Thomas Rinsma

**Name of the Vulnerable Software and Affected Versions** Feathersjs versions 5.0.39 and below **Description** Feathersjs is a framework used for building web APIs and real-time applications. Versions 5.0.39 and below store all HTTP request headers in a session cookie that is signed but not encrypted. This can expose internal proxy/gateway headers to clients. The OAuth service stores the complete headers object in the session, which is then persisted using cookie-session and base64-encoded. While the cookie is signed, the data is readable by decoding the base64 value. In certain deployment configurations, such as those behind reverse proxies or API gateways, this can lead to the disclosure of sensitive internal infrastructure details like API keys, service tokens, and internal IP addresses. The issue involves the storage of sensitive information in the session cookie, specifically impacting the handling of HTTP request headers and OAuth service data. **Recommendations** Update to version 5.0.40 or later.

**Name of the Vulnerable Software and Affected Versions** Feathersjs versions 5.0.39 and below **Description** Feathersjs is a framework used for building web APIs and real-time applications. A flaw in origin validation, specifically using the `startsWith()` function for comparison, allows attackers to bypass origin checks. This bypass is possible by registering a domain that shares a common prefix with an allowed origin. The `getAllowedOrigin()` function inadequately validates the prefix of the Referer header against allowed origins. An attacker can initiate the OAuth flow from an unauthorized origin and potentially steal tokens, leading to full account takeover. **Recommendations** Update to version 5.0.40 or later.

**Name of the Vulnerable Software and Affected Versions** Feathersjs versions 5.0.39 and below **Description** Feathersjs is a framework used for building web APIs and real-time applications. A flaw exists where the redirect query parameter is added to the base origin without proper validation. This allows attackers to steal access tokens through URL authority injection, potentially leading to full account takeover. The application builds the redirect URL by combining the base origin with a user-provided redirect parameter. This is exploitable when origins do not end with a forward slash (/). An attacker can provide a malicious redirect value, such as `@attacker.com`, resulting in a URL like `https://target.com@attacker.com#access token=...`. The browser then interprets `attacker.com` as the host, enabling the attacker to obtain the victim's access token and impersonate them. **Recommendations** Update to version 5.0.40 or later.

**Name of the Vulnerable Software and Affected Versions** Apache OpenOffice versions through 4.1.15 **Description** Apache OpenOffice contains a missing authorization check when handling external links within documents. This allows an attacker to create a malicious document that loads external files without user confirmation. These links can be used to transmit sensitive system information, such as environment variables and configuration settings. The affected versions utilize a URI scheme that enables the inclusion of system configuration data, potentially exposing it externally. **Recommendations** Upgrade to version 4.1.16 to resolve this issue.

Name of the Vulnerable Software and Affected Versions: Stalwart versions 0.12.0 through 0.13.2 Description: Stalwart is a mail and collaboration server. A memory exhaustion vulnerability exists in Stalwart’s CalDAV implementation that allows authenticated attackers to cause a denial-of-service by triggering unbounded memory consumption through recurring event expansion. An authenticated attacker can crash the Stalwart server by creating recurring events with large payloads and triggering their expansion through CalDAV `REPORT` requests. A single malicious request expanding 300 events with 1000-character descriptions can consume up to 2 GB of memory. The vulnerability exists in the `ArchivedCalendarEventData.expand` function, which processes CalDAV `REPORT` requests with event expansion. When a client requests recurring events in their expanded form using the `<C:expand>` element, the server stores all expanded event instances in memory without enforcing size limits. Recommendations: Upgrade to Stalwart version 0.13.3 or later. If immediate upgrading is not possible, implement memory limits at the container/system level. Monitor server memory usage for unusual spikes. Consider rate limiting CalDAV `REPORT` requests. Restrict CalDAV access to trusted users only.

**Name of the Vulnerable Software and Affected Versions** Zyxel VMG8825-T50K firmware versions prior to V5.50(ABOM.5)C0 **Description** A buffer overflow exists in the URL parser of the zhttpd web server. This issue could allow an unauthenticated attacker to cause denial-of-service (DoS) conditions and potentially execute arbitrary code by sending a specially crafted HTTP request. **Recommendations** Update Zyxel VMG8825-T50K firmware to version V5.50(ABOM.5)C0 or later.

