Umeradeemcheema

**Name of the Vulnerable Software and Affected Versions** Trilium Notes versions prior to 0.102.2 **Description** An authenticated attacker can perform Local File Inclusion, which is a flaw allowing the reading of arbitrary files on the server's filesystem. The issue occurs within the `uploadModifiedFileToAttachment()` function, triggered by a POST request to the '/api/attachments/{attachmentId}/upload-modified-file' endpoint. By providing a path in the `filePath` variable of the request body, the content of an attachment is replaced with the content of the specified file. The attacker can then retrieve this content via the '/api/attachments/{attachmentId}/download' endpoint. This can expose sensitive data such as SSH keys, credentials, configurations, and operating system files, potentially leading to remote code execution and the compromise of co-hosted applications. **Recommendations** Update to version 0.102.2. As a temporary workaround, restrict access to the '/api/attachments/{attachmentId}/upload-modified-file' endpoint.

**Name of the Vulnerable Software and Affected Versions** osTicket versions prior to 1.17.6 and prior to 1.18.2 **Description** The issue is related to a Broken Access Control Vulnerability in the /scp/ajax.php endpoint. This vulnerability affects osTicket versions prior to 1.17.6 and prior to 1.18.2. **Recommendations** For versions prior to 1.17.6, update to version 1.17.6 or later. For versions prior to 1.18.2, update to version 1.18.2 or later. As a temporary workaround, consider restricting access to the /scp/ajax.php endpoint until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Admidio versions prior to 4.3.10 **Description** A Remote Code Execution issue exists in the Message module of the Admidio Application. This is due to the lack of file extension verification, allowing malicious files to be uploaded to the server. The uploaded file can be accessed publicly through the URL `{admidio base url}/adm my files/messages attachments/{file name}`. An attacker can upload a PHP web shell that executes OS commands on the server, compromising the application server. This can lead to a complete compromise of the server, allowing the attacker to execute arbitrary code or commands, access, modify, or delete sensitive data, install malicious software or scripts, gain further access to internal networks, and disrupt services and applications hosted on the server. **Recommendations** - For versions prior to 4.3.10, update to version 4.3.10 to fix the vulnerability. - As a temporary workaround, consider disabling the file upload feature in the Message module until a patch is available. - Restrict access to the `{admidio base url}/adm my files/messages attachments/{file name}` endpoint to minimize the risk of exploitation. - Implement strict file extension verification to ensure that only allowed file types can be uploaded. - Reject any file upload with disallowed or suspicious extensions such as .php, .phtml, .exe, etc.

**Name of the Vulnerable Software and Affected Versions** Admidio versions prior to 4.3.9 **Description** The issue is related to an SQL Injection in the `/adm program/modules/ecards/ecard send.php` source file of the Admidio Application. This SQL Injection results in a compromise of the application's database. The value of `ecard recipients` POST parameter is being directly concatenated with the SQL query in the source code, causing the SQL Injection. The SQL Injection can be exploited by a member user, using blind condition-based, time-based, and Out of band interaction SQL Injection payloads. An attacker could potentially access sensitive data, modify, delete, or add data to the database, and possibly perform remote code execution. **Recommendations** For versions prior to 4.3.9, update to version 4.3.9 to fix the SQL Injection vulnerability. As a temporary workaround, consider using parameterized queries or prepared statements instead of concatenating user input directly into SQL queries, or sanitize the input before including it in the SQL Query. Restrict access to the `/adm program/modules/ecards/ecard send.php` endpoint to minimize the risk of exploitation. Avoid using the `ecard recipients` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** FreeScout versions prior to 1.8.139 **Description** The issue arises from a Prototype Pollution vulnerability in the `/public/js/main.js` source file. This vulnerability occurs because the `getQueryParam` function recursively merges an object containing user-controllable properties into an existing object for URL query parameters parsing, without first sanitizing the keys. An attacker can inject a property with a key ` proto `, along with arbitrarily nested properties, allowing them to pollute the prototype with properties containing harmful values. These properties are then inherited by user-defined objects and used by the application, potentially leading to unsafe handling of attacker-controlled properties. This can be chained with other vulnerabilities like DOM-based XSS, Open Redirection, Cookie Manipulation, Link Manipulation, and HTML Injection. **Recommendations** For versions prior to 1.8.139, update to version 1.8.139 to resolve the issue. As a temporary workaround, consider disabling the `getQueryParam` function until a patch is available. Restrict access to the `/public/js/main.js` source file to minimize the risk of exploitation. Avoid using the ` proto ` key in URL query parameters until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** FreeScout versions prior to 1.8.139 **Description** A stored HTML Injection issue has been identified in the Email Receival Module of the FreeScout Application. This issue allows attackers to inject malicious HTML content into emails sent to the application's mailbox due to improper handling of HTML content within incoming emails. Attackers can embed malicious HTML code in the context of the application's domain, potentially leading to attacks such as form hijacking, application defacement, or data exfiltration via CSS injection. Unauthenticated attackers can exploit this issue, although they are limited to HTML injection, the consequences can still be severe. **Recommendations** For versions prior to 1.8.139, update to version 1.8.139, which implements strict input validation and sanitization mechanisms to prevent malicious HTML injections.

