Mdisec

**Name of the Vulnerable Software and Affected Versions** CloudNativePG versions prior to 1.28.3 CloudNativePG versions prior to 1.29.1 **Description** The metrics exporter in CloudNativePG opens a PostgreSQL connection as the `postgres` superuser via the pod-local Unix socket and subsequently demotes the session using `SET ROLE pg monitor`. Because `SET ROLE` only modifies the `current user` while the `session user` remains `postgres`, any SQL expression evaluated during a scrape session can execute `RESET ROLE` to recover superuser privileges. An attacker can then use the `COPY ... TO PROGRAM` command to spawn an OS-level subprocess as the `postgres` user within the primary pod. The `READ ONLY` transaction flag does not prevent this as it only restricts writes to the database state, not external processes. There are two primary exploitation paths: 1. Custom metric queries using unqualified identifiers: A user owning a schema on the `search path` can plant a shadow object. When the exporter evaluates the query, the shadow expression executes with superuser privileges. 2. Default monitoring configuration: The `pg extensions` metric in `default-monitoring.yaml` used an unqualified `current database()` call across all target databases. Any non-superuser owning a user database could shadow this function to trigger the escalation. This allows a low-privileged database role to escalate to PostgreSQL superuser and achieve remote code execution (RCE) as the `postgres` user inside the primary pod. **Recommendations** Upgrade to version 1.28.3 or 1.29.1. As a temporary workaround, schema-qualify all identifiers in custom metric queries by using explicit `pg catalog.` prefixes for all catalog functions and views. Restrict database ownership to ensure only fully trusted roles own user databases in scraped clusters. Limit the scope of `target databases: '*'` queries to specific, known-safe databases. Avoid exposing metric query SQL to untrusted users.

prompts.chat prior to commit 1464475 contains a blind server-side request forgery vulnerability in the Wiro media generator that allows authenticated users to perform server-side fetches of user-controlled inputImageUrl parameters. Attackers can exploit this vulnerability by sending POST requests to the /api/media-generate endpoint to probe internal networks, access internal services, and exfiltrate data through the upstream Wiro service without receiving direct response bodies.

Name of the Vulnerable Software and Affected Versions prompts.chat versions prior to commit 0f8d4c3 Description prompts.chat before commit 0f8d4c3 has a path traversal flaw in how it handles skill files. Attackers can create malicious ZIP archives with filenames containing path traversal sequences, like `../`, to write arbitrary files to the client system. The lack of server-side filename validation allows attackers to inject these sequences. Extracting these archives with vulnerable tools can lead to files being written outside the intended directory, potentially overwriting shell initialization files and achieving code execution. Recommendations Update prompts.chat to commit 0f8d4c3 or later.

**Name of the Vulnerable Software and Affected Versions** prompts.chat versions prior to commit 30a8f04 **Description** An issue in the Fal.ai media status polling feature allows authenticated users to perform arbitrary outbound requests. By supplying attacker-controlled URLs in the `token` parameter, the lack of URL validation can be exploited to disclose the `FAL API KEY` within the Authorization header. This can lead to credential theft, internal network probing, and unauthorized abuse of the victim's Fal.ai account. Server-side request forgery is a flaw where a server is tricked into making requests to an unintended location. **Recommendations** Update prompts.chat to commit 30a8f04 or a later version. Avoid using the `token` parameter in the Fal.ai media status polling feature until the update is applied.

Name of the Vulnerable Software and Affected Versions prompts.chat versions prior to commit 1464475 Description prompts.chat is susceptible to an identity confusion issue stemming from inconsistent case sensitivity in username handling during write and read operations. This allows attackers to create usernames that differ only in case, bypassing uniqueness checks. Successful exploitation enables attackers to impersonate legitimate users, replace profile content associated with canonical URLs, and inject malicious metadata and content into the platform. Recommendations Update prompts.chat to a version after commit 1464475.

**Name of the Vulnerable Software and Affected Versions** Mailpit versions prior to 1.28.3 **Description** Mailpit, an email testing tool and API for developers, contains a Server-Side Request Forgery (SSRF) issue. This flaw is related to the HTML Check CSS Download functionality, specifically within the HTML Check feature accessible via the `/api/v1/message/{ID}/html-check` API endpoint. The `inlineRemoteCSS()` function automatically downloads CSS files from external sources specified in `<link rel="stylesheet" href="...">` tags during HTML analysis. This process can be exploited to trigger requests to unintended locations. **Recommendations** Update to Mailpit version 1.28.3 or later.

