N0Rv-Tvt

Name of the Vulnerable Software and Affected Versions OneUptime versions prior to 10.0.42 Description The OneUptime platform's Worker service ManualAPI exposes workflow execution endpoints without authentication. Specifically, the GET and POST endpoints `/workflow/manual/run/:workflowId` are vulnerable. An attacker who can obtain or guess a workflow ID can trigger arbitrary workflow execution with attacker-controlled input data. This can lead to JavaScript code execution, notification abuse, and data manipulation. Recommendations Update to version 10.0.42 or later.

**Name of the Vulnerable Software and Affected Versions** FileRise versions prior to 3.8.0 **Description** FileRise is a self-hosted web file manager and WebDAV server. A missing authentication check in the `deleteShareLink` endpoint allows unauthenticated users to delete arbitrary file share links by providing only the share token, leading to denial of service for shared file access. The `/api/file/deleteShareLink.php` API endpoint calls the `FileController::deleteShareLink()` function, which does not perform authentication, authorization, or CSRF validation before deleting a share link. Any anonymous HTTP client can destroy share links. The vulnerable parameter is the share token. **Recommendations** Update FileRise to version 3.8.0 or later.

**Name of the Vulnerable Software and Affected Versions** FileRise versions prior to 3.8.0 **Description** FileRise is a self-hosted web file manager and WebDAV server. Prior to version 3.8.0, the WebDAV upload endpoint accepts any file extension, including .phtml, .php5, .htaccess, and other server-side executable types. This bypasses the filename validation enforced by the regular upload path. In deployments without Apache’s LocationMatch protection, this can lead to remote code execution. The `createFile()` method in `FileRiseDirectory.php` and the `put()` method in `FileRiseFile.php` accept filenames directly from the WebDAV client without validation, unlike the regular upload endpoint which uses `REGEX FILE NAME` for validation. **Recommendations** Versions prior to 3.8.0 should be updated to version 3.8.0 or later.

**Name of the Vulnerable Software and Affected Versions** FileRise versions prior to 3.9.0 **Description** FileRise is a self-hosted web file manager and WebDAV server. Versions prior to 3.9.0 utilize a hardcoded default encryption key (`default please change this key`) for all cryptographic operations, including HMAC token generation, AES configuration encryption, and session tokens. This allows an unauthenticated attacker to forge upload tokens, enabling arbitrary file uploads to shared folders, and to decrypt administrator configuration secrets, such as OIDC client secrets and SMTP passwords. The software uses a single key (`PERSISTENT TOKENS KEY`) for all cryptographic operations, and the default value is used unless explicitly overridden by the deployer through an environment variable. **Recommendations** Versions prior to 3.9.0 should be updated to version 3.9.0 or later.

**Name of the Vulnerable Software and Affected Versions** OneUptime versions prior to 10.0.34 **Description** OneUptime, a service monitoring solution, had a critical issue in its WhatsApp POST webhook handler (`/notification/whatsapp/webhook`). This handler did not verify the Meta/WhatsApp `X-Hub-Signature-256` HMAC signature for incoming status update events. This allowed unauthenticated attackers to forge webhook payloads, potentially manipulating notification delivery status records, suppressing alerts, and corrupting audit trails. The Slack webhook handler within the same codebase correctly implements signature verification. An attacker could exploit this by sending crafted POST requests to the `/notification/whatsapp/webhook` endpoint without providing a valid signature. This could lead to false delivery status reports, suppression of critical alerts, and manipulation of audit logs. The vulnerable code resides in `App/FeatureSet/Notification/API/WhatsApp.ts` lines 372-430. **Recommendations** Versions prior to 10.0.34 should be updated to version 10.0.34 or later to address the missing signature verification in the WhatsApp POST webhook handler.

**Name of the Vulnerable Software and Affected Versions** OneUptime versions prior to 10.0.24 **Description** OneUptime, a service for monitoring and managing online services, has an issue in its password reset process. Before version 10.0.24, the complete password reset URL, including the plaintext reset token, was logged at the INFO level. This logging level is enabled by default in production environments. Anyone with access to application logs—such as those from log aggregation systems, Docker, or Kubernetes—could potentially intercept these tokens and take over user accounts. The vulnerable code is located in `App/FeatureSet/Identity/API/Authentication.ts` lines 370-371, where the `tokenVerifyUrl` is logged. Additionally, login request data, including cleartext passwords, is logged at the DEBUG level on line 909. The `tokenVerifyUrl` takes the form of a complete URL like `https://app.oneuptime.com/accounts/reset-password/<plaintext-token>`. This issue allows for account takeover due to the systematic logging of every password reset request, potentially exposing all password reset tokens to individuals with log reader access. **Recommendations** Versions prior to 10.0.24 should be updated to version 10.0.24 or later.