Offset

**Name of the Vulnerable Software and Affected Versions** Hono versions prior to 4.12.21 **Description** The `ip-restriction` middleware (hono/ip-restriction) compares incoming IP addresses against configured deny and allow rules using string equality after partial normalization. Non-canonical IPv6 representations of an address already listed in a static rule—such as compressed forms, explicit-zero forms, or hex-notation IPv4-mapped addresses—do not match the normalized rule entry, which causes the rule to be silently skipped. **Recommendations** Update to version 4.12.21.

**Name of the Vulnerable Software and Affected Versions** Hono versions prior to 4.12.21 **Description** The `serialize()` function in hono/cookie fails to validate the `sameSite` and `priority` options against characters that can corrupt Set-Cookie header syntax, such as semicolons, carriage returns, and line feeds. While validation is applied to domain and path options, the lack of similar checks for these specific options allows an application passing user-controlled input to produce a Set-Cookie response header containing attacker-chosen additional attributes. **Recommendations** Update to version 4.12.21.

**Name of the Vulnerable Software and Affected Versions** Arcane versions prior to 1.19.4 **Description** An authenticated user can perform an arbitrary read of any file accessible by the Arcane backend process. This occurs because the `ProjectService.CreateProject` function writes attacker-supplied compose content to disk without validating include paths. Subsequently, the `ProjectService.GetProjectFileContent` function returns the contents of any Docker Compose include directive before path-traversal validation is executed. By creating a project with a compose file containing a malicious include directive, such as `include: ['../../../../etc/passwd']`, an attacker can read sensitive files via the project file API. Technical details include: - API Endpoints: `POST /api/environments/{id}/projects` and `GET /api/environments/{id}/projects/{projectId}/file`. - Vulnerable Functions: `ProjectService.CreateProject()`, `ProjectService.GetProjectFileContent()`, and `ParseIncludes()`. This issue can lead to the disclosure of the `arcane.db` SQLite database, which contains password hashes and API keys for all users. This enables privilege escalation to an administrator role and potentially Remote Code Execution (RCE) on the host via the Docker control plane. **Recommendations** Update to version 1.19.4.

**Name of the Vulnerable Software and Affected Versions** Arcane versions prior to 1.19.2 **Description** The "PUT /api/environments/{id}/templates/variables" endpoint, used to write the system-wide `.env.global` file for variable substitution in project compose files, lacks an admin authorization check. Any authenticated non-admin user can use their bearer token or API key to overwrite global environment variables merged into every project deployment. By manipulating variables such as `REGISTRY`, `IMAGE`, `DATABASE URL`, or `SECRET KEY`, an attacker can redirect image pulls to malicious registries, leading to supply-chain remote code execution (RCE) on the Docker host, exfiltrate database credentials, or disrupt all projects. Additionally, the `UpdateGlobalVariables()` function does not properly sanitize newlines in keys, allowing arbitrary key injection into the `.env.global` file. **Recommendations** Update to version 1.19.2. As a temporary workaround, restrict access to the "PUT /api/environments/{id}/templates/variables" endpoint to authorized administrators only.

**Name of the Vulnerable Software and Affected Versions** pyLoad versions prior to 0.5.0b3.dev100 **Description** An authenticated attacker can perform Server-Side Request Forgery (SSRF) by supplying a URL to the 'parse urls' API endpoint that points to a server under their control. This server can respond with a 302 redirect to an internal or private IP address, bypassing the `is global host()` check performed on the initial URL. This occurs because the `HTTPRequest` class, used by the `get url()` function, has the `allow private ip` variable set to `True` by default, which causes the ` pre request callback()` function to skip the private IP validation during redirects. This issue can be exploited to access internal services on private networks, localhost services, or cloud metadata endpoints (such as AWS IMDSv1), potentially leaking IAM credentials, instance metadata, and secrets. **Recommendations** Update to version 0.5.0b3.dev100 or later.

