Naveen Sunkavally

**Name of the Vulnerable Software and Affected Versions** Apache Solr versions 9.4.0 through 9.10.1 Apache Solr version 10.0.0 **Description** The Basic Authentication setup tool `bin/solr auth enable` contains hardcoded credentials. This allows a remote attacker to gain full administrative access to the cluster using publicly known default credentials that are installed silently alongside the account specified by the user. **Recommendations** For versions 9.4.0 through 9.10.1, upgrade to version 9.11.0. For version 10.0.0, upgrade to version 10.1.0. As a temporary workaround, delete the template users (`superadmin`, `admin`, `search`, `index`) from `security.json` or change their passwords.

**Name of the Vulnerable Software and Affected Versions** Apache ActiveMQ Broker versions prior to 5.19.7 Apache ActiveMQ Broker versions 6.0.0 through 6.2.5 Apache ActiveMQ All versions prior to 5.19.7 Apache ActiveMQ All versions 6.0.0 through 6.2.5 Apache ActiveMQ versions prior to 5.19.7 Apache ActiveMQ versions 6.0.0 through 6.2.5 **Description** An improper input validation and code injection issue exists in Apache ActiveMQ Classic. The software exposes the Jolokia JMX-HTTP bridge at the '/api/jolokia/' endpoint on the web console. The default access policy allows execution operations on all ActiveMQ MBeans, specifically the `BrokerService.addNetworkConnector(String)` and `BrokerService.addConnector(String)` functions. An authenticated attacker can use a crafted discovery URI to trigger the `brokerConfig` parameter of the VM transport to load a remote Spring XML application context via `ResourceXmlApplicationContext`. Since this context instantiates singleton beans before configuration validation, arbitrary code can be executed on the broker's JVM through bean factory methods like `Runtime.exec()`. This issue has been exploited in the wild. Non-parenthesized discovery wrappers, such as `masterslave:vm://...,...` and `static:vm://...`, can be used to bypass previous fixes. **Recommendations** Upgrade Apache ActiveMQ Broker, Apache ActiveMQ All, and Apache ActiveMQ to version 5.19.7 or 6.2.6. Restrict or disable Jolokia execution operations and enforce strong authentication and strict Jolokia policies. Block or limit network access to the '/api/jolokia/' endpoint and restrict the web console to trusted management networks.

Name of the Vulnerable Software and Affected Versions osTicket versions 1.17.x prior to 1.17.7 and 1.18.x prior to 1.18.3 Description osTicket versions 1.17.x prior to 1.17.7 and 1.18.x prior to 1.18.3 contain an arbitrary file read issue in the ticket PDF export functionality. An attacker can submit a ticket with crafted rich-text HTML containing PHP filter expressions that are not properly sanitized before being processed by the mPDF PDF generator during export. Exporting the ticket to PDF can embed the contents of attacker-selected files from the server filesystem as bitmap images, potentially disclosing sensitive local files within the context of the osTicket application user. This is exploitable in default configurations where guests can create tickets and access ticket status, or where self-registration is enabled. The issue allows for the reading of arbitrary server files, including sensitive configuration data such as database credentials and secret key material. Recommendations Update to osTicket version 1.17.7 or later. Update to osTicket version 1.18.3 or later.

**Name of the Vulnerable Software and Affected Versions** Langflow versions prior to 1.3.0 **Description** Langflow is susceptible to code injection due to a lack of authentication in a critical function. A remote and unauthenticated attacker can send crafted HTTP requests to the '/api/v1/validate/code' endpoint to execute arbitrary code on the server, potentially leading to a full server takeover. The issue involves the `code` parameter, which allows the transmission of Python code that can be executed via the `exec()` function and the `subprocess.check output()` function. Real-world exploitation has been observed involving the Flodrix botnet, which uses Python-based malware to conduct DDoS attacks and steal data from compromised systems. Attackers have utilized open-source exploits and reconnaissance tools like Shodan to identify publicly accessible servers. To avoid detection, the malware employs evasion techniques such as string obfuscation and self-deletion. **Recommendations** Update to version 1.3.0 or newer. Restrict network access to the API to eliminate public exposure. Block POST requests to the '/api/v1/validate/code' endpoint that contain the 'Content-Type: application/json' header and Python operators such as `exec`, `Exception`, `import`, `print`, or `system` in the request body.