**Name of the Vulnerable Software and Affected Versions** LibreOffice versions 24.8 through 24.8.3 **Description** The issue is related to insufficient protection of internal data in LibreOffice, allowing an unauthorized actor to potentially disclose sensitive information. Specifically, URLs could be constructed to expand environmental variables or INI file values, leading to the exfiltration of potentially sensitive information to a remote server when opening a document containing such links. **Recommendations** For LibreOffice versions 24.8 through 24.8.3, update to version 24.8.4 or later to resolve the issue. As a temporary workaround, consider restricting the use of URLs that could expand environmental variables or INI file values in documents until a patch is applied. Avoid using links that could potentially disclose sensitive information in documents until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** LibreOffice versions 24.8 through 24.8.3 **Description** The issue is related to an improper limitation of a pathname to a restricted directory, also known as 'Path Traversal', in LibreOffice. This allows for absolute path traversal, enabling an attacker to write to arbitrary locations, albeit with the ".ttf" suffix, by providing a file in a format that supports embedded font files. **Recommendations** For LibreOffice versions 24.8 through 24.8.3, update to version 24.8.4 or later to resolve the issue. As a temporary workaround, consider restricting the use of file formats that support embedded font files until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Artifex Ghostscript versions prior to 10.03.1 **Description** The Ghostscript software suite contains a directory traversal issue when using Tesseract for Optical Character Recognition (OCR). This allows for arbitrary file reading and writing of error messages to arbitrary files through the `OCRLanguage` parameter. Specifically, exploitation can occur via the `debug file` and `user patterns file` parameters. The API endpoints potentially involved are those utilizing OCR functionality. The vulnerable parameters are `debug file` and `user patterns file`. **Recommendations** Versions prior to 10.03.1 should be updated to version 10.03.1 or later.

Name of the Vulnerable Software and Affected Versions: Artifex Ghostscript versions prior to 10.03.0 Description: The issue is related to a heap-based overflow when the `PDFPassword` parameter has a `000` byte in the middle, which can be exploited by a remote attacker to cause a denial of service. Recommendations: For versions prior to 10.03.0, update to version 10.03.0 or later to resolve the issue. As a temporary workaround, consider restricting the use of the `PDFPassword` parameter to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Artifex Ghostscript versions prior to 10.03.0 Description: The issue is related to a stack-based buffer overflow in the `pdfi apply filter()` function of the Ghostscript software suite, which occurs during the filtering process. This can be exploited by a remote attacker to execute arbitrary code, cause a denial of service, or gain full control over the application. The vulnerability is triggered by a long PDF filter name. Recommendations: For versions prior to 10.03.0, update to version 10.03.0 or later to resolve the issue. As a temporary workaround, consider restricting the use of long PDF filter names to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Artifex Ghostscript versions prior to 10.03.0 Artifex Ghostscript versions prior to 10.0.3.0 Description: The issue is related to a heap-based pointer disclosure in the `pdf base font alloc()` function, observable in a constructed BaseFont name. This is caused by a buffer overflow due to incorrect scaling of the pointer (`&quot;.F&quot; PRI INTPTR`). Exploitation of this issue may allow a remote attacker to execute arbitrary code or cause a denial of service. Recommendations: For versions prior to 10.03.0, update to version 10.03.0 or later. For versions prior to 10.0.3.0, update to version 10.0.3.0 or later. As a temporary workaround, consider restricting access to the `pdf base font alloc()` function until a patch is available.

Name of the Vulnerable Software and Affected Versions: Artifex Ghostscript versions prior to 10.03.0 Description: The issue is related to a stack-based buffer overflow in the Ghostscript software, which can be exploited via the `CIDFSubstPath` and `CIDFSubstFont` parameters. This can potentially allow a remote attacker to gain unauthorized access to protected information. Recommendations: For Artifex Ghostscript versions prior to 10.03.0, update to version 10.03.0 or later to resolve the issue. As a temporary workaround, consider restricting the use of the `CIDFSubstPath` and `CIDFSubstFont` parameters until a patch is available.

