Seth Kraft

**Name of the Vulnerable Software and Affected Versions** MISP versions prior to 2.5.38 **Description** An issue exists in the ShadowAttribute proposal creation workflow where the add action accepts user-controlled request data without removing the `id` field before saving the record. Since the underlying framework interprets a supplied primary key as an instruction to update an existing record, an authenticated user can provide the identifier of an existing ShadowAttribute to update it instead of creating a new proposal. This can lead to unauthorized modification of existing shadow attributes, potentially affecting proposals associated with events the user is not permitted to alter. Depending on the deployment configuration and API responses, this may also expose or move proposal data across event contexts. **Recommendations** Update to version 2.5.38.

**Name of the Vulnerable Software and Affected Versions** The product name cannot be determined (affected versions not specified) **Description** The CSP report endpoint incorrectly allowed reports up to 1 MB before truncation, despite being intended to limit logged CSP reports to 1 KB. When this endpoint is reachable by untrusted clients, it can be used to generate excessive log volume, leading to log flooding or resource exhaustion. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Netgate pfSense CE version 2.8.0 Description: The issue arises from the "WebCfg - Diagnostics: Command" privilege, which improperly allows users to read arbitrary files on the system through a directory traversal attack targeting the `diag command.php` `dlPath`. This behavior is considered intended by the supplier for this privilege level, with system administrators informed through product documentation and UI. Recommendations: For Netgate pfSense CE version 2.8.0, users should upgrade to a newer version once patches are released by Netgate. Alternatively, they should apply recommended workarounds restricting access to diagnostic commands until an official fix is available. As a temporary workaround, consider disabling the `diag command.php` functionality or restricting access to the `dlPath` directory to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: ClickHouse version 25.7.1.557 Description: The issue allows low-privileged users to execute shell commands by querying existing Executable() tables created by higher-privileged users. There is no access control preventing low-privileged users from invoking Executable tables already present in the system. If an attacker can influence the contents of the script referenced by the Executable() engine through writable paths, they may execute controlled commands in the context of the ClickHouse server, leading to privilege escalation and unauthorized code execution. Recommendations: For ClickHouse version 25.7.1.557, consider restricting access to existing Executable() tables to prevent low-privileged users from invoking them, or remove the Executable() tables if they are not necessary. As a temporary workaround, consider restricting writable paths that could be used to influence the script referenced by the Executable() engine.

**Name of the Vulnerable Software and Affected Versions** Nagios Log Server versions 2024R1.3.1 and earlier **Description** A Cross Site Scripting vulnerability in Nagios Log Server allows a remote attacker to execute arbitrary code via a payload into the `Email` field. This issue can be exploited by injecting malicious code into the email field, potentially leading to unauthorized access or data breaches. The estimated number of potentially affected devices worldwide is not specified. There is no information about real-world incidents where this issue was exploited. **Recommendations** For Nagios Log Server version 2024R1.3.1 and earlier, upgrade to version 2024R2 or 2024R1.3.2 to fix the issue. As a temporary workaround, consider restricting access to the email field to minimize the risk of exploitation. Avoid using the `Email` field in the affected version until the issue is resolved.