Snailsploit

**Name of the Vulnerable Software and Affected Versions** AVideo versions 29.0 and earlier **Description** An issue exists in the open source video platform where the endpoint "objects/mention.json.php" lacks a `User::loginCheck()` or admin gate. The endpoint only implements an entry guard using `preg match('/^@/', $ REQUEST['term'])` and a hard-coded `rowCount=10`. This allows unauthenticated users to perform user enumeration by manipulating the `term` variable. **Recommendations** Update AVideo to a version later than 29.0. As a temporary workaround, restrict access to the "objects/mention.json.php" endpoint to minimize the risk of user enumeration.

**Name of the Vulnerable Software and Affected Versions** WWBN AVideo versions 29.0 and earlier **Description** Certain components, including `EpgParser.php` and `plugin/AI/receiveAsync.json.php`, fail to utilize the `$resolvedIP` out-parameter of the `isSSRFSafeURL()` function for DNS pinning via `CURLOPT RESOLVE`. This oversight creates a Time-of-Check to Time-of-Use (TOCTOU) condition, which allows for DNS rebinding attacks. DNS rebinding is a technique used to bypass security restrictions by changing the IP address associated with a domain name between the time the application validates the address and the time it actually accesses the resource. **Recommendations** Update to a version where `EpgParser.php` and `plugin/AI/receiveAsync.json.php` are patched to use redirect-safe methods or correctly implement DNS pinning using the `$resolvedIP` parameter with `CURLOPT RESOLVE`.

**Name of the Vulnerable Software and Affected Versions** AVideo versions prior to 29.0 **Description** Two endpoints, 'plugin/AI/receiveAsync.json.php' and 'objects/EpgParser.php', use the `isSSRFSafeURL()` function to validate user-supplied URLs but then fetch them using `file get contents()` without disabling automatic redirect following. This allows an attacker to provide a URL that redirects to an internal or cloud-metadata address (such as 'http://169.254.169.254/latest/meta-data/'), bypassing SSRF protections because only the initial URL is validated. This can lead to the exfiltration of IAM credentials, instance identity, or access to internal services and port scanning. Additionally, several callers of `isSSRFSafeURL()` discard the `$resolvedIP` parameter intended for DNS pinning, making them susceptible to DNS rebinding TOCTOU (Time-of-Check to Time-of-Use) attacks. This occurs when a domain's DNS record changes between the time of validation and the time of the actual request. Affected callers include: - 'objects/aVideoEncoderReceiveImage.json.php' - 'objects/aVideoEncoder.json.php' - 'plugin/BulkEmbed/save.json.php' - 'plugin/AI/receiveAsync.json.php' - 'objects/EpgParser.php' - 'plugin/Scheduler/Scheduler.php' **Recommendations** Update AVideo to a version later than 29.0. As a temporary workaround, restrict access to the 'plugin/AI/receiveAsync.json.php' and 'objects/EpgParser.php' endpoints to minimize the risk of redirect-based SSRF.

**Name of the Vulnerable Software and Affected Versions** DDEV versions prior to 1.25.2 **Description** DDEV is an open-source tool for running local web development environments for PHP and Node.js. The software performs unsanitized extraction of archives from remote sources without path validation within the `Untar()` and `Unzip()` functions located in `pkg/archive/archive.go`. **Recommendations** Update to version 1.25.2.

**Name of the Vulnerable Software and Affected Versions** CairoSVG versions prior to 2.9.0 **Description** CairoSVG is an SVG converter based on Cairo, a 2D graphics library. A denial of service can occur due to recursive `<use>` element amplification within the `cairosvg/defs.py` file, specifically in the `use()` function. This amplification leads to CPU exhaustion even from a small input file. A 1,411-byte SVG payload can pin the CPU at 100% indefinitely. The issue arises from the recursive processing of `<use>` elements without depth or count limits. The amplification factor is O(10^N) rendering calls from O(N) input. **Recommendations** Update CairoSVG to version 2.9.0 or later. As a temporary workaround, consider limiting the recursion depth within the `use()` function to prevent excessive CPU usage.