Trixterthetux

**Name of the Vulnerable Software and Affected Versions** Laravel versions prior to 11.44.1 Laravel versions prior to 12.1.1 **Description** Laravel is a web application framework. When using wildcard validation to validate a given file or image field (`files.*`), a user-crafted malicious request could potentially bypass the validation rules. **Recommendations** For versions prior to 11.44.1, update to version 11.44.1 or later. For versions prior to 12.1.1, update to version 12.1.1 or later. As a temporary workaround, consider restricting the use of wildcard validation for file or image fields until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Smarty versions prior to the latest version of v4 or v5 Smarty version 3.x **Description** The issue allows template authors to inject PHP code by choosing a malicious file name for an extends-tag. This poses a risk to sites that cannot fully trust template authors. All users are advised to update. **Recommendations** For Smarty version 3.x: At the moment, there is no information about a newer version that contains a fix for this vulnerability. For Smarty versions prior to the latest version of v4 or v5: Upgrade to the most recent version of Smarty v4 or v5 as soon as possible.

**Name of the Vulnerable Software and Affected Versions** Pterodactyl Wings versions prior to 1.11.12 **Description** The issue allows an attacker to gain arbitrary file write and read access on a node if the Wings token is leaked, either by viewing the node configuration or posting it accidentally somewhere. **Recommendations** For versions prior to 1.11.12, update to version 1.11.12 to resolve the issue. As a temporary workaround for users unable to upgrade, enable the `ignore panel config updates` option.

**Name of the Vulnerable Software and Affected Versions** Pterodactyl versions prior to 1.11.6 **Description** Importing a malicious egg or gaining access to a wings instance could lead to cross-site scripting (XSS) on the panel, potentially allowing an attacker to gain an administrator account. The impacted components include Egg Docker images and Egg variables: `Name`, `Environment variable`, `Default value`, `Description`, and `Validation rules`. This issue requires an administrator to perform specific actions and cannot be triggered by a normal panel user. **Recommendations** For versions prior to 1.11.6, update to version 1.11.6 to resolve the issue. No workaround is available other than updating to the latest version of the panel. As a temporary measure, consider restricting access to Egg Docker images and Egg variables to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Pterodactyl Wings versions prior to 1.11.2 Description: An authenticated user with access to a game server can bypass previously implemented access control, potentially accessing resources on local networks that would otherwise be inaccessible. This issue allows malicious users to access internal endpoints of the node hosting Wings in the pull endpoint. The estimated number of potentially affected devices is not specified. Recommendations: For versions prior to 1.11.2, upgrade to version 1.11.2 or later to resolve the issue. As a temporary workaround for users unable to upgrade, enable the `api.disable remote download` option.