Sivanesh Ashok

**Name of the Vulnerable Software and Affected Versions** Looker versions prior to 24.12.108 Looker versions prior to 24.18.200 Looker versions prior to 25.0.78 Looker versions prior to 25.6.65 Looker versions prior to 25.8.47 Looker versions prior to 25.12.10 Looker versions prior to 25.14 **Description** A Looker user with a Developer role could potentially cause Looker to execute a malicious command. This is due to insecure processing of Teradata driver parameters. Both Looker-hosted and Self-hosted instances were found to be affected. The issue has been mitigated for Looker-hosted instances, requiring no user action. The issue involves the processing of parameters within the Teradata driver, potentially allowing for command execution. **Recommendations** Upgrade to Looker version 24.12.108 or later. Upgrade to Looker version 24.18.200 or later. Upgrade to Looker version 25.0.78 or later. Upgrade to Looker version 25.6.65 or later. Upgrade to Looker version 25.8.47 or later. Upgrade to Looker version 25.12.10 or later. Upgrade to Looker version 25.14 or later.

**Name of the Vulnerable Software and Affected Versions** Looker versions prior to 24.18.201 Looker versions prior to 25.0.79 Looker versions prior to 25.6.66 Looker versions prior to 25.12.7 Looker versions prior to 25.16.0 Looker versions prior to 25.18.0 Looker versions prior to 25.20.0 **Description** An attacker with viewer permissions in Looker could create a malicious URL. When opened by a Looker administrator, this URL would execute an attacker-supplied script. Exploitation requires at least one Looker extension to be installed. This issue affects both Looker-hosted and self-hosted instances. The issue has been mitigated for Looker-hosted instances, requiring no user action. **Recommendations** Upgrade self-hosted instances to version 24.18.201 or later. Upgrade self-hosted instances to version 25.0.79 or later. Upgrade self-hosted instances to version 25.6.66 or later. Upgrade self-hosted instances to version 25.12.7 or later. Upgrade self-hosted instances to version 25.16.0 or later. Upgrade self-hosted instances to version 25.18.0 or later. Upgrade self-hosted instances to version 25.20.0 or later.

**Name of the Vulnerable Software and Affected Versions** Looker versions prior to 24.12.100 Looker versions prior to 24.18.193 Looker versions prior to 25.0.69 Looker versions prior to 25.6.57 Looker versions prior to 25.8.39 Looker versions prior to 25.10.22 Looker versions prior to 25.12.0 **Description** An attacker could potentially take over a Looker account in instances configured with OIDC authentication. This is due to an issue with email address string normalization, specifically a punycode homograph attack. The issue affects both Looker-hosted and self-hosted instances. The vulnerability has been mitigated for Looker-hosted instances. **Recommendations** Upgrade self-hosted instances to version 24.12.100 or later. Upgrade self-hosted instances to version 24.18.193 or later. Upgrade self-hosted instances to version 25.0.69 or later. Upgrade self-hosted instances to version 25.6.57 or later. Upgrade self-hosted instances to version 25.8.39 or later. Upgrade self-hosted instances to version 25.10.22 or later. Upgrade self-hosted instances to version 25.12.0 or later.

Name of the Vulnerable Software and Affected Versions: Bolt CMS versions 3.7.0 and earlier Description: The issue allows an authenticated user to achieve remote code execution. This is done by injecting arbitrary PHP code into the `displayname` field of the user profile, which is rendered unsanitized in backend templates. The attacker can list and rename cached session files via the "/async/browse/cache/.sessions" and "/async/folder/rename" endpoints. By renaming a .session file to a path under the publicly accessible "/files/" directory with a .php extension, the attacker can turn the injected code into an executable web shell. The attacker then triggers the payload via a crafted HTTP GET request to the rogue file. Recommendations: For Bolt CMS versions 3.7.0 and earlier, consider updating to a version that is still supported, as Bolt 3 reached end-of-life after 31 December 2021. As a temporary workaround, consider restricting access to the "/async/browse/cache/.sessions" and "/async/folder/rename" endpoints to minimize the risk of exploitation. Avoid using the `displayname` field in user profiles until the issue is resolved. Restrict access to the "/files/" directory to prevent execution of malicious PHP code.

