Qiaonpc

**Name of the Vulnerable Software and Affected Versions** Chartbrew versions 4.9.0 through 5.0.0 **Description** An authenticated user with project-editor permissions can store arbitrary HTML and JavaScript in the `ChartDatasetConfig.legend` field. This payload is saved in the database and injected into the tooltip DOM element through an unguarded `innerHTML` assignment in the `ChartTooltip.js` file. Consequently, any unauthenticated viewer of a public dashboard will trigger the execution of the JavaScript on page load without requiring any interaction. This is a Stored Cross-Site Scripting (XSS) issue, where malicious scripts are permanently stored on the target server and served to other users. **Recommendations** Update to version 5.0.1.

**Name of the Vulnerable Software and Affected Versions** FileRise versions prior to 3.12.0 **Description** FileRise is a self-hosted web-based file manager. The endpoint '/api/totp setup.php' can be accessed by a session that has only completed the password verification (state `pending login user`). If the target account has Time-based One-Time Password (TOTP) configured, the endpoint decrypts and returns the existing TOTP secret within a QR PNG image. An attacker with the victim's password can retrieve this secret, generate a valid one-time code, and submit it to the '/api/totp verify.php' endpoint to gain a fully authenticated session without the physical authenticator device. **Recommendations** Update to version 3.12.0.

**Name of the Vulnerable Software and Affected Versions** mistune (affected versions not specified) **Description** The Image directive plugin fails to properly validate the `:width:` and `:height:` options. The validation uses a regular expression that only checks if the value starts with a digit, rather than ensuring the entire string is a valid number. When a value is not a plain integer, it is inserted directly into a `style` attribute without escaping. This allows an attacker to inject arbitrary CSS properties by providing a value that begins with digits followed by malicious CSS. For example, using the `:width:` parameter, an attacker can inject properties such as `position:fixed`, `background-color`, and `z-index` to create a full-page phishing overlay or perform UI redressing attacks, effectively covering the entire browser viewport and concealing legitimate page content. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Mistune versions prior to 3.2.1 **Description** The `render toc ul()` function builds a table-of-contents tree from a list of tuples. The `id` value, used for the `href` attribute, and the `text` value, used as the link label, are inserted into `<a>` tags using a plain Python format string without HTML escaping. When heading IDs are derived from user-supplied text, an attacker can craft a heading that breaks out of the `href` attribute context to inject arbitrary HTML tags, such as `<script>` blocks, directly into the rendered table of contents. This occurs specifically within the `render toc ul()` function located in `src/mistune/toc.py`. **Recommendations** Update to version 3.2.1. As a temporary workaround, restrict the use of custom `heading id` callbacks that return raw user-supplied text as the ID.

**Name of the Vulnerable Software and Affected Versions** jotty·page versions prior to 1.22.0 **Description** An unauthenticated path traversal issue exists in the '/api/app-icons/[filename]' endpoint. The `filename` route parameter is joined into a filesystem path without proper traversal or boundary validation, which allows an attacker to read files located outside the 'data/uploads/app-icons/' directory. Path traversal is a technique that allows an attacker to access files and directories that are stored outside the web root folder. **Recommendations** Update to version 1.22.0.

**Name of the Vulnerable Software and Affected Versions** mistune versions prior to 3.2.1 **Description** In the `HTMLRenderer.heading()` function within `src/mistune/renderers/html.py`, the `id` attribute of heading tags is constructed by directly concatenating the value into the HTML without sanitization. When the `add toc hook()` API is used with a custom `heading id` callback that returns raw heading text (a common practice for creating human-readable slug anchors), an attacker can inject a double-quote character to terminate the attribute and insert arbitrary HTML attributes, such as event handlers. This allows for the execution of malicious JavaScript when a user interacts with the heading. **Recommendations** Update to version 3.2.1 or later. As a temporary workaround, ensure that any custom callback passed to `add toc hook()` independently sanitizes or escapes the `heading id` value before returning it.

**Name of the Vulnerable Software and Affected Versions** Plainpad versions prior to 1.1.1 **Description** Plainpad allows a low-privilege authenticated user to escalate their privileges to administrator. This occurs because the endpoint "/api.php/v1/users/{id}" directly persists the `admin` attribute from user input. By submitting `admin=true` via a PUT request to this endpoint, a user can gain immediate access to administrator-only routes. **Recommendations** Update to version 1.1.1.

**Name of the Vulnerable Software and Affected Versions** Mistune (affected versions not specified) **Description** The math plugin in Mistune fails to sanitize user-supplied content when rendering inline math (`$...$`) and block math (`$$...$$`). The plugin concatenates raw input directly into the HTML output, ignoring the `escape=True` flag intended to ensure all user-controlled text is sanitized before reaching the DOM. This occurs within the `render inline math()` and `render block math()` functions located in `src/mistune/plugins/math.py`, which do not call the necessary escaping utilities or check the renderer's escape status. Consequently, an attacker can bypass security controls to execute Cross-Site Scripting (XSS) attacks, potentially allowing the exfiltration of session cookies, mutation of page content, or redirection of users. **Recommendations** As a temporary workaround, consider disabling the math plugin until a patch is available.

