Tim Goddard

**Name of the Vulnerable Software and Affected Versions** Velociraptor versions prior to 0.6.5-2 **Description** The issue arises from a bug in the communication handling between the client and server, allowing a registered client to send messages claiming to come from another client ID. Additionally, on MacOS and Linux, there is a potential for a symlink attack, where a predictable file name could be replaced with a symlink to another file, allowing the Velociraptor client to overwrite the other file. **Recommendations** For versions prior to 0.6.5-2, update to Velociraptor 0.6.5-2 to resolve the issue. As a temporary workaround, consider restricting access to the client-server communication to minimize the risk of exploitation. On MacOS and Linux, avoid using predictable file names and restrict write access to sensitive files until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Velociraptor versions prior to 0.6.5-2 **Description** A cross-site scripting (XSS) issue in generating a collection report made it possible for malicious clients to inject JavaScript code into the static HTML file. **Recommendations** For versions prior to 0.6.5-2, update to Velociraptor 0.6.5-2 to resolve the issue. As a temporary workaround, consider restricting access to the collection report feature until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Velociraptor versions prior to 0.6.5-2 **Description** The Velociraptor GUI contains an editor suggestion feature that can display the description field of a VQL function, plugin or artifact. This field was not properly sanitized and can lead to cross-site scripting (XSS). **Recommendations** For versions prior to 0.6.5-2, update to Velociraptor 0.6.5-2 to resolve the issue. As a temporary workaround, consider disabling the editor suggestion feature until a patch is available. Restrict access to the description field of VQL functions, plugins, or artifacts to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Velociraptor versions prior to 0.6.5-2 **Description** The issue is related to incorrect link resolution before accessing a file, which may allow an attacker to overwrite arbitrary files. On MacOS and Linux, it may be possible to perform a symlink attack by replacing a predictable file name with a symlink to another file, allowing the Velociraptor client to overwrite the other file. **Recommendations** For versions prior to 0.6.5-2, update to Velociraptor 0.6.5-2 to resolve the issue. As a temporary workaround, consider restricting access to predictable file names that could be exploited for symlink attacks until the update is applied.