Ormzro

**Name of the Vulnerable Software and Affected Versions** FacturaScripts versions prior to 2025.92 **Description** A stored Cross-Site Scripting (XSS) issue exists in the product search modal of sales and purchases documents. An authenticated user with access to the warehouse module can create a product with a malicious reference that executes arbitrary JavaScript in the browser of any other user who opens the product search modal within an invoice, order, or delivery note. The issue occurs because the `referencia` variable is injected into an HTML `onclick` attribute without proper JavaScript context escaping. When the modal HTML is inserted into the DOM via `innerHTML`, the browser decodes the characters, allowing the attacker to break out of the JavaScript string literal and execute code. This can lead to privilege escalation, where a low-privilege user executes scripts in an administrator's session to perform unauthorized actions, such as creating new admin users via the `/EditUser` endpoint or exfiltrating business data. **Recommendations** Update to a version later than 2025.92. As a temporary workaround, restrict access to the warehouse module to trusted users only to prevent the creation of malicious product references. Avoid using the `referencia` field for products created by untrusted users until the system is updated.

Name of the Vulnerable Software and Affected Versions Open Source Point of Sale versions prior to 3.4.3 Description Open Source Point of Sale, a web-based point-of-sale application written in PHP using the CodeIgniter framework, contains a Stored Cross-Site Scripting (XSS) issue in the Daily Sales management table. The `customer name` column is configured with `escape: false` in the bootstrap-table column configuration, which renders customer names as raw HTML. An attacker with customer management permissions can inject arbitrary JavaScript into a customer's `first name` or `last name` field. This injected code executes in the browser of any user viewing the Daily Sales page. Recommendations Update to version 3.4.3 or later.

Homarr is an open-source dashboard. Prior to 1.57.0, the user registration endpoint (/api/trpc/user.register) is vulnerable to a race condition that allows an attacker to create multiple user accounts from a single-use invite token. The registration flow performs three sequential database operations without a transaction: CHECK, CREATE, and DELETE. Because these operations are not atomic, concurrent requests can all pass the validation step (1) before any of them reaches the deletion step (3). This allows multiple accounts to be registered using a single invite token that was intended to be single-use. This vulnerability is fixed in 1.57.0.

Name of the Vulnerable Software and Affected Versions OpenSTAManager versions prior to 2.10.2 Description OpenSTAManager, prior to version 2.10.2, contains an SQL Injection vulnerability in the `confronta righe.php` files across different modules. The `righe` parameter, received via the `$ GET['righe']` request, is directly concatenated into an SQL query without proper sanitization, parameterization, or validation. This allows an authenticated attacker to inject arbitrary SQL statements, potentially extracting sensitive data such as user credentials, customer information, invoice data, and other stored data. The vulnerability exists in six files: `modules/fatture/modals/confronta righe.php`, `modules/interventi/modals/confronta righe.php`, `modules/preventivi/modals/confronta righe.php`, `modules/ordini/modals/confronta righe.php`, `modules/ddt/modals/confronta righe.php`, and `modules/contratti/modals/confronta righe.php`. Exploitation involves crafting malicious HTTP GET requests to the `confronta righe.php` endpoint, manipulating the `righe` parameter to execute SQL queries. Successful exploitation could lead to confidentiality, integrity, and availability compromise of the database. Recommendations Apply parameterized statements with `prepare()` to the `righe` parameter in all six affected files: `modules/fatture/modals/confronta righe.php`, `modules/interventi/modals/confronta righe.php`, `modules/preventivi/modals/confronta righe.php`, `modules/ordini/modals/confronta righe.php`, `modules/ddt/modals/confronta righe.php`, and `modules/contratti/modals/confronta righe.php`.

Name of the Vulnerable Software and Affected Versions OpenSTAManager versions prior to 2.10.2 Description The OpenSTAManager software contains a flaw in the Aggiornamenti (Updates) module. This module includes a database conflict resolution feature that accepts a JSON array of SQL statements via POST requests to the `op=risolvi-conflitti-database` endpoint and executes them directly against the database without validation or sanitization. An authenticated attacker with access to the Aggiornamenti module can execute arbitrary SQL statements, including commands like CREATE, DROP, ALTER, INSERT, UPDATE, DELETE, and SELECT INTO OUTFILE. Foreign key checks are disabled before execution, reducing database integrity protections. Recommendations Update OpenSTAManager to version 2.10.2 or later.

