Oscar Uribe

**Name of the Vulnerable Software and Affected Versions** X-VPN macOS website versions 77.0 through 77.5 **Description** A race condition and symlink manipulation in the quarantine and restore workflow allow a local attacker to achieve privileged file corruption. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** glp versions prior to 11.0.7 **Description** An unauthenticated user with write access to the knowledge base can store a Cross-Site Scripting (XSS) payload in a knowledge base item. XSS is a type of security flaw where malicious scripts are injected into trusted websites. **Recommendations** Update to version 11.0.7 or later.

**Name of the Vulnerable Software and Affected Versions** Corteza version 2024.9.8 **Description** An issue exists in the Microsoft SQL Server (MSSQL) backend when filtering Compose records by the `meta` field, which allows for SQL injection. SQL injection is a type of flaw that enables an attacker to interfere with the queries that an application makes to its database. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Helpy version 2.8.0 **Description** A stored cross-site scripting issue exists in the knowledge base Doc rendering logic. An authenticated attacker with admin or agent editor privileges can persist arbitrary HTML or JavaScript in the `body` field of a knowledge base Doc. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Helpy version 2.8.0 **Description** A stored cross-site scripting issue exists in the post author display logic. A registered user can persist arbitrary HTML in the account name field, which is then rendered unescaped in public forum threads, the admin ticket view, and HTML notification emails sent to other users. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Frappe version 16.10.0 **Description** An authenticated attacker can persist crafted values in multiple field types to trigger client-side script execution when another user opens the affected document in Desk. This occurs because vulnerable formatter implementations interpolate stored values into raw HTML attributes and element content without proper escaping. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Frappe version 16.10.10 **Description** An authenticated attacker can store a crafted tag value in ` user tags` to trigger JavaScript execution when a victim opens the list or report view where tags are rendered. This occurs because the renderer interpolates tag content into HTML attributes and element content without proper escaping. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** iBoysoft NTFS for Mac version 8.0.0 **Description** iBoysoft NTFS for Mac contains a local privilege escalation issue in its privileged helper daemon, `ntfshelperd`. The daemon exposes an NSConnection service that operates with root privileges without implementing any authentication or authorization checks. This allows for potential unauthorized access and control over the system. **Recommendations** Update iBoysoft NTFS for Mac to a version with the fix. As a temporary workaround, consider disabling the `ntfshelperd` daemon until a patch is available.

**Name of the Vulnerable Software and Affected Versions** @fastify/middie versions prior to 9.2.0 **Description** A flaw exists in @fastify/middie that can lead to authentication or authorization bypass when path-scoped middleware is used, such as with `app.use('/secret', auth)`. This occurs when Fastify router normalization options are enabled, including options like `ignoreDuplicateSlashes`, `useSemicolonDelimiter`, and trailing-slash behavior. Specifically, specially crafted request paths may circumvent middleware checks while still reaching protected handlers. **Recommendations** Update @fastify/middie to version 9.2.0 or later.

**Name of the Vulnerable Software and Affected Versions** BuhoCleaner version 1.15.2 **Description** BuhoCleaner contains an insecure XPC service that allows local, unprivileged users to escalate their privileges to root. This is achieved through insecure functions within the XPC service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Nu Html Checker versions prior to commit 23f090a11bab8d0d4e698f1ffc197a4fe226a9cd **Description** The Nu Html Checker (validator.nu) is susceptible to a restriction bypass that enables remote attackers to initiate arbitrary HTTP/HTTPS requests to internal resources, including services on localhost. The application employs hostname-based protections to prevent direct access to localhost and 127.0.0.1, but these safeguards can be circumvented through DNS rebinding techniques or by utilizing domains that resolve to loopback addresses. This allows an attacker to potentially access internal systems and data. **Recommendations** Update Nu Html Checker to a version after commit 23f090a11bab8d0d4e698f1ffc197a4fe226a9cd.

**Name of the Vulnerable Software and Affected Versions** AirVPN Eddie version 2.24.6 **Description** The software contains an insecure XPC service that allows local, unprivileged users to escalate their privileges to root. **Recommendations** Update to a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** waveterm version 0.12.2 **Description** Code Injection using Electron Fuses in waveterm on MacOS allows TCC Bypass. The issue allows for code execution by exploiting Electron Fuses. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** BuhoNTFS version 1.3.2 **Description** BuhoNTFS contains an insecure XPC service that allows local, unprivileged users to escalate their privileges to root via insecure functions. The issue stems from vulnerabilities within the XPC service, enabling privilege escalation. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MacForge version 1.2.0 Beta 1 **Description** The software contains an insecure XPC service that allows local, unprivileged users to escalate their privileges to root. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Wulkano KAP version 3.6.0 Description: Improper Control of Generation of Code ('Code Injection') in Wulkano KAP on MacOS allows TCC Bypass. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** CandidATS version 3.0.0 Beta **Description** The issue allows an authenticated user to inject SQL queries through specific API endpoints, including '/index.php?m=settings&a=show' via the `userID` parameter, '/index.php?m=candidates&a=show' via the `candidateID` parameter, '/index.php?m=joborders&a=show' via the `jobOrderID` parameter, and '/index.php?m=companies&a=show' via the `companyID` parameter. **Recommendations** As a temporary workaround, consider restricting access to the vulnerable API endpoints '/index.php?m=settings&a=show', '/index.php?m=candidates&a=show', '/index.php?m=joborders&a=show', and '/index.php?m=companies&a=show' until a patch is available. Avoid using the parameters `userID`, `candidateID`, `jobOrderID`, and `companyID` in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Proton version 0.2.0 **Description** The issue allows an attacker to create a malicious link inside a markdown file. When the victim clicks the link, the application opens the site in the current frame, allowing an attacker to host JavaScript code in the malicious link in order to trigger an XSS attack. The 'nodeIntegration' configuration is set to on, which allows the webpage to use NodeJs features. An attacker can leverage this to run OS commands. **Recommendations** For Proton version 0.2.0, consider disabling the 'nodeIntegration' configuration to prevent the webpage from using NodeJs features until a patch is available. Restrict access to markdown files that may contain malicious links to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Thinfinity VNC version 4.0.0.1 **Description** The issue allows an unprivileged remote attacker to obtain an `ID` that can be used to send websocket requests and achieve remote code execution (RCE) if they can trick a user into browsing a malicious site. This is due to a Cross-Origin Resource Sharing (CORS) vulnerability. **Recommendations** For Thinfinity VNC version 4.0.0.1, as a temporary workaround, consider restricting access to the websocket endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ThinVNC version 1.0b1 **Description** The issue allows an unauthenticated user to bypass the authentication process via 'http://thin-vnc:8080/cmd?cmd=connect' by obtaining a valid SID without any kind of authentication. This can lead to code execution on the server by sending keyboard or mouse events to the server. **Recommendations** For ThinVNC version 1.0b1, as a temporary workaround, consider disabling access to the 'http://thin-vnc:8080/cmd?cmd=connect' endpoint until a patch is available. Restrict the ability to send keyboard or mouse events to the server to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.