Morimori-Dev

**Name of the Vulnerable Software and Affected Versions** Budibase versions prior to 3.34.8 **Description** An authenticated user can trigger server-side requests to internal network addresses. This occurs because the `processUrlFile()` function in `packages/server/src/automations/steps/ai/extract.ts` uses `fetch(fileUrl)` directly, bypassing the IP blacklist validation applied to other automation steps. This allows access to cloud metadata endpoints, internal network scanning, and access to internal APIs. The `fileUrl` variable is the vulnerable parameter used to initiate these requests. **Recommendations** Update to version 3.34.8. As a temporary workaround, restrict the use of the AI Extract File step with the source set to URL until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Wallos versions prior to 4.8.1 **Description** Authenticated users can perform Blind Server-Side Request Forgery (SSRF) to internal services in Tailscale, Carrier-Grade NAT (CGNAT), and other environments using 100.64.0.0/10 addresses. This occurs because the logo and icon URL fetching mechanisms use an inline IP validation check that fails to block CGNAT addresses, despite a helper function `is cgnat ip()` being available in the system. The issue affects the 'endpoints/subscription/add.php' and 'endpoints/payments/add.php' endpoints. **Recommendations** Update to version 4.8.1.

**Name of the Vulnerable Software and Affected Versions** Gotenberg versions 8.30.1 and earlier **Description** Gotenberg is an API-based document conversion tool. The default private-IP deny-lists for the `--webhook-deny-list` and `--api-download-from-deny-list` flags use a case-sensitive regular expression to match URL schemes. Because the `net/url.Parse()` function normalizes the scheme to lowercase before establishing an outbound TCP connection, an attacker can bypass the deny-list by capitalizing part of the URL scheme (e.g., `HTTP://`, `HTTPS://`, or `Http://`). This allows unauthenticated requests to reach internal network services, including private IP ranges, loopback addresses, and cloud instance metadata endpoints. The issue involves the `FilterDeadline()` function and specific logic within `pkg/modules/webhook/webhook.go` and `pkg/modules/api/api.go`. **Recommendations** Update Gotenberg to version 8.31.0.

**Name of the Vulnerable Software and Affected Versions** Gotenberg versions 8.x through 8.30.1 **Description** An improper input validation issue exists in the metadata write endpoint '/forms/pdfengines/metadata/write'. While metadata keys are validated, metadata values are passed unsanitized to the `WriteMetadata()` function. An attacker can inject a newline character (` `) into a metadata value to split the ExifTool stdin line, allowing the injection of arbitrary ExifTool pseudo-tags such as `-FileName`, `-Directory`, `-SymLink`, and `-HardLink`. This can enable an unauthenticated attacker to rename or move processed PDFs to arbitrary paths in the container filesystem, overwrite system files, or create symlinks and hard links at arbitrary paths. **Recommendations** Upgrade to version 8.31.0. As a temporary workaround, restrict access to the '/forms/pdfengines/metadata/write' endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** YesWiki versions prior to 4.6.1 **Description** The bazar module contains a SQL injection flaw in the `tools/bazar/services/EntryManager.php` file. The issue occurs because the `id fiche` value, sourced from the `$ POST['id fiche']` variable, is concatenated directly into a raw SQL query without sanitization or parameterization. This allows an authenticated user to execute arbitrary SQL commands via the '/api/entries/{formId}' endpoint by manipulating the `id fiche` parameter. The vulnerability is triggered within the `create()` function, which calls `formatDataBeforeSave()`, eventually passing the unsanitized input to the `loadSingle()` function. **Recommendations** Update to version 4.6.1. As a temporary workaround, restrict access to the '/api/entries/{formId}' endpoint or avoid using the `id fiche` parameter until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Chamilo version 2.0.0-RC.2 **Description** An issue exists in the statistics AJAX endpoint where the `date start` and `date end` parameters in the `users active` action within the 'public/main/inc/ajax/statistics.ajax.php' file are not sanitized. These parameters are directly interpolated into a SQL query, allowing an authenticated admin to perform time-based blind SQL injection to extract arbitrary data from the database. **Recommendations** Update to version 2.0.0.

Name of the Vulnerable Software and Affected Versions Cronicle versions prior to 0.9.111 Description Cronicle is a multi-server task scheduler and runner with a web-based front-end UI. A non-admin user with `create events` and `run events` privileges can inject arbitrary JavaScript through job output fields, including `html.content`, `html.title`, `table.header`, `table.rows`, and `table.caption`. The server stores this data without sanitization, and the client renders it via `innerHTML` on the Job Details page. Recommendations Update to version 0.9.111 or later.

Name of the Vulnerable Software and Affected Versions LinkAce versions prior to 2.5.4 Description LinkAce, a self-hosted archive for website links, has an issue where the `LinkRepository::update` and `CheckLinksCommand::checkLink` functions do not validate private IP addresses. An authenticated user can potentially access responses from internal services, such as AWS IMDSv1, cloud metadata, and internal APIs, by creating a link with a public URL and modifying it to use a private IP. The `links:check` cron job performs server-side requests without IP filtering, which can expose cloud credentials, internal service data, and network topology. Recommendations Update to version 2.5.4 or later.

