Mr-In4Inci3Le

**Name of the Vulnerable Software and Affected Versions** RustFS versions prior to 1.0.0-beta.2 **Description** Improper validation in the 'PUT /rustfs/admin/v3/import-iam' endpoint allows a user with ImportIAMAction to create service accounts under arbitrary parent identities, including the root user (minioadmin). The endpoint accepts attacker-controlled `parent`, `claims`, `accessKey`, and `secretKey` values without enforcing privilege boundaries or sanitization. This enables privilege escalation to full administrative access through the use of a persistent, attacker-defined credential. **Recommendations** Update to version 1.0.0-beta.2. As a temporary workaround, restrict access to the 'PUT /rustfs/admin/v3/import-iam' endpoint or limit the assignment of ImportIAMAction permissions.

**Name of the Vulnerable Software and Affected Versions** RustFS versions prior to 1.0.0-beta.2 **Description** Improper authorization in the `UploadPartCopy` operation allows copying objects across buckets without enforcing destination bucket restrictions on allowed copy sources. The system validates `GetObject` permission on the source bucket and `PutObject` on the destination bucket independently, but fails to enforce policy constraints regarding whether the destination bucket permits the specified copy source, enabling unauthorized cross-bucket data movement. **Recommendations** Update to version 1.0.0-beta.2.

**Name of the Vulnerable Software and Affected Versions** RustFS versions prior to 1.0.0-beta.2 **Description** The admin router explicitly whitelists the endpoints "/profile/cpu" and "/profile/memory" from the authentication layer, allowing unauthenticated HTTP clients to invoke profiling handlers. On supported builds, such as glibc, the handler triggers a 60-second CPU profiling operation via the `dump cpu pprof for(Duration::from secs(60))` function. This can lead to significant CPU resource consumption and a potential denial of service. Furthermore, the handler discloses the server's absolute filesystem path in the response body. **Recommendations** Update to version 1.0.0-beta.2.

**Name of the Vulnerable Software and Affected Versions** Nuxt versions 3.4.3 through 3.21.5 Nuxt versions 4.0.0-alpha.1 through 4.4.5 **Description** When using the `navigateTo()` function with the `external: true` option, the software generates a server-side HTML redirect body containing a `<meta http-equiv="refresh">` tag. The destination URL is insufficiently sanitized, as only double quotes are replaced with `%22`, while characters such as `<`, `>`, `&`, and `'` remain unencoded. An attacker who can influence the URL passed to `navigateTo(url, { external: true })` can break out of the `content` attribute to inject arbitrary HTML or JavaScript. This results in reflected cross-site scripting (XSS), where the injected script executes under the application's origin during the server-rendered redirect response. This typically occurs in applications that pass user-controlled input, such as `?next=` or `?redirect=` query parameters, to the `navigateTo()` function. **Recommendations** Update Nuxt to version 3.21.6 or later. Update Nuxt to version 4.4.6 or later. As a temporary workaround, validate user-controlled URLs before passing them to the `navigateTo()` function by normalizing them through `new URL(input).toString()` and rejecting any inputs containing `<` or `>` characters.