**Name of the Vulnerable Software and Affected Versions** titra version 0.99.52 **Description** The `globalsettings` Meteor publication returns all global settings without performing administrative or role-based access checks. This allows any authenticated user to subscribe via DDP (Distributed Data Protocol, a real-time communication protocol used by Meteor) and retrieve sensitive configuration fields, including `google secret`, `openai apikey`, and `google clientid`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Saltcorn versions prior to 1.4.6 Saltcorn versions prior to 1.5.6 Saltcorn versions prior to 1.6.0-beta.5 **Description** Saltcorn is an extensible, open source, no-code database application builder. A SQL injection in the mobile-sync routes allows any authenticated low-privilege user with read access to at least one table to inject arbitrary SQL through sync parameters. This can result in full database exfiltration, including admin password hashes and configuration secrets, and may enable database modification or destruction depending on the backend. **Recommendations** Update to version 1.4.6 Update to version 1.5.6 Update to version 1.6.0-beta.5

Name of the Vulnerable Software and Affected Versions Genealogy versions prior to 5.9.1 Description The Genealogy PHP application contains a broken access control issue. An authenticated user can transfer ownership of any non-personal team to themselves, leading to complete takeover of other users’ team workspaces and unrestricted access to associated genealogy data. The vulnerable function is `TeamController::transferOwnership()`, which lacks proper authorization checks. This is triggered by a single POST request. Recommendations Update to version 5.9.1 or later.

Name of the Vulnerable Software and Affected Versions D-Tale versions prior to 3.22.0 Description D-Tale, comprising a Flask back-end and a React front-end for viewing and analyzing Pandas data structures, had a remote code execution issue. Hosting D-Tale publicly with a redis or shelf storage layer could allow attackers to execute malicious code on the server. Recommendations Upgrade to version 3.22.0.

Name of the Vulnerable Software and Affected Versions Scoold versions prior to 1.66.1 Description Scoold, a Q&A and knowledge sharing platform, has an authorization issue in feedback deletion. Any authenticated user with low privileges can delete feedback posts created by other users by submitting the post's ID to the API endpoint ''/feedback/{id}/delete''. The system verifies user authentication but does not confirm if the user has permission to delete the feedback item before proceeding with the deletion. The `id` variable in the API endpoint is used to identify the feedback post to be deleted. Recommendations Update Scoold to version 1.66.1 or later.

Name of the Vulnerable Software and Affected Versions Cr*nMaster versions prior to 2.2.0 Description Cr*nMaster is a Cronjob management UI. Prior to version 2.2.0, an authentication bypass exists in the middleware. When the middleware’s session-validation fetch fails, unauthenticated requests with an invalid session cookie are incorrectly treated as authenticated. This can lead to unauthorized access to protected pages and the unauthorized execution of privileged Next.js Server Actions. Recommendations Update to version 2.2.0 or later.

PdfDing is a selfhosted PDF manager, viewer and editor offering a seamless user experience on multiple devices. Prior to version 1.7.0, an access-control vulnerability allows unauthenticated users to retrieve password-protected shared PDFs by directly calling the file-serving endpoint without completing the password verification flow. This results in unauthorized access to confidential documents that users expected to be protected by a shared-link password. This issue has been patched in version 1.7.0.

**Name of the Vulnerable Software and Affected Versions** Fireshare versions prior to 1.5.2 **Description** Fireshare facilitates self-hosted media and link sharing. Version 1.5.1 contains an authenticated path traversal vulnerability in the chunked upload endpoint. The `checkSum` multipart field is used directly in filesystem path construction without sanitization or containment checks. This allows an attacker to write arbitrary files to attacker-chosen paths writable by the Fireshare process, such as the `/tmp` container, potentially enabling follow-on attacks depending on deployment. This compromises the integrity of the system. **Recommendations** Update to version 1.5.2 or later.

**Name of the Vulnerable Software and Affected Versions** Ech0 versions prior to 4.2.0 **Description** The `GET /api/allusers` API endpoint is publicly accessible, allowing remote unauthenticated user enumeration and exposure of user profile metadata. The route is registered under public routes in `internal/router/user.go:17` and is called using `appRouterGroup.PublicRouterGroup.GET("/allusers", h.UserHandler.GetAllUsers())`. Despite API documentation indicating an authentication requirement (`@Security ApiKeyAuth`), the endpoint does not enforce it. This allows unauthorized access to user data, potentially enabling account reconnaissance and targeted credential attacks. **Recommendations** Update Ech0 to version 4.2.0 or later.