**Name of the Vulnerable Software and Affected Versions** Budibase versions prior to 3.38.2 **Description** The public API role unassignment endpoint "/api/public/v1/roles/unassign" updates user documents in CouchDB but fails to invalidate the corresponding Redis user cache entries. Because the authentication middleware resolves user identity and permissions from this cache, which has a Time To Live (TTL) of 3600 seconds, users whose admin, builder, or app-level roles are revoked via the public API retain those privileges for up to one hour. This occurs due to an inconsistency where the `bulkUpdate()` function writes directly to the database without triggering the necessary cache invalidation, unlike the path used by the admin UI. **Recommendations** Update to version 3.38.2. As a temporary workaround, restrict access to the "/api/public/v1/roles/unassign" endpoint until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Arcane versions 1.18.1 and earlier **Description** An issue exists where the endpoint "GET /environments/{id}/volumes/{volumeName}/browse" accepts a `path` query parameter that is passed to a shell command (`sh -c "find … | while …"`) inside a helper container. The path sanitizer blocks directory traversal using `../` but fails to strip Bourne-shell metacharacters such as `$()` or backticks. Additionally, the use of `strconv.Quote` only escapes Go string metacharacters and not shell substitution sequences. This allows any authenticated user with access to a browseable volume to execute arbitrary commands inside the isolated helper container. The output of these commands is reflected back to the user within the HTTP 500 error response body. While the helper container is network-disabled and lacks privileged mode or Docker socket mounts, this flaw enables attackers to bypass API restrictions, such as symlink-target censoring and file size limits, and to probe the helper image and volume. Furthermore, the same insufficient sanitizer in the "DELETE /environments/{id}/volumes/{volumeName}/browse" endpoint allows an authenticated user to recursively delete all volume contents by providing `path=.` as input. **Recommendations** For versions 1.18.1 and earlier, update the software to a version where the path sanitizer is hardened to strip shell metacharacters and prevent command substitution. As a temporary workaround, restrict access to the "GET /environments/{id}/volumes/{volumeName}/browse" and "DELETE /environments/{id}/volumes/{volumeName}/browse" endpoints to trusted administrators only.

**Name of the Vulnerable Software and Affected Versions** Arcane versions prior to 1.19.0 **Description** The unauthenticated 'GET /api/app-images/logo' endpoint reflects a user-supplied `color` query parameter into the body of an SVG document using `strings.ReplaceAll` without proper escaping. This substitution occurs within a `<style>` element of the embedded `logo.svg`, allowing an attacker to close the style block and inject executable `<script>` content. Since the response is served as `image/svg+xml` and lacks Content-Security-Policy or `X-Content-Type-Options` headers, an attacker can trick a logged-in administrator into visiting a crafted URL. This executes attacker-controlled JavaScript within the application's origin, utilizing the victim's HttpOnly JWT cookie to fully compromise the admin account. This can lead to the creation of unauthorized admin accounts, access to secrets, and control over connected Docker hosts. **Recommendations** Update to version 1.19.0. As a temporary mitigation, restrict access to the 'GET /api/app-images/logo' endpoint. Implement the `X-Content-Type-Options: nosniff` header on all responses. Apply a `Content-Security-Policy` (CSP) to SVG image responses, such as `default-src 'none'; style-src 'unsafe-inline'; img-src 'self' data:`.

**Name of the Vulnerable Software and Affected Versions** Budibase versions prior to 3.38.1 **Description** An issue exists in the "POST /api/global/users/onboard" endpoint, which is protected by the `workspaceBuilderOrAdmin` middleware. This allows users with builder permissions to access the endpoint. In self-hosted instances where SMTP email is not configured, the endpoint bypasses the standard admin-restricted invite flow and uses the `bulkCreate` function to create users directly. Because the request body accepts arbitrary `admin` and `builder` role assignments, a builder-level user can create a new global admin account. The system then returns the generated password in the response, leading to full privilege escalation and platform compromise. **Recommendations** Update to version 3.38.1. As a temporary workaround, restrict access to the "POST /api/global/users/onboard" endpoint to only authorized administrators.

