Tinkanet

**Name of the Vulnerable Software and Affected Versions** Parse Server versions prior to 9.5.0-alpha.14 Parse Server versions prior to 8.6.11 **Description** A crafted `$regex` pattern within a LiveQuery subscription can cause catastrophic backtracking, blocking the Node.js event loop and rendering the entire Parse Server unresponsive. An attacker requires only the application ID and JavaScript key, typically public in client-side applications, to exploit this issue. This impacts Parse Server deployments with LiveQuery enabled, specifically affecting LiveQuery subscription matching which evaluates regex in JavaScript on the Node.js event loop. Normal REST and GraphQL queries are not affected as their regex evaluation occurs within the database engine. **Recommendations** Update to Parse Server version 9.5.0-alpha.14 or later. Update to Parse Server version 8.6.11 or later.

**Name of the Vulnerable Software and Affected Versions** Mercurius versions prior to 16.8.0 **Description** Mercurius does not properly enforce the configured queryDepth limit on GraphQL subscription queries received over WebSocket connections. The depth check functions as expected for HTTP queries and mutations, but subscription queries bypass this validation. This allows a remote client to send excessively nested subscription queries via WebSocket, circumventing the intended depth restriction. In schemas containing recursive types, this can result in a denial of service due to exponential data resolution with each subscription event. **Recommendations** Update to version 16.8.0 or later. Disable subscriptions and queries over WebSocket.

**Name of the Vulnerable Software and Affected Versions** express-rate-limit versions 8.0.0 through 8.0.1 express-rate-limit versions 8.1.0 through 8.1.1 express-rate-limit versions 8.2.0 through 8.2.1 **Description** The default keyGenerator in express-rate-limit incorrectly applies IPv6 subnet masking to IPv4-mapped IPv6 addresses. This results in all IPv4 traffic being placed into a single rate-limit bucket. Consequently, a single client exhausting the rate limit can cause HTTP 429 errors for all other IPv4 clients. The issue occurs on Node.js dual-stack servers where `request.ip` contains IPv4-mapped IPv6 addresses. This affects the default `keyGenerator` configuration only. The issue can lead to a denial of service, as a single client can block all IPv4 traffic. **Recommendations** Update to express-rate-limit version 8.0.2. Update to express-rate-limit version 8.1.1. Update to express-rate-limit version 8.2.2. Update to express-rate-limit version 8.3.0.

**Name of the Vulnerable Software and Affected Versions** Defuddle versions prior to 0.9.0 **Description** Defuddle contains a flaw in the ` findContentBySchemaText` method within `src/defuddle.ts`. This method directly interpolates image `src` and `alt` attributes into an HTML string without proper escaping. An attacker can leverage a double quote character (") within the `alt` attribute to break out of the attribute context and inject event handlers, leading to potential cross-site scripting (XSS). The issue arises during string construction, not within the DOM, bypassing the ` stripUnsafeElements` function. The vulnerability is triggered when processing HTML with schema.org structured data and a sibling image with a crafted `alt` attribute. The affected code uses string interpolation: `html += `<img src="${imageSrc}" alt="${imageAlt}">`;`. The `getAttribute()` function returns raw attribute values, and the presence of a quote character in the `alt` attribute allows for the injection of event handlers like `onload`. This can impact applications rendering Defuddle’s HTML output, such as browser extensions, web clippers, and reader modes. **Recommendations** Versions prior to 0.9.0 should be updated to version 0.9.0 or later. As an alternative, use the DOM API instead of string interpolation when creating image elements. Specifically, use the following code: ```typescript if (imageSrc) { const img = this.doc.createElement('img'); img.setAttribute('src', imageSrc); img.setAttribute('alt', imageAlt); html += img.outerHTML; } ``` This approach ensures that attribute values are properly escaped by the DOM serializer.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Phone Contact Manager System version 1.0 **Description** A vulnerability has been found in the SourceCodester Phone Contact Manager System, classified as problematic. The issue is related to improper input validation, affecting the `ContactBook::adding` function of the `ContactBook.cpp` file. The attack must be approached locally, and the exploit has been disclosed to the public. This may allow an attacker to execute arbitrary code. **Recommendations** For SourceCodester Phone Contact Manager System version 1.0, as a temporary workaround, consider disabling the `ContactBook::adding` function until a patch is available. Restrict access to the `ContactBook.cpp` file to minimize the risk of exploitation. Avoid using the function `ContactBook::adding` until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Tongda OA 2017 versions up to 11.9 **Description** A critical issue was found in the file general/wiki/cp/manage/lock.php, where the manipulation of the `TERM ID STR` argument leads to sql injection. The exploit has been disclosed to the public and may be used. **Recommendations** For Tongda OA 2017 versions up to 11.9, upgrade to version 11.10 to address this issue. As a temporary workaround, consider restricting access to the `lock.php` file or avoiding the manipulation of the `TERM ID STR` argument until the upgrade is applied.

**Name of the Vulnerable Software and Affected Versions** IBOS OA version 4.5.5 **Description** A critical issue has been found in the software, affecting some unknown functionality of the file ?r=file/dashboard/trash&op=del. The manipulation of the argument `fids` leads to SQL injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. **Recommendations** For IBOS OA version 4.5.5, as a temporary workaround, consider restricting access to the file ?r=file/dashboard/trash&op=del to minimize the risk of exploitation. Avoid using the argument `fids` in the affected file until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** D-Link DAR-8000-10 up to 20230819 **Description** The issue is related to the decodmail.php script in the D-Link DAR-8000-10 router's firmware, where it fails to neutralize special elements used in an operating system command. This can be exploited by a remote attacker to execute arbitrary commands. The manipulation of the `file` argument leads to os command injection. The attack may be launched remotely, and the complexity of an attack is rather high. The exploitation is known to be difficult. **Recommendations** For D-Link DAR-8000-10 up to 20230819, as a temporary workaround, consider restricting access to the `/log/decodmail.php` file to minimize the risk of exploitation. Avoid using the `file` argument in the affected functionality until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.