**Name of the Vulnerable Software and Affected Versions** October CMS versions 1.0.319 through 1.0.465 RainLab.Blog plugin versions prior to 1.4.1 **Description** A user with access to a markdown FormWidget that stores data persistently could create a stored XSS attack against themselves and any other users with access to the generated HTML from the field. This issue has been fixed by restricting the ability to store JS in markdown to only users that have been explicitly granted the `backend.allow unsafe markdown` permission. **Recommendations** For October CMS versions 1.0.319 through 1.0.465, update to version 1.0.466 or later. For RainLab.Blog plugin versions prior to 1.4.1, update to version 1.4.1 or later. As a temporary workaround, consider applying the manual patches to your installation if unable to upgrade to the fixed versions.

**Name of the Vulnerable Software and Affected Versions** OctoberCMS versions 1.0.319 through 1.0.465 **Description** The issue allows users with the ability to modify data that could be exported as a CSV file from the `ImportExportController` to potentially introduce a CSV injection, causing the generated CSV export file to be malicious. This requires attackers to find a vulnerability in the victim's spreadsheet software, control data that would be exported, and convince the victim to export and run the data in vulnerable software while bypassing sanity checks. **Recommendations** For OctoberCMS versions 1.0.319 through 1.0.465, update to Build 466 (v1.0.466) to resolve the issue. As a temporary workaround, apply the patches from https://github.com/octobercms/library/commit/c84bf03f506052c848f2fddc05f24be631427a1a and https://github.com/octobercms/october/commit/802d8c8e09a2b342649393edb6d3ceb958851484 to your installation manually if unable to upgrade to Build 466.

**Name of the Vulnerable Software and Affected Versions** OctoberCMS versions 1.0.319 through 1.0.465 **Description** A user with the ability to use the import functionality of the `ImportExportController` behavior can be socially engineered by an attacker to upload a maliciously crafted CSV file, which could result in a reflected XSS attack on the user in question. **Recommendations** For versions 1.0.319 through 1.0.465, update to Build 466 (v1.0.466) to resolve the issue. As a temporary workaround, apply the patch from https://github.com/octobercms/october/commit/cd0b6a791f995d86071a024464c1702efc50f46c to your installation manually if unable to upgrade to Build 466.

**Name of the Vulnerable Software and Affected Versions** OctoberCMS versions 1.0.319 through 1.0.465 **Description** An attacker can exploit this issue to upload various file types, including jpg, jpeg, bmp, png, webp, gif, ico, css, js, woff, woff2, svg, ttf, eot, json, md, less, sass, scss, and xml files, to any directory of an October CMS server. The issue is only exploitable by an authenticated backend user with the `cms.manage assets` permission. **Recommendations** For versions 1.0.319 through 1.0.465, update to Build 466 (v1.0.466) to resolve the issue. As a temporary workaround, consider applying the patch from https://github.com/octobercms/october/commit/6711dae8ef70caf0e94cec434498012a2ccd86b8 to your installation manually if unable to upgrade to Build 466.

**Name of the Vulnerable Software and Affected Versions** OctoberCMS versions 1.0.319 through 1.0.465 **Description** An attacker can exploit this issue to delete arbitrary local files of an October CMS server. The issue is only exploitable by an authenticated backend user with the `cms.manage assets` permission. **Recommendations** For versions 1.0.319 through 1.0.465, update to Build 466 (v1.0.466) to resolve the issue. As a temporary workaround, consider applying the patch from https://github.com/octobercms/october/commit/2b8939cc8b5b6fe81e093fe2c9f883ada4e3c8cc to your installation manually if unable to upgrade to Build 466.

**Name of the Vulnerable Software and Affected Versions** OctoberCMS versions 1.0.319 through 1.0.465 **Description** An attacker can exploit this issue to read local files of an October CMS server. The issue is only exploitable by an authenticated backend user with the `cms.manage assets` permission. **Recommendations** For versions 1.0.319 through 1.0.465, update to Build 466 (v1.0.466) to resolve the issue. As a temporary workaround for versions that cannot be updated to Build 466, apply the patch from https://github.com/octobercms/october/commit/2b8939cc8b5b6fe81e093fe2c9f883ada4e3c8cc to your installation manually.