Richighimi

**Name of the Vulnerable Software and Affected Versions** Grav versions prior to 1.7.46 **Description** A low privilege user account with page edit privilege can read any server files using Twig Syntax, including Grav user account files - `/grav/user/accounts/*.yaml`, which stores hashed user password, 2FA secret, and the password reset token. This can allow an adversary to compromise any registered account by resetting a password for a user to get access to the password reset token from the file or by cracking the hashed password. A low privileged user may also perform a full account takeover of other registered users including Administrators. **Recommendations** For versions prior to 1.7.46, update to version 1.7.46 to resolve the issue. As a temporary workaround, consider restricting the use of Twig Syntax for low-privileged users until the patch is applied. Restrict access to the `/grav/user/accounts/*.yaml` files to minimize the risk of exploitation. Avoid using the `read file` function in Twig templates until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Grav versions prior to 1.7.45 **Description** A file upload path traversal vulnerability has been identified in Grav, an open-source, flat-file content management system. This vulnerability enables attackers to replace or create files with extensions like .json, .zip, .css, .gif, etc. It poses severe risks, including the ability to inject arbitrary code on the server, undermine the integrity of backup files by overwriting existing files or creating new ones, and exfiltrate sensitive data using CSS exfiltration techniques. **Recommendations** For Grav versions prior to 1.7.45, upgrade to the patched version 1.7.45 to mitigate the issue. As a temporary workaround, consider restricting access to the `checkFileMetadata()` function in the `MediaUploadTrait.php` file until a patch is available. Additionally, restrict the upload of files with sensitive extensions, such as .json, .zip, and .css, to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Docassemble versions prior to 1.4.97 **Description** The issue allows a user to type HTML into a field, including the field for the user's name, and then that HTML could be displayed on the screen as HTML. The HTML can also contain `<script>` tags, allowing JavaScript to execute on the page. **Recommendations** For versions prior to 1.4.97, update to version 1.4.97 of the master branch to resolve the issue. If upgrading is not possible, manually apply the changes of the specified commit and restart the server.

**Name of the Vulnerable Software and Affected Versions** Docassemble versions prior to 1.4.97 **Description** The issue allows an attacker to create a URL that acts as an open redirect. This can potentially be used to redirect users to malicious websites. **Recommendations** For versions prior to 1.4.97, update to version 1.4.97 or later to resolve the issue. As a temporary workaround, manually apply the changes of the patch and restart the server.

**Name of the Vulnerable Software and Affected Versions** Docassemble versions 1.4.53 through 1.4.96 **Description** The issue allows attackers to gain unauthorized access to information on the system through URL manipulation. It is an unauthenticated path traversal flaw that exposes sensitive files and secrets, leading to privilege escalation and template injection, enabling remote code execution. The vulnerability affects Docassemble, an expert system for guided interviews and document assembly. **Recommendations** For versions 1.4.53 through 1.4.96, update to version 1.4.97 of the master branch to resolve the issue. If upgrading is not possible, manually apply the changes of the patch and restart the server. As a temporary workaround, consider restricting access to sensitive files and secrets to minimize the risk of exploitation.