Tenbbughunters

**Name of the Vulnerable Software and Affected Versions** Chatwoot versions 2.2.0 through 4.11.1 **Description** An issue exists in the conversation and contact filter APIs where user-supplied values in the `values` field of the filter payload are interpolated directly into SQL queries without parameterization when filtering by custom attributes of type date or number using the `is greater than` or `is less than` operators. This allows an authenticated user with account access to execute arbitrary SQL via time-based blind injection. Affected endpoints include '/api/v1/accounts/{account id}/conversations/filter', '/api/v1/accounts/{account id}/contacts/filter', and '/api/v1/accounts/{account id}/custom attribute definitions'. **Recommendations** Update to version 4.11.2.

**Name of the Vulnerable Software and Affected Versions** Flowise versions prior to 3.1.0 **Description** The GraphCypherQAChain node forwards user-provided input directly into the Cypher query execution pipeline without proper sanitization. This allows an attacker to inject arbitrary Cypher commands that are executed on the underlying Neo4j database, potentially leading to data exfiltration, modification, deletion, or schema discovery. The issue occurs within the `run()` function of the `GraphCypherQAChain.ts` file, where the `query` variable is passed to the chain without escaping. Exploitation requires access to the prediction endpoint '/api/v1/prediction/{flowId}'. **Recommendations** Update to version 3.1.0. As a temporary workaround, restrict access to the '/api/v1/prediction/{flowId}' endpoint to authorized users only.

**Name of the Vulnerable Software and Affected Versions** Flowise versions prior to 3.0.13 **Description** Flowise has an issue where the NVIDIA NIM router endpoint ('/api/v1/nvidia-nim/*') was incorrectly whitelisted in the global authentication middleware. This allowed unauthenticated access to sensitive container management and token generation endpoints. Specifically, the issue stems from a configuration in `packages/server/src/utils/constants.ts` where the NVIDIA NIM route was added to the authentication whitelist, bypassing JWT/API-key validation. Affected endpoints include those for obtaining NVIDIA API tokens, managing container lifecycles (starting, stopping, pulling images), and retrieving container information. An attacker could exploit this to leak valid NVIDIA API tokens, manipulate container runtime, and potentially cause denial of service. The NVIDIA API token grants access to NVIDIA's inference API and can list over 170 large language models. **Recommendations** Versions prior to 3.0.13 should be updated to version 3.0.13 or later.

**Name of the Vulnerable Software and Affected Versions** Nginx UI versions prior to 2.3.3 **Description** Nginx UI is a web user interface for the Nginx web server. A critical flaw exists where the '/api/backup' endpoint is accessible without authentication. When this endpoint is accessed, the server provides a full system backup and discloses the AES-256 encryption keys (key and IV) required to decrypt the backup within the 'X-Backup-Security' response header. This allows an unauthenticated remote attacker to download and immediately decrypt sensitive data, including user credentials, session tokens, SSL private keys, and Nginx configurations. The issue is caused by the `CreateBackup()` function in `api/backup/router.go` being registered without authentication middleware. Approximately 500 active instances were identified in the RuNet segment, with 35% potentially affected. **Recommendations** Update Nginx UI to version 2.3.3 or higher. Restrict network access to the Nginx UI management interface so it is not accessible from the internet, utilizing a VPN or an allowlist of IP addresses. Implement additional authentication, such as HTTP Basic Authentication, at the reverse-proxy level. Rotate all secrets, including Nginx UI user passwords, SSL certificates, and session tokens. Audit logs for unauthorized requests to the '/api/backup' endpoint or the presence of the 'X-Backup-Security' header in responses.

**Name of the Vulnerable Software and Affected Versions** Gradio versions 4.16.0 through 6.5.9 **Description** Gradio is a Python package for rapid prototyping. Applications running outside of Hugging Face Spaces, versions 4.16.0 through 6.5.9, improperly handle OAuth components like `gr.LoginButton`. Visiting the `/login/huggingface` API endpoint triggers a process where the server retrieves and stores its Hugging Face access token in a session cookie. This cookie, signed with a hardcoded secret (`"-v4"`), can be decoded by remote attackers, potentially leading to credential theft. The vulnerable process occurs when an application is accessible over a network. **Recommendations** Update to Gradio version 6.6.0 or later.

**Name of the Vulnerable Software and Affected Versions** Gogs versions 0.13.4 and below **Description** Gogs, a self-hosted Git service, has an issue where the DeleteComment API does not properly verify if a comment belongs to the repository specified in the URL. This allows a repository administrator to delete comments from any other repository by providing arbitrary comment IDs, effectively bypassing authorization controls. The `DeleteComment` function retrieves a comment by ID without validating repository ownership, and the `Database` function `DeleteCommentByID` does not perform repository validation. The vulnerable API endpoint is `/owner/repo/issues/comments/:id/delete`. The vulnerable parameter is `:id`, representing the comment ID. **Recommendations** Update to version 0.14.0 or later to resolve this issue.