Rex50527

**Name of the Vulnerable Software and Affected Versions** Actual versions prior to 26.4.0 **Description** Authenticated users, including those with the `BASIC` role, can escalate their privileges to `ADMIN` on servers that migrated from password authentication to OpenID Connect. This is possible through an exploit chain involving three weaknesses. First, the endpoint '/account/change-password' lacks authorization checks, allowing any session to overwrite the password hash. Second, the password `auth` row is not removed during migration, leaving an orphaned target. Third, the login endpoint accepts a client-supplied `loginMethod` variable, which can be used to bypass the server's active authentication configuration. By chaining these, an attacker can set a known password and authenticate as the anonymous admin account created during multiuser migration. **Recommendations** Update to version 26.4.0. As a temporary workaround, administrators who have fully migrated to OpenID and do not require password authentication can remove the orphaned row by executing: DELETE FROM auth WHERE method = 'password';

**Name of the Vulnerable Software and Affected Versions** Anchorr versions 1.4.1 and below **Description** Anchorr is a Discord bot used for requesting movies and TV shows and receiving notifications when items are added to a media server. A stored cross-site scripting (XSS) issue exists in the Jellyseerr user selector. This allows any account holder to execute arbitrary JavaScript in the Anchorr administrator's browser session. The injected script targets the `/api/config` API endpoint, which returns the full application configuration in plaintext. Successful exploitation enables an attacker to forge a valid Anchorr session token, gaining full administrative access to the dashboard without knowing the administrator's password. The response also reveals API keys and tokens for integrated services, potentially leading to account takeover of the Jellyfin media server (via `JELLYFIN API KEY`), the Jellyseerr request manager (via `JELLYSEERR API KEY`), and the Discord bot (via `DISCORD TOKEN`). **Recommendations** Anchorr versions 1.4.1 and below should be updated to version 1.4.2 or later.