Name of the Vulnerable Software and Affected Versions: Mozilla Firefox versions 115.11.0esr-1~deb10u1 and earlier, Mozilla Thunderbird versions 115.10.0 and 128.3.0-alt1, Network Security Services (NSS). Description: Multiple security issues have been found in Mozilla Firefox, Mozilla Thunderbird, and Network Security Services (NSS). These vulnerabilities could potentially result in arbitrary code execution, denial of service, or clickjacking. The vulnerabilities in Firefox have been addressed in version 115.11.0esr-1~deb10u1. The vulnerabilities in Thunderbird have been addressed in versions 115.10.0 and 128.3.0-alt1. The vulnerability in NSS has been addressed with fixes for a Minerva side-channel information leak. Recommendations: Upgrade Mozilla Firefox to version 115.11.0esr-1~deb10u1 or later. Upgrade Mozilla Thunderbird to version 115.10.0 or 128.3.0-alt1. Update Network Security Services (NSS) to the latest version.

[Content removed]

**Name of the Vulnerable Software and Affected Versions** Sequelize versions prior to 6.29.0 Sequelize versions prior to 7.0.0.alpha-20 **Description** The issue is due to improper attribute filtering in the Sequelize JS library, allowing an attacker to perform SQL injections. This can be exploited when using parentheses in the attribute option, causing Sequelize to use the string as-is in the SQL. For example, using the `attributes` option with a value like `['count(id)', 'count']` can lead to SQL injection. The estimated number of potentially affected devices is not provided. **Recommendations** For Sequelize versions prior to 6.29.0, update to version 6.29.0 or later to patch the issue. For Sequelize versions prior to 7.0.0.alpha-20, update to version 7.0.0.alpha-20 or later to patch the issue. As a temporary workaround, do not use user-provided content to build your list of attributes. If you do, make sure that the attribute in question actually exists on your model by checking that it exists in the `rawAttributes` property of your model first.

**Name of the Vulnerable Software and Affected Versions** sequelize js library (affected versions not specified) **Description** The issue is related to improper input filtering in the sequelize js library, which can lead to sensitive information disclosure when malicious queries are executed. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Sequelize versions prior to 6.28.1 Sequelize Core versions prior to 7.0.0.alpha-20 **Description** The issue is due to improper parameter filtering in the Sequelize JS library, which can allow an attacker to perform injection. Providing an invalid value to the `where` option of a query caused Sequelize to ignore that option instead of throwing an error. This only happens at the top level of the `where` option, typically used with plain JavaScript objects. **Recommendations** For Sequelize versions prior to 6.28.1, update to version 6.28.1 or later to resolve the issue. For Sequelize Core versions prior to 7.0.0.alpha-20, update to version 7.0.0.alpha-20 or later to resolve the issue. As a temporary workaround, consider validating and sanitizing user input to prevent malicious data from being passed to the `where` option.

**Name of the Vulnerable Software and Affected Versions** Socket.io versions prior to 4.5.2 Socket.io-client versions prior to 4.5.0 Socket.io-parser versions prior to 4.2.1 Socket.io-parser versions prior to 4.0.5 Socket.io-parser versions prior to 3.4.2 Socket.io-parser versions prior to 3.3.3 **Description** Due to improper type validation in attachment parsing in the Socket.io js library, it is possible to overwrite the placeholder object, allowing an attacker to place references to functions at arbitrary places in the resulting query object. This issue can be exploited by sending malicious packets, such as a number out of bounds, a value that is not a number, or a string that is part of the prototype of Array or Object. For example, an attacker can send a packet with a string like "push" or "hasOwnProperty" to overwrite the placeholder object. To mitigate this issue, it is essential to ensure that the payload received from the client is a Buffer object. **Recommendations** For Socket.io versions prior to 4.5.2, update to version 4.5.2 or later. For Socket.io-client versions prior to 4.5.0, update to version 4.5.0 or later. For Socket.io-parser versions prior to 4.2.1, update to version 4.2.1 or later. For Socket.io-parser versions prior to 4.0.5, update to version 4.0.5 or later. For Socket.io-parser versions prior to 3.4.2, update to version 3.4.2 or later. For Socket.io-parser versions prior to 3.3.3, update to version 3.3.3 or later. As a temporary workaround, consider validating the payload received from the client to ensure it is a Buffer object, and disconnect the client if it is not.

**Name of the Vulnerable Software and Affected Versions** Feathers js library (affected versions not specified) **Description** The issue is related to improper input validation in the Feathers js library, which can lead to a SQL injection attack on the back-end database when the feathers-sequelize package is used. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.