Sean Wright

**Name of the Vulnerable Software and Affected Versions** Harbor versions 1.10.3 and earlier, Harbor versions 2.x before 2.0.1 **Description** The issue allows unauthenticated API calls to reveal whether a resource exists via the HTTP status code, enabling resource enumeration. An attacker can make use of the Harbor API to make unauthenticated calls to the Harbor instance and work out which resources exist and which do not. This provides them with information such as existing projects, repositories, etc. The following API resources were found to be vulnerable to enumeration attacks: "/api/chartrepo/{repo}/prov" (POST), "/api/chartrepo/{repo}/charts" (GET, POST), "/api/chartrepo/{repo}/charts/{name}" (GET, DELETE), "/api/chartrepo/{repo}/charts/{name}/{version}" (GET, DELETE), "/api/labels?name={name}&scope=p" (GET), "/api/repositories?project id={id}" (GET), "/api/repositories/{repo name}/" (GET, PUT, DELETE), "/api/repositories/{repo name}/tags" (GET), "/api/repositories/{repo name}/tags/{tag}/manifest?version={version}" (GET), "/api/repositories/{repo name}/{tag}/labels" (GET), "/api/projects?project name={name}" (HEAD), "/api/projects/{project id}/summary" (GET), "/api/projects/{project id}/logs" (GET), "/api/projects/{project id}" (GET, PUT, DELETE), "/api/projects/{project id}/metadatas" (GET, POST), and "/api/projects/{project id}/metadatas/{metadata name}" (GET, PUT). **Recommendations** Update to version 1.10.3 or 2.0.1 to patch this issue immediately. As a temporary workaround, consider restricting access to the vulnerable API endpoints until a patch is available. Avoid using the vulnerable API endpoints in the affected Harbor instances until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Navigate CMS version 2.9 r1433 **Description** An issue in the forgot-password feature of Navigate CMS allows users to reset their passwords by using either their username or the email address associated with their account. However, the feature returns a not found message when the provided username or email address does not match a user in the system. This can be used to enumerate users. **Recommendations** For Navigate CMS version 2.9 r1433, consider modifying the forgot-password feature to return a generic message instead of indicating whether the username or email address is associated with a user, thereby preventing user enumeration. As a temporary workaround, consider restricting access to the forgot-password feature until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Navigate CMS version 2.9 r1433 **Description** An issue was discovered that allows unauthorized users to reset passwords without a valid activation code. When no activation code is supplied during a password reset, the system permits the user to continue setting a password, which results in the password being set for the most recently created user in the system, i.e., the user with the highest user id. **Recommendations** For Navigate CMS version 2.9 r1433, as a temporary workaround, consider disabling the password reset functionality until a patch is available. Restrict access to the password reset module to minimize the risk of exploitation. Avoid using the password reset feature until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Navigate CMS version 2.9 r1433 **Description** An issue was discovered where sessions and associated information, such as CSRF tokens, are stored in cleartext files in the /private/sessions directory. This could allow an unauthenticated user to use a brute-force approach to attempt to identify existing sessions or view the contents of this file to discover details about a session. **Recommendations** For Navigate CMS version 2.9 r1433, consider restricting access to the /private/sessions directory to prevent unauthorized viewing of session information. As a temporary workaround, implement additional security measures to protect against brute-force attacks on session identification.

**Name of the Vulnerable Software and Affected Versions** Navigate CMS version 2.9 r1433 **Description** The issue is related to a stored XSS that is executed on the pages for viewing and editing users. This is present in both the `User` field and the `E-Mail` field. On the Edit user page, the XSS is triggered via the `E-Mail` field, while on the View user page, it is triggered via either the `User` field or the `E-Mail` field. **Recommendations** For Navigate CMS version 2.9 r1433, as a temporary workaround, consider disabling the editing and viewing of user profiles until a patch is available. Restrict access to the user management module to minimize the risk of exploitation. Avoid using the `User` and `E-Mail` fields in the affected pages until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Sky Go Desktop application versions 1.0.19-1 through 1.0.23-1 **Description** The issue concerns the use of cleartext HTTP for several requests, making the submitted data susceptible to Man in The Middle (MiTM) attacks. An attacker could obtain sensitive information, such as the victim's Sky username, which is sent in some of these requests. **Recommendations** For Sky Go Desktop application versions 1.0.19-1 through 1.0.23-1, consider disabling the use of cleartext HTTP requests until a patch is available. Restrict access to sensitive information, such as the Sky username, to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Motorola MBP853 (affected versions not specified) **Description** The issue concerns the Motorola MBP853 firmware's failure to properly validate server certificates, making it susceptible to a Man in The Middle (MiTM) attack. This could occur between the Motorola MBP853 camera and the servers it communicates with. In a specific instance, the device was found downloading what seemed to be a client certificate. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TP-Link TL-WR840N version prior to 3.13.27 build 141120 **Description** A cross-site request forgery issue exists in the administration console, allowing remote attackers to hijack administrator authentication for requests that change router settings via a configuration file import. **Recommendations** For versions prior to 3.13.27 build 141120, update the firmware to version 3.13.27 build 141120 or later to resolve the issue. As a temporary workaround, consider restricting access to the administration console and avoiding the use of configuration file imports until the update is applied.