Marduc812

**Name of the Vulnerable Software and Affected Versions** Portainer Community Edition versions 2.33.0 through 2.33.7 Portainer Community Edition versions 2.39.0 through 2.39.1 Portainer Community Edition versions prior to 2.41.0 **Description** Portainer includes a security setting to disable bind mounts for non-administrators, intended to prevent regular users from binding host paths into containers via the Portainer-mediated Docker API. However, the enforcement mechanism only inspected the `HostConfig.Binds` array and ignored the equivalent `HostConfig.Mounts` array. Since both fields are interchangeable on the Docker daemon, an authenticated user with container-creation rights can bypass this restriction by submitting a `bind`-typed entry under `HostConfig.Mounts` at the 'POST /containers/create' endpoint. This allows the user to mount any host path into their container, potentially gaining read or write access to the host filesystem as the Docker daemon user (typically `root`). This can lead to the exposure of sensitive files, compromise of other containers on the same host, or full Docker API access if the Docker socket is mounted. **Recommendations** Update Portainer Community Edition versions 2.33.0 through 2.33.7 to 2.33.8. Update Portainer Community Edition versions 2.39.0 through 2.39.1 to 2.39.2. Update Portainer Community Edition versions prior to 2.41.0 to 2.41.0. Revoke container-create rights from non-administrator accounts on affected environments. Segregate tenants by environment to provide stronger control than the bind-mount toggle.

**Name of the Vulnerable Software and Affected Versions** Magic Wormhole versions prior to 0.24.0 **Description** A path traversal issue exists when a receiver uses the `--output <dir>` option and the specified output directory already exists on the system. Path traversal is a flaw that allows an attacker to access files or directories outside the intended folder by using special characters like dot-dot-slash (../). **Recommendations** Update to version 0.24.0. Ensure local target directories specified by `--output` do not already exist.

**Name of the Vulnerable Software and Affected Versions** PhpSpreadsheet versions prior to 1.30.4 PhpSpreadsheet versions 2.0.0 through 2.1.15 PhpSpreadsheet versions 2.2.0 through 2.4.4 PhpSpreadsheet versions 3.3.0 through 3.10.4 PhpSpreadsheet versions 4.0.0 through 5.6.0 **Description** The HTML Writer skips `htmlspecialchars()` output escaping when a cell uses a custom number format containing the `@` text placeholder combined with additional literal text (e.g., `@ "items"`). This occurs because the formatter substitutes the raw cell value into the format string and returns early, bypassing the escaping callback. Consequently, an attacker who can control cell content in a spreadsheet processed by the HTML Writer can inject arbitrary HTML and JavaScript into the generated output. **Recommendations** Update to version 1.30.4 for versions prior to 1.30.4. Update to version 2.1.16 for versions 2.0.0 through 2.1.15. Update to version 2.4.5 for versions 2.2.0 through 2.4.4. Update to version 3.10.5 for versions 3.3.0 through 3.10.4. Update to version 5.7.0 for versions 4.0.0 through 5.6.0.

Name of the Vulnerable Software and Affected Versions: goshs versions 1.0.7 through 2.0.0-beta.4 Description: goshs is a SimpleHTTPServer written in Go. The SFTP command rename sanitizes only the source path and not the destination, allowing a write outside of the root directory of the SFTP. This can be used for file write, potentially leading to remote code execution by overwriting SSH keys or configuration files. Recommendations: Update to goshs version 2.0.0-beta.4 or later.

**Name of the Vulnerable Software and Affected Versions** goshs versions 1.1.0 through 2.0.0-beta.2 **Description** goshs, a SimpleHTTPServer written in Go, has a flaw where the `Share Token` mechanism can be bypassed. This bypass allows unauthorized access to all goshs functionalities, including code execution. Specifically, the `BasicAuthMiddleware` incorrectly prioritizes the `?token=` parameter check before credential verification. If a valid token exists in `SharedLinks`, the request bypasses authentication entirely, even if the `?ws` (WebSocket) parameter is present. This allows an attacker to access features intended to be restricted, such as directory listing, file deletion, clipboard access, WebSocket connections, and CLI command execution. A proof-of-concept (PoC) demonstrates the ability to execute commands like `id` and `cat /etc/passwd` without authentication using a share token. **Recommendations** Update goshs to version 2.0.0-beta.2 or later.