Stefan-Schiller-Sonarsource

**Name of the Vulnerable Software and Affected Versions** Overleaf Community Edition and Server Pro versions prior to 5.0.7 Overleaf Community Edition and Server Pro versions 4.x prior to 4.2.7 **Description** Overleaf is a web-based collaborative LaTeX editor. The issue allows an arbitrary language parameter in client spelling requests to be passed to the `aspell` executable running on the server, causing `aspell` to attempt to load a dictionary file with an arbitrary filename. File access is limited to the scope of the Overleaf server. **Recommendations** For versions prior to 5.0.7, upgrade to version 5.0.7 or later using the Overleaf toolkit `bin/upgrade` command. For versions 4.x prior to 4.2.7, upgrade to version 4.2.7 or later using the Overleaf toolkit `bin/upgrade` command. As a temporary workaround for users unable to upgrade, block POST requests to "/spelling/check" via a Web Application Firewall to prevent access to the vulnerable spell check feature.

**Name of the Vulnerable Software and Affected Versions** Overleaf Server Pro versions prior to 2024-07-17 Overleaf Server Pro using legacy docker-compose.yml versions prior to 2024-08-28 **Description** Overleaf is a web-based collaborative LaTeX editor. When installing Server Pro using the Overleaf Toolkit from before 2024-07-17 or legacy docker-compose.yml from before 2024-08-28, the configuration for LaTeX compiles was insecure by default. This required the administrator to enable the security features via a configuration setting (`SIBLING CONTAINERS ENABLED` in Toolkit, `SANDBOXED COMPILES` in legacy docker-compose/custom deployments). If these security features are not enabled, users have access to the `sharelatex` container resources (filesystem, network, environment variables) when running compiles, leading to multiple file access vulnerabilities, either directly or via symlinks created during compiles. **Recommendations** For existing installations using the previous default setting, migrate to using sibling containers. Set `SIBLING CONTAINERS ENABLED=true` in `config/overleaf.rc` as a mitigation. In legacy docker-compose/custom deployments, use `SANDBOXED COMPILES=true`.

**Name of the Vulnerable Software and Affected Versions** OpenAPI Generator versions prior to 7.6.0 **Description** The issue is related to incorrect restriction of the path name to a directory with limited access. Exploitation of this issue may allow a remote attacker to bypass security restrictions and gain read, modify, or delete access to data using the `outputFolder` option. This can lead to reading and deleting files and folders from an arbitrary, writable directory. **Recommendations** For versions prior to 7.6.0, update to version 7.6.0 or later, which removes the usage of the `outputFolder` option, thus fixing the issue. As a temporary workaround, consider restricting access to the `outputFolder` option to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Firefly III versions prior to 6.1.1 **Description** The issue allows for HTML injection in webhooks. It is related to a Client-Side Path Traversal (CSPT) vulnerability, which can be used to control data that was assumed to be uncontrollable. This occurs when bypassing built-in sanitization. **Recommendations** For versions prior to 6.1.1, update to version 6.1.1 or later to resolve the issue. As a temporary workaround, consider restricting the use of webhooks until a patch is applied. Avoid using potentially vulnerable webhooks in the affected versions to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Squidex versions (affected versions not specified) **Description** The issue concerns an arbitrary file write vulnerability in the backup restore feature of Squidex, allowing an authenticated attacker with the `squidex.admin.restore` permission to gain remote code execution (RCE). This occurs because the `BackupAssets.ReadAssetAsync` method does not properly sanitize the `assetId` when storing assets in the filestore, enabling an attacker to run arbitrary operating system commands on the underlying server. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Squidex (affected versions not specified) **Description** The issue concerns a Cross-Site Scripting (XSS) vulnerability due to missing origin verification in a postMessage handler. This affects the editor-sdk.js file, which defines class-like functions such as SquidexSidebar, SquidexWidget, and SquidexFormField. These functions employ a global message event listener that takes action based on the received message type. For instance, the SquidexFormField updates its value property when it receives a message with the type 'valueChanged'. This class is used in the editor-editorjs.html file, accessible via the public wwwroot folder, where it registers a callback function using the onValueChanged method. This method passes the value from the message event to the editor.render, introducing an XSS vulnerability if an attacker-controlled value is passed. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenRefine versions prior to 3.7.4 **Description** The issue is related to a Zip Slip vulnerability in OpenRefine, which can be exploited by a specially crafted malicious OpenRefine project tar file. This can lead to arbitrary code execution in the context of the OpenRefine process if a user imports the malicious file. **Recommendations** For OpenRefine versions prior to 3.7.4, update to OpenRefine 3.7.4 as soon as possible. For users unable to upgrade, only import OpenRefine projects from trusted sources. As a temporary workaround, consider restricting the import of OpenRefine projects to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Cacti versions prior to 1.2.23 **Description** A command injection vulnerability in Cacti allows an unauthenticated user to execute arbitrary code on a server running Cacti, if a specific data source was selected for any monitored device. The vulnerability resides in the `remote agent.php` file, which can be accessed without authentication. An attacker can bypass the authentication by providing a header `Forwarded-For: <TARGETIP>`, allowing the function `get client addr` to return the IP address of the server running Cacti. The attacker can then trigger different actions, including the `polldata` action, which retrieves request parameters and loads corresponding `poller item` entries from the database. If the `action` of a `poller item` equals `POLLER ACTION SCRIPT PHP`, the function `proc open` is used to execute a PHP script, leading to a command injection vulnerability. The attacker-controlled parameter `$poller id` can be used to execute arbitrary commands. **Recommendations** To resolve the issue, update to version 1.2.23 or later. As a temporary workaround, consider restricting access to the `remote agent.php` file and the `poll for data` function to prevent unauthorized access. Additionally, restrict the use of the `proc open` function to prevent command injection attacks. Avoid using the `get client addr` function to determine the IP address of the client, as it can be bypassed by an attacker. Instead, use a more secure method to authenticate clients and authorize access to the `remote agent.php` file.