**Name of the Vulnerable Software and Affected Versions** Budibase versions prior to 3.38.1 **Description** The row action trigger endpoint "POST /api/tables/:sourceId/actions/:actionId/trigger" fails to validate if the user-supplied `rowId` is within the scope of the view's row filters. This allows a user with access to a filtered view to trigger row actions on any row in the underlying table, including those explicitly excluded by security filters. This occurs because the system discards the view context and fetches the row directly from the table using the `sdk.rows.find()` function, bypassing the enforcement of view query filters. This can lead to unauthorized data modification, information disclosure, or the execution of unauthorized actions via automations. **Recommendations** Update to version 3.38.1. As a temporary workaround, restrict access to the "POST /api/tables/:sourceId/actions/:actionId/trigger" endpoint to only highly trusted users until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Arcane versions prior to 1.19.0 **Description** Arcane improperly exposes Git repository management endpoints to any authenticated user, allowing low-privileged accounts to modify repository configurations, exfiltrate stored Git credentials, access private repository contents, and tamper with GitOps deployments. The issue stems from the huma-based REST API failing to call the `checkAdmin(ctx)` helper function on eight of nine endpoints under '/api/customize/git-repositories' and '/api/git-repositories/sync'. While the authentication middleware verifies the user is logged in, it does not enforce the admin role for these specific handlers. An attacker with the default `user` role can use the `UpdateRepository` function to change a repository's URL to a host they control while preserving the encrypted credentials. By subsequently calling the '/test', '/branches', or '/files' endpoints, the system decrypts the legitimate Personal Access Token (PAT) or SSH key and transmits it to the attacker's host via HTTP Basic auth or SSH auth. This allows for the cleartext exfiltration of credentials, potential supply-chain compromise by swapping repository URLs to malicious forks, and denial of service by deleting production configurations. **Recommendations** Update to version 1.19.0. As a temporary workaround, restrict access to the '/api/customize/git-repositories' and '/api/git-repositories/sync' endpoints to trusted network ranges or disable them if not required.

**Name of the Vulnerable Software and Affected Versions** AVideo versions 29.0 and earlier **Description** A cross-site request forgery (CSRF) issue exists in the 2FA toggle functionality. The endpoint "plugin/LoginControl/set.json.php" accepts POST requests with the parameters `type=set2FA` and `value=false` to disable two-factor authentication for a session-authenticated user via the `LoginControl::setUser2FA()` function. The endpoint fails to implement necessary security checks, such as the `forbidIfIsUntrustedRequest()` call, `isTokenValid()` verification, X-CSRF-Token/SameSite enforcement, or a re-authentication step. Consequently, an attacker can host a malicious cross-origin page that, when visited by a logged-in user, automatically issues a POST request to disable the victim's 2FA, making the account susceptible to credential stuffing or phishing attacks. **Recommendations** Update to a version where the "plugin/LoginControl/set.json.php" endpoint implements the `forbidIfIsUntrustedRequest()` gate and requires re-authentication (such as a 2FA code or password prompt) when disabling 2FA. As a temporary workaround, restrict access to the "plugin/LoginControl/set.json.php" endpoint or disable the `LoginControl` plugin until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** WWBN AVideo versions 29.0 and earlier **Description** A shell-metacharacter injection exists in the YPTSocket notification branch within the `plugin/Live/on publish.php` file. The application constructs a command line for the `execAsync()` function using string concatenation and literal single quotes instead of using the `escapeshellarg()` function. This allows an attacker to close the quoted token by inserting a single quote into the `$users id`, `$m3u8`, or `$obj->liveTransmitionHistory id` variables, enabling the execution of arbitrary OS commands with the privileges of the web-server runtime user. The issue is reachable via a direct HTTP POST request to the endpoint "/plugin/Live/on publish.php". **Recommendations** Update to a version where `escapeshellarg()` is applied to all variables interpolated into the command string in `plugin/Live/on publish.php`. As a temporary mitigation, restrict access to the "/plugin/Live/on publish.php" endpoint to only allow requests from 127.0.0.1 and configured RTMP server IPs via `.htaccess` or nginx location rules.

**Name of the Vulnerable Software and Affected Versions** AVideo versions 29.0 and earlier **Description** A stored cross-site scripting issue exists in the Live plugin's "YouTube-style" view. The application renders the live transmission's stream key into an HTML class attribute using a raw echo without proper escaping. A user with `canStream` permissions can persist a malicious key containing an event handler via the 'plugin/Live/saveLive.php' endpoint. When any visitor, including anonymous users or administrators, opens the affected stream's live page, the attacker's JavaScript executes within the platform's origin. This can allow the attacker to steal session cookies, read DOM content, or perform unauthorized actions if the victim is an administrator. **Recommendations** Update AVideo to a version later than 29.0. As a temporary mitigation, restrict the `canStream` permission to trusted users only to prevent the persistence of malicious stream keys. Restrict access to the 'plugin/Live/saveLive.php' endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** phpMyFAQ versions prior to 4.1.2 **Description** A missing authorization issue exists in the "DELETE /admin/api/content/tags/{tagId}" endpoint. This allows any authenticated user, including regular frontend users, to delete arbitrary tags by sending a DELETE request with a valid session cookie, which can lead to permanent data loss and disruption of FAQ organization. The vulnerable variable is `{tagId}`. **Recommendations** Update to version 4.1.2 or later.