**Name of the Vulnerable Software and Affected Versions** PostHog (affected versions not specified) **Description** The issue concerns a SQL injection vulnerability in PostHog's ClickHouse table functions, potentially leading to remote code execution. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PostHog versions (affected versions not specified) **Description** The issue concerns a Server-Side Request Forgery (SSRF) and Information Disclosure vulnerability. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PostHog (affected versions not specified) **Description** The issue is related to a Server-Side Request Forgery (SSRF) and Information Disclosure vulnerability in the database schema of PostHog. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Arista NG Firewall (affected versions not specified) **Description** This issue allows remote attackers to create arbitrary files and disclose sensitive information on affected installations of Arista NG Firewall. Authentication is required to exploit this issue. The specific flaw exists within the ReportEntry class and results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the www-data user. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Arista NG Firewall (affected versions not specified) **Description** This issue allows remote attackers to execute arbitrary code on affected installations of Arista NG Firewall. Authentication is not required to exploit this issue. The specific flaw exists within the implementation of the `custom handler` method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this issue to execute code in the context of the `www-data` user. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Arista NG Firewall (affected versions not specified) **Description** This issue allows local attackers to escalate privileges on affected installations of Arista NG Firewall. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this issue. The specific flaw exists within the `uvm login` module. The issue results from incorrect authorization. An attacker can leverage this to escalate privileges to resources normally protected from the user. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Arista NG Firewall (affected versions not specified) **Description** This issue allows remote attackers to execute arbitrary code on affected installations of Arista NG Firewall. Authentication is required to exploit this issue. The specific flaw exists within the ExecManagerImpl class, resulting from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this issue to execute code in the context of root. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** PostHog (affected versions not specified) **Description** This issue allows remote attackers to disclose sensitive information on affected installations of PostHog. Authentication is required to exploit this issue. The specific flaw exists within the implementation of the `database schema` method, resulting from the lack of proper validation of a URI prior to accessing resources. An attacker can leverage this issue to execute code in the context of the service account. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this issue.

Name of the Vulnerable Software and Affected Versions: Cohesive Networks VNS3 (affected versions not specified) Description: This issue allows remote attackers to execute arbitrary code on affected installations of Cohesive Networks VNS3. Authentication is required to exploit this issue. The specific flaw exists within the web service, which listens on TCP port 8000 by default. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this issue to execute code in the context of root. Recommendations: At the moment, there is no information about a newer version that contains a fix for this issue.

Name of the Vulnerable Software and Affected Versions: Cohesive Networks VNS3 (affected versions not specified) Description: This issue allows remote attackers to execute arbitrary code on affected installations of Cohesive Networks VNS3. Authentication is required to exploit this issue. The specific flaw exists within the web service, which listens on TCP port 8000 by default. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this issue to execute code in the context of root. Recommendations: At the moment, there is no information about a newer version that contains a fix for this issue.

Name of the Vulnerable Software and Affected Versions: Cohesive Networks VNS3 (affected versions not specified) Description: This issue allows remote attackers to execute arbitrary code on affected installations of Cohesive Networks VNS3. Authentication is not required to exploit this issue. The specific flaw exists within the web service, which listens on TCP port 8000 by default. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this issue to execute code in the context of root. Recommendations: At the moment, there is no information about a newer version that contains a fix for this issue.

Name of the Vulnerable Software and Affected Versions: Cohesive Networks VNS3 (affected versions not specified) Description: This issue allows remote attackers to execute arbitrary code on affected installations of Cohesive Networks VNS3. Authentication is not required to exploit this issue. The specific flaw exists within the web service, which listens on TCP port 8000 by default. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this issue to execute code in the context of root. Recommendations: At the moment, there is no information about a newer version that contains a fix for this issue.

Name of the Vulnerable Software and Affected Versions: Logsign Unified SecOps Platform (affected versions not specified) Description: This issue allows remote attackers to execute arbitrary code on affected installations of Logsign Unified SecOps Platform. Although authentication is required to exploit this issue, the existing authentication mechanism can be bypassed. The specific flaw exists within the implementation of the HTTP API, resulting from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this issue to execute code in the context of root. Recommendations: At the moment, there is no information about a newer version that contains a fix for this issue.

Name of the Vulnerable Software and Affected Versions: Logsign Unified SecOps Platform (affected versions not specified) Description: The issue is related to an authentication bypass vulnerability in the Logsign Unified SecOps Platform. This vulnerability allows remote attackers to bypass authentication on affected installations. The specific flaw exists within the password reset mechanism, which lacks restriction of excessive authentication attempts. An attacker can leverage this vulnerability to reset a user's password and bypass authentication on the system. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.