Offensiveee

**Name of the Vulnerable Software and Affected Versions** Portainer Community Edition versions 2.33.0 through 2.33.7 Portainer Community Edition versions 2.39.0 through 2.39.1 Portainer Community Edition versions prior to 2.41.0 **Description** Portainer includes a security setting to disable bind mounts for non-administrators, intended to prevent regular users from binding host paths into containers via the Portainer-mediated Docker API. However, the enforcement mechanism only inspected the `HostConfig.Binds` array and ignored the equivalent `HostConfig.Mounts` array. Since both fields are interchangeable on the Docker daemon, an authenticated user with container-creation rights can bypass this restriction by submitting a `bind`-typed entry under `HostConfig.Mounts` at the 'POST /containers/create' endpoint. This allows the user to mount any host path into their container, potentially gaining read or write access to the host filesystem as the Docker daemon user (typically `root`). This can lead to the exposure of sensitive files, compromise of other containers on the same host, or full Docker API access if the Docker socket is mounted. **Recommendations** Update Portainer Community Edition versions 2.33.0 through 2.33.7 to 2.33.8. Update Portainer Community Edition versions 2.39.0 through 2.39.1 to 2.39.2. Update Portainer Community Edition versions prior to 2.41.0 to 2.41.0. Revoke container-create rights from non-administrator accounts on affected environments. Segregate tenants by environment to provide stronger control than the bind-mount toggle.

**Name of the Vulnerable Software and Affected Versions** Piwigo versions prior to 16.3.0 **Description** An information disclosure issue exists in the open source photo gallery application where the 'pwg.history.search' API method is registered without the `admin only` option. This allows unauthenticated users to access the complete browsing history of all gallery visitors. **Recommendations** Update to version 16.3.0.

**Name of the Vulnerable Software and Affected Versions** Lychee versions prior to 7.5.1 **Description** Lychee is a free, open-source photo-management tool. A flaw exists in the IP validation check within the patch for an SSRF issue related to `Photo::fromUrl`. This incomplete check fails to block loopback and link-local addresses. Before version 7.5.1, an authenticated user could access internal services using direct IP addresses, bypassing all four protection configurations, even with secure default settings. **Recommendations** Update to version 7.5.1 or later.

**Name of the Vulnerable Software and Affected Versions** FreeScout versions 1.8.208 and below **Description** FreeScout is a help desk and shared inbox application built with the Laravel PHP framework. A broken access control issue exists in the `ThreadPolicy::edit()` method. This allows any authenticated user, regardless of their role or mailbox access, to read and modify all customer-created thread messages across all mailboxes. This flaw enables silent modification of customer messages and bypasses the entire mailbox permission model, potentially leading to GDPR compliance violations. The `ThreadPolicy::edit()` function is vulnerable to unauthorized access. The vulnerable parameter is not specified. **Recommendations** Upgrade to version 1.8.209 or later to resolve this issue.

**Name of the Vulnerable Software and Affected Versions** WWBN AVideo versions 25.0 and below **Description** The /objects/encryptPass.json.php endpoint in WWBN AVideo exposes the application's password hashing algorithm to any unauthenticated user. An attacker can submit arbitrary passwords and receive their hashed equivalents, enabling offline password cracking against leaked database hashes. The `encryptPassword()` function uses a weak hash chain (md5+whirlpool+sha1, no salt by default), making password cracking extremely fast with access to database hashes. The vulnerable file is `objects/encryptPass.json.php`, and the vulnerable function is `encryptPassword()`. The `encryptPassword()` function is located in `objects/functions.php` around line 2101. The vulnerable parameter is `pass` in the API endpoint `/objects/encryptPass.json.php`. **Recommendations** Versions 25.0 and below should be updated to version 26.0 or later.

**Name of the Vulnerable Software and Affected Versions** AVideo versions 25.0 and below **Description** AVideo, an open source video platform, has an issue where the `/objects/phpsessionid.json.php` endpoint exposes the current PHP session ID to any unauthenticated request. The `allowOrigin()` function reflects any `Origin` header back in `Access-Control-Allow-Origin` with `Access-Control-Allow-Credentials: true`, which enables cross-origin session theft and full account takeover. An attacker can host a malicious page that, when visited by a logged-in AVideo user, steals their PHP session ID due to the permissive CORS policy. This allows the attacker to impersonate the user with full privileges. The vulnerable file is `objects/phpsessionid.json.php`, and the vulnerable function is `allowOrigin()`. The `allowOrigin()` function is located in `objects/functions.php` (line ~2648). The vulnerability allows an attacker to make a credentialed cross-origin request and read the session ID. **Recommendations** Versions prior to 26.0 should be updated.