**Name of the Vulnerable Software and Affected Versions** Froxlor versions prior to 2.1.9 **Description** A Stored Blind Cross-Site Scripting (XSS) vulnerability has been identified in the Failed Login Attempts Logging Feature of the Froxlor Application. An unauthenticated user can inject malicious scripts in the `loginname` parameter on the Login attempt, which will then be executed when viewed by the Administrator in the System Logs. By exploiting this vulnerability, an attacker can perform various malicious actions such as forcing the Administrator to execute actions without their knowledge or consent. For instance, the attacker can force the Administrator to add a new administrator controlled by the attacker, thereby giving the attacker full control over the application. The vulnerability can lead to defacement of the Application and allow attackers to steal sensitive information such as login credentials, session tokens, and personally identifiable information (PII). **Recommendations** For versions prior to 2.1.9, update to version 2.1.9 to fix the vulnerability. As a temporary workaround, consider implementing thorough input validation and sanitization mechanisms on all user inputs, and sanitize malicious Javascript functions to prevent data binding and interpolation of Vue.js. Restrict access to the System Logs to minimize the risk of exploitation. Avoid using the `loginname` parameter in the affected Login attempt until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: Sidekiq versions prior to 7.2.4 Description: The issue is related to a reflected XSS vulnerability in Sidekiq, where the value of the `substr` parameter is reflected in the response without any encoding, allowing an attacker to inject Javascript code into the response of the application. This could potentially compromise user accounts, force users to perform sensitive actions, steal sensitive data, perform CORS attacks, or deface the web application. If other applications are deployed on the same domain or website as Sidekiq, users of those applications could also be affected, leading to a broader scope of compromise. Recommendations: To resolve the issue, update to version 7.2.4 or later. As a temporary workaround, consider encoding all output data before rendering it in the response to prevent XSS attacks. Restrict access to the Sidekiq Web UI to minimize the risk of exploitation. Avoid using the `substr` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** FreeScout versions prior to 1.8.128 **Description** FreeScout is a self-hosted help desk and shared mailbox. The issue concerns OS Command Injection in the /public/tools.php source file. The value of the `php path` parameter is being executed as an OS command by the `shell exec` function, without validating it. This allows an adversary to execute malicious OS commands on the server. A practical demonstration of the successful command injection attack extracted the /etc/passwd file of the server, representing the complete compromise of the server hosting the FreeScout application. This attack requires an attacker to know the `App Key` of the application, which makes the attack complexity high. If an attacker gets hold of the `App Key`, they can compromise the complete server on which the application is deployed. **Recommendations** For versions prior to 1.8.128, update to version 1.8.128 or later, which contains a patch for this issue. As a temporary workaround, consider restricting access to the /public/tools.php file or disabling the `shell exec` function until a patch is applied. Additionally, restrict access to the `App Key` to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** FreeScout versions prior to 1.8.128 **Description** A Stored Cross-Site Scripting (XSS) vulnerability has been identified within the Signature Input Field of the FreeScout Application. This occurs when user input is not properly sanitized and is stored on the server, allowing an attacker to inject malicious scripts that will be executed when other users access the affected page. The application's Content Security Policy (CSP) was bypassed by uploading a JS file to the server via a POST request to the `/conversation/upload` endpoint. The CSP policy only allows the inclusion of JS files present on the application server and does not allow any inline script or script other than `nonce-abcd`. However, by including the uploaded JS file link as the `src` of the `script`, the CSP policy was bypassed, making XSS attacks possible. The impact of this vulnerability is severe, allowing an attacker to compromise the FreeScout Application, perform malicious actions, steal sensitive information, and potentially lead to defacement of the Application. **Recommendations** For versions prior to 1.8.128, update to version 1.8.128 or later to resolve the issue. As a temporary workaround, consider restricting access to the `/conversation/upload` endpoint to prevent uploading of malicious JS files. Additionally, restrict the use of the `script` tag with `src` attribute in the Signature Input Field to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** FreeScout versions prior to 1.8.124 **Description** A vulnerability has been identified in the FreeScout Application, which exposes SMTP server credentials used by an organization in the application to users of the application. This issue arises from the application storing complete stack traces of exceptions in its database. The sensitive information is then inadvertently disclosed to users via the "/conversation/ajax-html/send log?folder id=&thread id={id}" endpoint. The stack trace reveals the value of parameters, including the `username` and `password`, passed to the `Swift Transport Esmtp Auth LoginAuthenticator->authenticate()` function. Exploiting this vulnerability allows an attacker to gain unauthorized access to SMTP server credentials. With this sensitive information in hand, the attacker can potentially send unauthorized emails from the compromised SMTP server, posing a severe threat to the confidentiality and integrity of email communications. **Recommendations** For versions prior to 1.8.124, upgrade to version 1.8.124 or later. As a temporary workaround, consider avoiding the storage of complete stack traces, implementing redaction mechanisms to filter and exclude sensitive information, and reviewing and enhancing the application's logging practices. Restrict access to the "/conversation/ajax-html/send log?folder id=&thread id={id}" endpoint to minimize the risk of exploitation. Avoid using the `username` and `password` parameters in the affected API endpoint until the issue is resolved.