N-Thumann

Rank #7029 of 53,630
Total CVSS: 38.8
Vulnerabilities · 5 (Medium: 2, High: 3)
PT-2024-35095
8.6
2024-11-12
Zoraxy · Zoraxy · CVE-2024-52010
**Name of the Vulnerable Software and Affected Versions**
Zoraxy versions 2.6.1 through 3.1.2

**Description**
A command injection vulnerability in the Web SSH feature allows an authenticated attacker to execute arbitrary commands as root on the host.

Zoraxy's Web SSH terminal lets authenticated users open SSH connections to remote servers from the browser. The request to create such a session is handled by the `HandleCreateProxySession` function, which assembles the `sshCommand` string from the supplied hostname, port and username. Hostname and port are validated, but `username` is neither validated nor sanitized, so an attacker can place shell metacharacters in it to escape the bash command and append arbitrary commands to `sshCommand`.

Two deployment patterns widen the impact. If the management interface runs without authentication, the vulnerability is exploitable without credentials. If Zoraxy runs in Docker with the Docker socket mounted, the injected commands can drive the Docker daemon, escape the Zoraxy container and reach the Docker host.

**Recommendations**
For Zoraxy versions 2.6.1 through 3.1.2, update to a version that contains a fix for this vulnerability. Until the update is applied: disable the Web SSH feature; restrict access to the API endpoint served by `HandleCreateProxySession`; and do not pass the `username` parameter to that endpoint. If running Zoraxy in Docker, do not mount the Docker socket into the container, so that an injection cannot turn into a container escape. If the management interface runs without authentication, enable authentication to prevent unauthenticated access.
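The pattern the advisory describes, validated host and port next to an unvalidated username pasted into one shell string, can be shown offline. The following is an added illustration written for this page, not Zoraxy's code: `fakeSSH`, `hostnameRe`, `usernameRe` and the function names are assumptions, and `echo` stands in for `ssh` so nothing connects anywhere. It builds the vulnerable command line, runs it through `/bin/sh -c` to show that a username of `x'; echo INJECTED; #` executes a second command, and then shows the hardened form: an allow-list on the username and an argv slice handed to `exec.Command` so no shell parses attacker-controlled bytes.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"regexp"
	"strconv"
)

// fakeSSH is an assumed stand-in: a real launcher would run "ssh", but echo
// lets the example run offline and prints exactly what the shell executed.
const fakeSSH = "echo"

// Hostnames may not start with "-" so a value cannot be parsed as an ssh option.
var hostnameRe = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9.-]*$`)

// Allow-list for usernames: conventional POSIX names, no quotes or metacharacters.
var usernameRe = regexp.MustCompile(`^[a-z_][a-z0-9_-]{0,31}$`)

// buildSSHCommandUnsafe mirrors the flawed pattern: hostname and port are
// validated, but the username is pasted verbatim into a single shell string.
func buildSSHCommandUnsafe(username, hostname string, port int) (string, error) {
	if !hostnameRe.MatchString(hostname) {
		return "", errors.New("invalid hostname")
	}
	if port < 1 || port > 65535 {
		return "", errors.New("invalid port")
	}
	// A username such as "x'; echo INJECTED; #" closes the quoted argument,
	// appends a second command and comments out the rest of the line.
	return fmt.Sprintf("%s -p %d '%s@%s'", fakeSSH, port, username, hostname), nil
}

// runViaShell executes the assembled line the way a "bash -c" launcher would.
func runViaShell(cmdline string) (string, error) {
	out, err := exec.Command("/bin/sh", "-c", cmdline).CombinedOutput()
	return string(out), err
}

// buildSSHArgsSafe applies the same allow-list discipline to the username and
// returns an argv slice, so no shell ever parses attacker-controlled bytes.
func buildSSHArgsSafe(username, hostname string, port int) ([]string, error) {
	if !usernameRe.MatchString(username) {
		return nil, errors.New("invalid username")
	}
	if !hostnameRe.MatchString(hostname) {
		return nil, errors.New("invalid hostname")
	}
	if port < 1 || port > 65535 {
		return nil, errors.New("invalid port")
	}
	return []string{"-p", strconv.Itoa(port), username + "@" + hostname}, nil
}

// runWithoutShell passes argv straight to the program; metacharacters in the
// arguments are plain bytes, never syntax.
func runWithoutShell(args []string) (string, error) {
	out, err := exec.Command(fakeSSH, args...).CombinedOutput()
	return string(out), err
}

func main() {
	payload := "x'; echo INJECTED; #"
	line, _ := buildSSHCommandUnsafe(payload, "example.test", 22)
	out, _ := runViaShell(line)
	fmt.Printf("vulnerable: %q\n-> %q\n", line, out)

	if _, err := buildSSHArgsSafe(payload, "example.test", 22); err != nil {
		fmt.Println("hardened:", err)
	}
	args, _ := buildSSHArgsSafe("alice", "example.test", 22)
	out, _ = runWithoutShell(args)
	fmt.Printf("hardened argv %q\n-> %q\n", args, out)
}
```

The allow-list is the real fix; quoting or escaping the username for bash is brittle because every metacharacter the escaper misses is a bypass, while an argv slice never reaches a shell at all. The same regex rejects a leading `-`, which would otherwise let a "username" be parsed as an option by the target program.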
PT-2023-25714
6.5
2023-07-05
Unknown · Uptime Kuma · CVE-2023-36822
**Name of the Vulnerable Software and Affected Versions** Uptime Kuma versions prior to 1.22.1 **Description** A path traversal vulnerability allows an authenticated attacker to delete files on the server, leading to unavailability and potentially data loss. Uptime Kuma allows authenticated users to install plugins from an official list of plugins, although this feature is currently disabled in the web interface. The corresponding API endpoints are still available after login. Before a plugin is downloaded, the plugin installation directory is checked for existence, and if it exists, it's removed before the plugin installation. Because the plugin is not validated against the official list of plugins or sanitized, the check for existence and the removal of the plugin installation directory are prone to path traversal. This vulnerability enables an authenticated attacker to delete files from the server Uptime Kuma is running on, potentially causing Uptime Kuma or the whole system to become unavailable due to data loss. **Recommendations** For versions prior to 1.22.1, update to version 1.22.1 or later to resolve the issue. As a temporary workaround, consider disabling the plugin installation feature until a patch is available. Restrict access to the API endpoints related to plugin installation to minimize the risk of exploitation. Avoid using the plugin installation directory in a way that could lead to path traversal until the issue is resolved.