Theamanrawat

**Name of the Vulnerable Software and Affected Versions** Mastodon versions prior to 4.5.8 Mastodon versions prior to 4.4.15 Mastodon versions prior to 4.3.21 **Description** Mastodon, a free and open-source social network server based on ActivityPub, contains an unauthenticated Open Redirect issue in the `/web/*` route. This is due to improper handling of URL-encoded path segments. An attacker can create a specially encoded URL that redirects users to an arbitrary external domain, potentially enabling phishing attacks and OAuth credential theft. The issue arises because URL-encoded slashes (`%2F`) bypass Rails path normalization and are interpreted as host-relative redirects. **Recommendations** Update Mastodon to version 4.5.8 or later. Update Mastodon to version 4.4.15 or later. Update Mastodon to version 4.3.21 or later.

**Name of the Vulnerable Software and Affected Versions** Checkmate versions prior to 3.5.1 **Description** Checkmate is a self-hosted tool for tracking server hardware, uptime, response times, and incidents. A mass assignment issue exists in the user profile update endpoint, allowing authenticated users to escalate privileges to superadmin, bypassing role-based access controls. An attacker can modify their user role to gain complete administrative access, including viewing all users, modifying configurations, and accessing sensitive data. The vulnerable endpoint is the user profile update endpoint. The vulnerability allows modification of the user role through mass assignment of parameters. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Budibase versions prior to 3.31.5 **Description** Budibase is a low code platform used for creating internal tools, workflows, and admin panels. A flaw exists in the server's `authorized()` middleware, which is designed to protect server-side API endpoints. By appending a webhook path pattern to the query string of any request, an attacker can bypass this middleware. The `isWebhookEndpoint()` function utilizes an unanchored regular expression that evaluates the entire URL, including query parameters, via `ctx.request.url`. When a match occurs, the `authorized()` middleware immediately calls `return next()`, effectively skipping all authentication, authorization, role checks, and CSRF protection. This allows a remote, unauthenticated attacker to access any server-side API endpoint. The vulnerable component is the `authorized()` middleware and the `isWebhookEndpoint()` function. API endpoints are susceptible to this bypass. The vulnerable parameter is the query string. **Recommendations** Versions prior to 3.31.5 are affected. Upgrade to version 3.31.5 or later to resolve this issue.

**Name of the Vulnerable Software and Affected Versions** Glances versions prior to 4.5.1 **Description** Glances, a cross-platform system monitoring tool, contains a flaw in its TimescaleDB export module. The module builds SQL queries by concatenating strings with unverified system monitoring data. The `normalize()` function encloses string values in single quotes but does not escape any embedded single quotes, which allows for trivial SQL injection. Attackers can control data like process names, filesystem mount points, network interface names, and container names to exploit this issue. The vulnerability resides in the `normalize()` function within `glances/exports/glances timescaledb/ init .py` (lines 79-93) and the query construction section (lines 201-205). A proof of concept demonstrates that a normal user can create a process with a name containing a SQL injection payload, and then, when Glances is started with TimescaleDB export, a file is created in the /tmp directory, indicating successful SQL injection. Potential impacts include data destruction, data exfiltration, potential remote code execution, and privilege escalation. The vulnerability is due to the direct execution of concatenated SQL queries without using parameterized queries. **Recommendations** Versions prior to 4.5.1 should be updated to version 4.5.1 or later.

**Name of the Vulnerable Software and Affected Versions** Checkmate versions prior to 3.4.0 **Description** An unauthenticated information disclosure issue exists in the GET `/api/v1/status-page/:url` endpoint. The endpoint does not enforce authentication or verify if a status page is published before revealing complete status page details. This allows any unauthenticated user to access unpublished status pages and their internal data through direct API requests. The vulnerable parameter is `url`. **Recommendations** Update to version 3.4.0 or later.

**Name of the Vulnerable Software and Affected Versions** Glances versions prior to 4.5.1 **Description** Glances is a cross-platform system monitoring tool. The '/api/4/config' REST API endpoint returns the entire Glances configuration file (glances.conf) without filtering sensitive values. This configuration file contains credentials for backend services, including database passwords, API tokens, JWT signing keys, and SSL key passwords. The vulnerability stems from the `as dict()` method in `config.py`, which iterates through all configuration sections and keys without applying any redaction. The API endpoint lacks authentication when started without a password. Exploitation involves retrieving the configuration file via a simple HTTP request, allowing attackers to extract sensitive information and potentially compromise the entire infrastructure. **Recommendations** Glances versions prior to 4.5.1 should be updated to version 4.5.1 or later.

**Name of the Vulnerable Software and Affected Versions** Faraday versions prior to 2.14.1 **Description** Faraday is an HTTP client library abstraction layer. The `build exclusive url()` function (located in `lib/faraday/connection.rb`) uses Ruby's `URI#merge` to combine a connection's base URL with a user-supplied path. According to RFC 3986, protocol-relative URLs (starting with `//`) are treated as network-path references that override the host or authority component of the base URL. If an application passes user-controlled input to request methods such as `get()`, `post()`, or `build url()`, an attacker can provide a protocol-relative URL to redirect the request to an arbitrary host, leading to Server-Side Request Forgery (SSRF), which is a technique where an attacker forces a server to make requests to an unintended destination. **Recommendations** Update to version 2.14.1. Validate and sanitize user-controlled input before passing it to request methods by rejecting or stripping input that starts with `//` followed by a non-`/` character. Use an allowlist of permitted path prefixes. Prepend `./` to all user-supplied paths before passing them to the library.

**Name of the Vulnerable Software and Affected Versions** ServiceNow (affected versions not specified) **Description** The issue is related to an open redirect within the response list update functionality. This allows attackers to redirect users to arbitrary domains when clicking on a URL within a service-now domain. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ServiceNow (affected versions not specified) **Description** A XSS issue was identified in the ServiceNow UI page `assessment redirect`. To exploit this, an attacker would need to persuade an authenticated user to click a maliciously crafted URL. Successful exploitation could be used to conduct various client-side attacks, including phishing, redirection, theft of `CSRF` tokens, and use of an authenticated user's browser or session to attack other systems. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.