Coreshop · Coreshop · CVE-2026-41249
**Name of the Vulnerable Software and Affected Versions**
CoreShop versions 5.0.1 through 5.1.0-beta.1
**Description**
The GitHub Actions workflow located at `.github/workflows/static.yml` uses the `pull_request_target` trigger and checks out unverified code from the pull request head using `ref: ${{ github.event.pull_request.head.ref }}`. The workflow then executes the `bin/console` script from this untrusted checkout. This configuration allows an external attacker to achieve Remote Code Execution (RCE) on the GitHub Actions runner by submitting a malicious Pull Request, a scenario known as a Pwn Request. Because the process runs in the context of the base repository, the runner has access to repository secrets, which could be exfiltrated by an attacker.
**Recommendations**
For versions 5.0.1 through 5.1.0-beta.1, avoid checking out untrusted PR code (`head.ref`) when using `pull_request_target` if the code is to be built or executed.
As a mitigation, implement a separated architecture using the `workflow_run` event: use the `pull_request` event to run builds and tests in an unprivileged sandbox and upload artifacts, then use the `workflow_run` event to download those artifacts and perform actions requiring secrets.
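The split architecture recommended above, as an added illustration that is not CoreShop's own workflow file (the file names, the `bin/console` subcommand, the artifact name and the reporting step are assumptions):

```yaml
# Constructed illustration, not CoreShop's workflows. Two files are shown in one
# block separated by '---'; file names, commands and paths are assumptions.
# .github/workflows/pr-checks.yml -- unprivileged job that runs the fork's code
name: pr-checks
on:
  pull_request:            # for fork PRs: read-only GITHUB_TOKEN, no repository secrets
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # PR merge commit; fine, nothing privileged is in scope
      - name: Run checks from the untrusted checkout
        run: bin/console list       # stand-in for the project's real check command
      - name: Save the PR number for the privileged workflow
        run: echo "${{ github.event.pull_request.number }}" > pr-number.txt
      - uses: actions/upload-artifact@v4
        with:
          name: pr-results
          path: pr-number.txt
---
# .github/workflows/pr-report.yml -- privileged job that never checks out PR code
name: pr-report
on:
  workflow_run:
    workflows: ["pr-checks"]
    types: [completed]
permissions:
  pull-requests: write
jobs:
  report:
    runs-on: ubuntu-latest
    if: ${{ github.event.workflow_run.conclusion == 'success' }}
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: pr-results
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      # Artifact contents came from the untrusted run: validate, never execute.
      - name: Validate the PR number
        run: |
          pr="$(tr -d '[:space:]' < pr-number.txt)"
          echo "$pr" | grep -Eq '^[0-9]+$' || { echo "rejecting malformed artifact"; exit 1; }
          echo "PR_NUMBER=$pr" >> "$GITHUB_ENV"
      - name: Comment on the PR (secrets in scope, untrusted code never ran here)
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: gh pr comment "$PR_NUMBER" --repo "$GITHUB_REPOSITORY" --body "Static checks passed."
```

The privileged workflow treats everything it downloads as data produced by an untrusted run, so the `head.ref` checkout and the `bin/console` execution with secrets in scope both disappear.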