**Name of the Vulnerable Software and Affected Versions** Flowise versions prior to 3.1.2 **Description** A mass assignment issue exists in the evaluation create and update processes. The server uses `Object.assign()` to copy the request body into the Evaluation entity without an explicit field allowlist, allowing a client to overwrite sensitive fields such as `workspaceId`, `id`, `createdDate`, and `updatedDate`. An authenticated user can exploit this by sending a request to the `PUT /api/v1/evaluations/<id>` endpoint with a modified `workspaceId` variable, effectively moving an evaluation to a different workspace. This results in a cross-workspace boundary violation and Insecure Direct Object Reference (IDOR), where data can be exposed to members of another workspace. **Recommendations** Update to version 3.1.2. As a temporary workaround, restrict access to the `PUT /api/v1/evaluations/<id>` endpoint to minimize the risk of unauthorized workspace transfers.

**Name of the Vulnerable Software and Affected Versions** Flowise versions prior to 3.1.2 **Description** A mass assignment issue exists in the CustomTemplate create and update processes. The application uses `Object.assign()` to copy the request body into a `CustomTemplate` entity without an explicit field allowlist, allowing a client to overwrite sensitive fields such as `workspaceId` and `id`. An authenticated attacker can exploit this by sending a request to the `PUT /api/v1/customtemplates/<id>` endpoint with a modified `workspaceId` variable, effectively moving a template to a different workspace. This results in a cross-workspace template takeover and Insecure Direct Object Reference (IDOR), where the attacker can transfer ownership of a template to another workspace whose UUID is known. **Recommendations** Update to version 3.1.2. As a temporary workaround, restrict access to the `PUT /api/v1/customtemplates/<id>` endpoint or monitor for requests containing the `workspaceId` or `id` variables in the request body.

**Name of the Vulnerable Software and Affected Versions** Flowise versions prior to 3.1.2 **Description** A mass assignment issue exists in the dataset create and update processes. The application uses `Object.assign()` to copy the request body into a `Dataset` entity without an explicit field allowlist, allowing a client to overwrite sensitive fields. Specifically, an authenticated user can manipulate the `workspaceId` and `id` variables via the `PUT /api/v1/datasets/<id>` endpoint. This allows an attacker to move a dataset from one workspace to another by specifying a different `workspaceId`, resulting in a cross-workspace dataset takeover and Insecure Direct Object Reference (IDOR). This occurs because the persistence layer saves the client-controlled values directly to the database, breaking workspace isolation. **Recommendations** Update to version 3.1.2. As a temporary workaround, restrict access to the `PUT /api/v1/datasets/<id>` endpoint or monitor for requests containing the `workspaceId` or `id` parameters in the request body.

**Name of the Vulnerable Software and Affected Versions** Flowise versions prior to 3.1.2 **Description** A mass assignment issue exists in the DatasetRow create and update processes. The application uses `Object.assign()` to copy the request body into the `DatasetRow` entity without an explicit field allowlist, allowing a client to overwrite sensitive fields such as `workspaceId` and `id`. This can lead to cross-workspace row takeover and Insecure Direct Object Reference (IDOR), where an authenticated user can move a dataset row to another workspace by specifying a different `workspaceId` in the request body. This exposes the row content to the destination workspace and removes access for the original workspace. The issue is located in the `packages/server/src/services/dataset/index.ts` file and affects the `PUT /api/v1/datasetrows/<id>` endpoint. **Recommendations** Update to version 3.1.2. As a temporary workaround, restrict access to the `PUT /api/v1/datasetrows/<id>` endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Devise versions 5.0.3 and earlier **Description** When the `Timeoutable` module is enabled, the `FailureApp#redirect url` method returns the `request.referrer` (the HTTP Referer header) without validation for any non-GET request that results in a session timeout. Because the HTTP Referer header is attacker-controllable, an attacker hosting a page with an auto-submitting cross-origin form can cause a victim with an expired session to be redirected to an arbitrary external URL. This occurs because the non-GET timeout redirect path is unprotected, unlike the GET timeout path which uses the server-side `attempted path` and the `store location for` mechanism which utilizes `extract path from location` to strip external hosts. This can be used for phishing or malware delivery by redirecting users from a trusted domain to an attacker-controlled site, bypassing browser warnings. Rails' built-in open-redirect protection does not mitigate this issue as `Devise::FailureApp` is an `ActionController::Metal` app with isolated redirect configuration. **Recommendations** Update to version 5.0.4.