Realarcherl

Name of the Vulnerable Software and Affected Versions: Jellystat versions prior to 1.1.3 Description: Jellystat is a free and open source Statistics App for Jellyfin. In affected versions, Jellystat directly uses user input in the routes, which can lead to Path Traversal vulnerabilities. Although this functionality is only for administrators, the `DELETE` `files/:filename` command can be used to delete any file. This issue has been addressed in version 1.1.3. Recommendations: For versions prior to 1.1.3, update to version 1.1.3 to fix the Path Traversal vulnerability. As a temporary workaround, consider restricting access to the `DELETE` `files/:filename` command until the update is applied.

**Name of the Vulnerable Software and Affected Versions** path-sanitizer versions prior to 3.1.0 **Description** The path-sanitizer npm package has a path traversal vulnerability due to a filter bypass issue. This can be exploited using .=%5c, allowing an attacker to traverse the file system. Any CLI tool or library using this package can be vulnerable to path traversal. The issue is fixed in version 3.1.0. **Recommendations** For path-sanitizer versions prior to 3.1.0, update to version 3.1.0 or later to resolve the issue. As a temporary workaround, consider restricting the use of the `sanitize()` function until a patch is available. Avoid using the `.= %5c` sequence in paths to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Mirotalk versions prior to commit 9de226 **Description** The issue is related to incorrect access control in the component app/src/server.js, allowing unauthenticated attackers without presenter privileges to eject users from a meeting arbitrarily. **Recommendations** For versions prior to commit 9de226, update to a version that includes commit 9de226 or later to resolve the issue. As a temporary workaround, consider restricting access to the meeting functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** IDURAR (affected versions not specified) **Description** The issue exists in the corePublicRouter.js file of IDURAR, an open-source ERP CRM accounting invoicing software. A public endpoint is accessible to unauthenticated users, and user input is directly appended to the join statement without checks, allowing attackers to send URL-encoded malicious payloads. This enables directory structure escape to read system files by adding an encoded string at a subpath location. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Audiobookshelf versions prior to 2.13.0 **Description** Audiobookshelf is a self-hosted audiobook and podcast server where a non-admin user is not allowed to create libraries or access only the ones they have permission to. However, the `LibraryController` is missing the check for admin user, allowing a path traversal issue. This enables non-admin users to write to any directory in the system, which can be restricted to only admin permissions, making it a Role-Based Access Control (RBAC) issue. The issue has been addressed in release version 2.13.0. **Recommendations** For versions prior to 2.13.0, upgrade to version 2.13.0 to resolve the issue. As a temporary workaround, consider restricting access to the `LibraryController` to minimize the risk of exploitation. There are no known workarounds for this vulnerability other than upgrading to the fixed version.

**Name of the Vulnerable Software and Affected Versions** @jmondi/url-to-png versions prior to 2.1.2 **Description** The issue arises from the lack of sanitization of the `ImageId` input in the code, leading to a path traversal vulnerability. This allows an attacker to store an image in an arbitrary location that the server has permission to access. The vulnerability is different from traditional path traversal issues, as it enables storing images in any location. There are no known workarounds for this issue. **Recommendations** For versions prior to 2.1.2, upgrade to version 2.1.2 to address the issue. As a temporary workaround, consider sanitizing the `ImageId` input by removing special characters from the parameters, such as using the `slugify` function for the params. For example, modify the `imageId` assignment to `const imageId = dateString + "." + slugify(validData.url) + slugify(configToString(params));`. This will help prevent path traversal attacks until the official patch is applied.

**Name of the Vulnerable Software and Affected Versions** @jmondi/url-to-png versions prior to 2.1.1 **Description** The issue concerns the `ALLOW LIST` in the @jmondi/url-to-png package, which permits capturing screenshots of web services running on localhost, 127.0.0.1, or the [::] by default. If hosted on a server, users could capture screenshots of other web services running locally, potentially disclosing internal web services. This has been addressed with the addition of a blocklist in version 2.1.1. **Recommendations** For versions prior to 2.1.1, upgrade to version 2.1.1 to resolve the issue. As a temporary workaround, consider restricting access to the `ALLOW LIST` to minimize the risk of exploitation. Avoid using the package to capture screenshots of internal web services until the issue is resolved. At the moment, there is no other information about additional mitigation measures.