Name of the Vulnerable Software and Affected Versions OpenObserve versions prior to 0.70.4 Description OpenObserve, a cloud-native observability platform, has an issue where the `validate enrichment url` function in `src/handler/http/request/enrichment table/mod.rs` does not properly block IPv6 addresses. The Rust url crate returns IPv6 addresses with surrounding brackets (e.g., '[::1]' instead of '::1'). This allows an authenticated attacker to access internal services that are blocked from external access. In cloud deployments, this can lead to the retrieval of IAM credentials via AWS IMDSv1 (169.254.169.254), GCP metadata, or Azure IMDS. In self-hosted deployments, it allows probing of internal network services. Recommendations Update to version 0.70.4 or later.

Name of the Vulnerable Software and Affected Versions Cronicle versions prior to 0.9.111 Description Cronicle is a multi-server task scheduler and runner with a web-based front-end UI. Before version 0.9.111, job (jb) child processes could include an `update event` key in their JSON output. The server applied this directly to the parent event’s stored configuration without authorization checks. A low-privilege user capable of creating and running events could modify any event property, including webhook URLs and notification emails. Recommendations Update to version 0.9.111 or later.

**Name of the Vulnerable Software and Affected Versions** pyLoad versions 0.5.0b3.dev96 and earlier **Description** pyLoad, a Python-based download manager, has an issue in the `parse urls` API function located in `src/pyload/core/api/ init .py`. This function retrieves URLs server-side using `get url(url)` (pycurl) without validating the URL, restricting protocols, or implementing an IP blacklist. An authenticated user with ADD permission can make HTTP/HTTPS requests to internal network resources and cloud metadata endpoints. They can also read local files via the `file://` protocol, interact with internal services using `gopher://` and `dict://` protocols, and enumerate file existence through an error-based oracle. The `get url()` function is used without any restrictions, allowing access to various protocols and internal resources. **Recommendations** Restrict allowed protocols and validate target addresses. Implement a function like ` is safe url()` to check if the URL scheme is 'http' or 'https', and verify that the hostname resolves to a non-private, non-loopback, and non-reserved IP address before making the request.

**Name of the Vulnerable Software and Affected Versions** Nautobot versions prior to 2.4.30 Nautobot versions prior to 3.0.10 **Description** The application fails to enforce password validation rules defined by Django's `AUTH PASSWORD VALIDATORS` setting when creating or editing users via the REST API. This setting, configurable in `nautobot config.py`, can be used to apply various password complexity rules. The issue allows for the creation or modification of user accounts with weak or non-compliant passwords. User management through the admin UI correctly enforces password validation. The vulnerable component is the REST API used for user creation and editing. The affected API endpoints are those used for user creation and modification. The `AUTH PASSWORD VALIDATORS` variable is central to the issue. **Recommendations** Versions prior to 2.4.30 should be updated to version 2.4.30 or later. Versions prior to 3.0.10 should be updated to version 3.0.10 or later. Review user permissions for accounts with access to create and modify user accounts via the REST API and restrict access as appropriate. Consider rotating passwords for user accounts suspected of having weak passwords.

**Name of the Vulnerable Software and Affected Versions** Invoice Ninja versions 5.13.0 through 5.13.3 **Description** Invoice Ninja, an invoice, quote, project, and time-tracking application built with Laravel, has an issue where the product notes fields in versions 5.13.0 through 5.13.3 allow raw HTML through Markdown rendering, potentially leading to stored cross-site scripting (XSS). The Markdown parser's output was not properly sanitized using the `purify::clean()` function before being included in invoice templates. This could allow an attacker to inject malicious code into the system. **Recommendations** Update to version 5.13.4 or later.

**Name of the Vulnerable Software and Affected Versions** Lychee versions prior to 7.5.3 **Description** Lychee is a free, open-source photo-management tool. Before version 7.5.3, the photo `description` field was stored without HTML sanitization and rendered using `{!! $item->summary !!}` (Blade unescaped output) in the RSS, Atom, and JSON feed templates. The `/feed` API endpoint is publicly accessible without authentication, allowing any RSS reader to execute attacker-controlled JavaScript. **Recommendations** Update to version 7.5.3 or later.

**Name of the Vulnerable Software and Affected Versions** Lychee versions prior to 7.5.2 **Description** Lychee is a free, open-source photo-management tool. Prior to version 7.5.2, the Server-Side Request Forgery (SSRF) protection in `PhotoUrlRule.php` could be bypassed using DNS rebinding. The IP validation check (lines 86-89) only activates when the hostname is an IP address. When a domain name is used, `filter var($host, FILTER VALIDATE IP)` returns `false`, skipping the entire check. This allows for potential unauthorized access or actions through the vulnerable application. **Recommendations** Update to Lychee version 7.5.2 or later.

**Name of the Vulnerable Software and Affected Versions** Invoice Ninja versions 5.13.0 through 5.13.3 **Description** Invoice Ninja allows for the execution of stored cross-site scripting (XSS) payloads through invoice line item descriptions in versions 5.13.0 through 5.13.3. The line item description field did not undergo proper sanitization using `purify::clean()` before rendering, enabling attackers to inject malicious code. An attacker, any authenticated user capable of creating invoices, can exploit this to target any user viewing the invoice, including clients accessing the portal. Potential consequences include session hijacking, account takeover, and data exfiltration. The vulnerable parameter is the line item description field. The vulnerable function is the rendering process of invoices in the PDF preview and client portal. **Recommendations** Upgrade to version 5.13.4 or later to benefit from the fix, which implements `purify::clean()` to sanitize line item descriptions.