**Name of the Vulnerable Software and Affected Versions** PaperCut NG and PaperCut MF versions prior to 22.1.3 **Description** The issue allows path traversal, enabling attackers to upload, read, or delete arbitrary files, leading to remote code execution when external device integration is enabled. This is a high-severity security flaw that could result in remote code execution under specific circumstances. It is estimated that many academic institutions are affected, with 585 vulnerable IPs found. **Recommendations** For versions prior to 22.1.3, update to version 22.1.3 or later to protect against this issue. As a temporary workaround, consider disabling external device integration until a patch is available. Restrict access to the vulnerable WebDAV module to minimize the risk of exploitation. Avoid using the vulnerable `WebDAV` endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Apache Superset versions up to and including 2.1.0 **Description** The issue is related to the use of alternative driver names when importing a database, which could allow a remote attacker to create arbitrary files and gain unauthorized access to protected information by connecting to SQLite databases. This could result in unexpected file creation on Superset web servers. If Apache Superset is using a SQLite database for its metadata, it could lead to more severe vulnerabilities related to confidentiality and integrity. **Recommendations** For Apache Superset versions up to and including 2.1.0, update to a version later than 2.1.0 to resolve the issue. As a temporary workaround, consider restricting the use of alternative driver names like `sqlite+pysqlite` to minimize the risk of exploitation. Avoid using database imports that could lead to incorrect registration of SQLite database connections until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Apache Superset versions 1.5.0 through 2.1.0 **Description** The issue is related to a software vulnerability in Apache Superset, specifically a deserialization mechanism flaw. If an attacker gains write access to the Apache Superset metadata database, they could persist a specifically crafted Python object that may lead to remote code execution on Superset's web backend. The Superset metadata database is an internal component, typically only accessible directly by the system administrator and the Superset process itself, and gaining access to it should be difficult and require significant privileges. Approximately 15,849 results were found, indicating potential exposure. **Recommendations** To resolve the issue, users are recommended to upgrade to Apache Superset version 2.1.1 or later. As a temporary workaround, consider restricting access to the Superset metadata database to minimize the risk of exploitation. Additionally, system administrators should ensure that the Superset process itself and the metadata database are properly secured to prevent unauthorized access.

**Name of the Vulnerable Software and Affected Versions** NextGen Healthcare Mirth Connect versions prior to 4.4.1 **Description** The issue is related to an incomplete patch for a previous vulnerability, leading to unauthenticated remote code execution. This vulnerability is caused by insufficient access control in the Mirth Connect web server, allowing an attacker to execute arbitrary code remotely. The vulnerability is related to insecure usage of the Java XStream library for unmarshalling XML payloads. It has been reported that this vulnerability is being actively exploited, and it poses a significant risk to healthcare companies using the Mirth Connect platform. **Recommendations** Update to version 4.4.1 or later to prevent unauthorized access. As a temporary workaround, consider restricting access to the Mirth Connect administrator interface until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Apache Superset versions up to and including 2.0.1 **Description** The issue concerns a session validation flaw in Apache Superset, where installations that have not altered the default configured `SECRET KEY` according to installation instructions allow an attacker to authenticate and access unauthorized resources. This does not affect Superset administrators who have changed the default value for `SECRET KEY` config. The `SECRET KEY` is used to securely sign all session cookies and encrypt sensitive information on the database. Approximately 2,124 servers are potentially affected, with 67% of open internet-facing servers still using the default configuration. **Recommendations** For versions up to and including 2.0.1, add a strong `SECRET KEY` to your `superset config.py` file, like `SECRET KEY = <YOUR OWN RANDOM GENERATED SECRET KEY>`. Alternatively, you can set it with the `SUPERSET SECRET KEY` environment variable. As a temporary workaround, consider changing the default `SECRET KEY` to prevent exploitation until a patch is applied or the version is updated. For the best protection, update to version 2.1 or later, which does not allow the server to run with the default `SECRET KEY`.

**Name of the Vulnerable Software and Affected Versions** Apache Superset versions 1.3.0 through 2.0.1 **Description** An authenticated user with specific data permissions could access database connections stored passwords by requesting a specific REST API. **Recommendations** For Apache Superset versions 1.3.0 through 2.0.1, consider restricting access to the REST API endpoint that allows access to database connections stored passwords until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Zoho ManageEngine ADAudit Plus versions prior to 7060 **Description** The issue is related to the cewolf component in Zoho ManageEngine ADAudit Plus, which is vulnerable to an unauthenticated XXE attack due to incorrect restriction of XML external entity references. This can allow a remote attacker to conduct XXE attacks, leading to Remote Code Execution. The vulnerability can be exploited through the `/cewolf` endpoint, which is vulnerable to path traversal and blind XML external entity injection, allowing an attacker to upload and execute files. **Recommendations** For Zoho ManageEngine ADAudit Plus versions prior to 7060, update to version 7060 or later to resolve the issue. As a temporary workaround, consider restricting access to the `/cewolf` endpoint until a patch is applied. Avoid using the cewolf component in Zoho ManageEngine ADAudit Plus until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: Mautic versions prior to 2.16.5 Mautic versions prior to 3.2.4 Description: A cross-site scripting (XSS) issue in the forms component allows remote attackers to inject executable JavaScript via `mautic[return]`. This could allow an attacker unauthorized administrator-level access to Mautic. The vulnerability was reported by Naveen Sunkavally at Horizon3.ai. Recommendations: For versions prior to 2.16.5, upgrade to 2.16.5. For versions prior to 3.2.4, upgrade to 3.2.4. As a temporary workaround, consider restricting access to the forms component until a patch is applied.

Name of the Vulnerable Software and Affected Versions: Mautic versions prior to 2.16.5 Mautic versions prior to 3.2.4 Description: A cross-site scripting (XSS) issue in the assets component allows remote attackers to inject executable JavaScript through the Referer header of asset downloads. This could allow an attacker unauthorized administrator-level access to Mautic. Recommendations: For versions prior to 2.16.5, upgrade to 2.16.5. For versions prior to 3.2.4, upgrade to 3.2.4.

**Name of the Vulnerable Software and Affected Versions** eramba versions through c2.8.1 **Description** The issue allows HTTP Host header injection, which can result in wkhtml2pdf PDF printing by authenticated users. **Recommendations** For versions through c2.8.1, consider restricting access to authenticated users to minimize the risk of exploitation. As a temporary workaround, consider disabling the use of wkhtml2pdf for PDF printing until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.