Tx1Ee

**Name of the Vulnerable Software and Affected Versions** Blinko versions prior to 1.8.4 **Description** Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, a privilege escalation issue exists. The `upsertUser` API endpoint is missing `superAdminAuthMiddleware`, allowing any logged-in user to call it. The `originalPassword` parameter is optional, and if not provided, password verification is skipped. Additionally, there is no ownership verification performed, specifically checking if `input.id` equals `ctx.id`. This could allow any authenticated user to modify other users' passwords, escalate privileges to superadmin, and potentially take complete account control. **Recommendations** Update to version 1.8.4 or later.

**Name of the Vulnerable Software and Affected Versions** Blinko versions prior to 1.8.4 **Description** Blinko is an AI-powered card note-taking project. A flaw exists in the `saveAdditionalDevFile` function that allows for authenticated arbitrary file writing. This means a user with valid credentials could potentially write files to the system. **Recommendations** Update to version 1.8.4 or later.

**Name of the Vulnerable Software and Affected Versions** Blinko versions prior to 1.8.4 **Description** The file server endpoint does not validate permissions on the `temp/` path and does not filter path traversal sequences, potentially allowing unauthorized access to arbitrary files on the server. If scheduled backup tasks are enabled, attackers may be able to read backup files containing user notes and user `TOKENS`. A path traversal attack exploits a flaw in an application's handling of user-supplied input, allowing attackers to access files and directories outside the intended root directory. **Recommendations** Update to version 1.8.4 or later.

**Name of the Vulnerable Software and Affected Versions** Blinko versions prior to 1.8.3 **Description** Blinko is an AI-powered card note-taking project. The plugin file server endpoint uses the `join()` function to concatenate paths but does not verify if the final path is within the plugins directory, leading to a path traversal issue. The vulnerable API endpoint is the plugin file server endpoint. The `join()` function is used to concatenate paths without proper validation. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Blinko versions prior to 1.8.3 **Description** The `fileName` parameter in Blinko is not properly filtered, which allows for path traversal. This enables unauthorized writing of files to any location within the file system. The affected interface only requires standard user authentication (`authProcedure`) and does not enforce super administrator authentication (`superAdminAuthMiddleware`). **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Blinko versions prior to 1.8.4 **Description** Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the `filePath` parameter accepts path traversal sequences. This allows for the enumeration of file existence on the server through differing error responses. **Recommendations** Update to version 1.8.4 or later.

**Name of the Vulnerable Software and Affected Versions** Blinko versions prior to 1.8.4 **Description** A publicly accessible endpoint exposes all user information, including usernames, roles, and account creation dates. The affected software is an AI-powered card note-taking project. The issue was addressed in version 1.8.4. The vulnerable endpoint is not explicitly named, but it allows unauthorized access to user data. The exposed data includes `username`, `role`, and account creation date. **Recommendations** Update to version 1.8.4 or later.

**Name of the Vulnerable Software and Affected Versions** Blinko versions prior to 1.8.4 **Description** Blinko is an AI-powered card note-taking project. A security issue exists where the `user.detail` API endpoint improperly reveals the superadmin token due to an IDOR (Insecure Direct Object Reference) condition. This allows unauthorized access to sensitive administrative functions. **Recommendations** Update to version 1.8.4 or later.

**Name of the Vulnerable Software and Affected Versions** Blinko versions prior to 1.8.4 **Description** Blinko, an AI-powered card note-taking project, contains an issue where the comment feature allows unauthorized access. Specifically, the `/api/v1/comment/create` endpoint permits attackers to post comments on any note, including private ones, without proper authorization. The `/api/v1/comment/list` endpoint also suffers from this problem, allowing unauthorized viewing of comments on all notes. The vulnerable parameters are not specified. **Recommendations** Update to version 1.8.4 or later.

**Name of the Vulnerable Software and Affected Versions** Blinko versions prior to 1.8.4 **Description** Blinko is an AI-powered card note-taking project. The server creation function for the Model Context Protocol (MCP) allows specification of arbitrary commands and arguments. These commands are executed during connection testing. This allows for potential remote code execution. **Recommendations** Update to version 1.8.4 or later.