**Name of the Vulnerable Software and Affected Versions** OpenSTAManager versions prior to 2.10.2 **Description** The `oauth2.php` file in OpenSTAManager is an unauthenticated endpoint. It loads a record from the `zz oauth2` table using the attacker-controlled GET parameter `state`, and during the OAuth2 configuration flow calls `unserialize()` on the `access token` field without any class restriction. An attacker who can write to the `zz oauth2` table can insert a malicious serialized PHP object that, upon deserialization, executes arbitrary commands on the server as the `www-data` user. The HTTP response is 500, but the command has already executed during error cleanup. This vulnerability, combined with an arbitrary SQL injection in the Aggiornamenti module, allows for unauthenticated remote code execution (RCE). The Laravel/RCE22 gadget chain is used to achieve this. **Recommendations** Versions prior to 2.10.2: Restrict the use of `unserialize()` by specifying `allowed classes` to `AccessToken::class` in the `checkTokens()` and `getAccessToken()` functions within `src/Models/OAuth2.php`. Alternatively, replace `serialize()`/`unserialize()` with `json encode()`/`json decode()` for storing OAuth2 tokens. As another option, authenticate the `oauth2.php` endpoint or validate the `state` parameter.

**Name of the Vulnerable Software and Affected Versions** OpenSTAManager versions prior to 2.10.2 **Description** OpenSTAManager is vulnerable to Time-Based Blind SQL Injection through the `options[stato]` GET parameter in multiple AJAX select handlers. The user-supplied value from `options[stato]` is directly concatenated into SQL WHERE clauses without sanitization, parameterization, or allowlist validation. An authenticated attacker can inject arbitrary SQL statements to extract sensitive data from the database, including usernames, password hashes, and financial records. The affected endpoints are: `/ajax select.php?op=preventivi`, `/ajax select.php?op=ordini-cliente`, and `/ajax select.php?op=contratti`. The vulnerable variable is `options[stato]`. The issue stems from insufficient sanitization of user input by HTMLPurifier, which does not strip SQL keywords or operators. An attacker can exploit this to extract data, potentially compromising confidentiality, integrity, and availability. **Recommendations** Versions prior to 2.10.2 should implement an allowlist validation for the `options[stato]` parameter, ensuring only permitted column names are used. Alternatively, use regex validation to strictly control the format of the input. As a supplementary measure, wrap the column name in backticks to treat it as an identifier. Audit all usages of `$superselect` across the codebase and validate any value used as part of a SQL expression.

**Name of the Vulnerable Software and Affected Versions** WeGIA versions prior to 3.6.7 **Description** WeGIA is a web manager for charitable institutions. Versions prior to 3.6.7 contain a flaw in the `html/socio/sistema/deletar tag.php` file. This file utilizes the `extract($ REQUEST)` function on line 14, and the `$id tag` variable is directly concatenated into SQL queries on lines 16-17 without employing prepared statements or sanitization. This can lead to SQL injection. **Recommendations** Update to WeGIA version 3.6.7 or later.

**Name of the Vulnerable Software and Affected Versions** GoDoxy versions prior to 0.27.5 **Description** GoDoxy, a reverse proxy and container orchestrator, contains a path traversal flaw in the file content API endpoint at `/api/v1/file/content`. The `filename` query parameter is directly used in constructing a file path without proper sanitization or validation, beyond a check for non-empty input. This allows an authenticated attacker to use `../` sequences to access files outside the intended `config/` directory, potentially including sensitive data like TLS private keys and OAuth refresh tokens. The `filename` parameter is passed to the `path.Join()` function with `common.ConfigBasePath` set to "config", creating a relative path. The vulnerability exists in the `internal/api/v1/file/get.go` file, specifically within the `GetPath()` function. The vulnerability affects both reading and writing files via the `/api/v1/file/content` endpoint. **Recommendations** Versions prior to 0.27.5 should be updated to version 0.27.5 or later. Implement validation to ensure the resolved file path remains within the expected base directory.

**Name of the Vulnerable Software and Affected Versions** Open Source Point of Sale (affected versions not specified) **Description** The application is a web-based point-of-sale system developed in PHP using the CodeIgniter framework. It contains a SQL Injection flaw within the Items search functionality. Specifically, when the custom attribute search feature is enabled, input from the `search` GET parameter is directly incorporated into a HAVING clause without proper sanitization or parameterization. This allows an authenticated attacker with item search permissions to execute arbitrary SQL queries. The API endpoint involved is the item search functionality, accepting the `search` parameter. The vulnerable parameter is `search`. A patch was not available at the time of publication. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Plunk versions prior to 0.7.1 **Description** Plunk is an email platform built on AWS SES. The image upload endpoint, ''/upload'', accepted SVG files. Browsers process SVG files as active documents, allowing embedded JavaScript to execute. This creates a stored cross-site scripting (XSS) issue. The `upload` function processes the uploaded files. **Recommendations** Update to version 0.7.1 or later.

**Name of the Vulnerable Software and Affected Versions** Homarr versions prior to 1.54.0 **Description** An unauthenticated Server-Side Request Forgery (SSRF) exists in Homarr, allowing a remote attacker to force the server to perform arbitrary outbound HTTP requests. This can be used to access internal networks from the Homarr host or container network. The vulnerability is present in versions before 1.54.0. SSRF is a web security flaw that allows an attacker to cause the server to make HTTP requests to an arbitrary domain of the attacker’s choosing. **Recommendations** Update to version 1.54.0 or later.