `familyId` parameter. Any authenticated user, even with limited permissions, can trigger the SQL injection. The vulnerable code, though removed from the user interface, remains accessible directly via URL, representing a case of 'dead but reachable code'. **Recommendations** Update to version 6.5.3 or later.

**Name of the Vulnerable Software and Affected Versions** ChurchCRM versions prior to 6.5.3 **Description** ChurchCRM is an open-source church management system. A flaw exists where an authenticated user with specific permissions ("Edit Records" and "Manage Properties and Classifications") can inject a persistent Cross-Site Scripting (XSS) payload into an administrator's profile. This payload executes when an administrator views their profile, potentially allowing an attacker to hijack the administrator’s session and perform administrative actions, leading to a full account takeover. The issue is a result of an Insecure Direct Object Reference (IDOR) allowing unauthorized profile viewing, combined with a Broken Access Control vulnerability permitting modification of user record properties. **Recommendations** Versions prior to 6.5.3 should be updated to version 6.5.3 or later.

**Name of the Vulnerable Software and Affected Versions** ChurchCRM versions 6.4.0 and prior **Description** ChurchCRM is an open-source church management system affected by a stored cross-site scripting (XSS) issue. A user with the “Manage Groups” permission can inject persistent JavaScript into group role names. This malicious code is stored in the database and executed when any user views pages displaying that role, such as `GroupView.php` or `PersonView.php`. This can lead to full session hijacking and account takeover. The vulnerability impacts the display of group roles, potentially affecting any page that renders this information. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.