Vashuvats

**Name of the Vulnerable Software and Affected Versions** Daptin versions prior to 0.11.4 **Description** The '/aggregate/:typename' endpoint accepts `column` and `group` query parameters that are passed without validation to `goqu.L()`, a raw SQL literal expression builder. This bypasses parameterization, allowing authenticated users with any valid session to inject arbitrary SQL expressions. This can lead to the extraction of data from any table via subqueries, disclosure of database internals, and exfiltration of cross-table data via correlated subqueries. **Recommendations** Update to version 0.11.4.

**Name of the Vulnerable Software and Affected Versions** Ech0 versions prior to 4.2.8 **Description** Ech0, a self-hosted publishing platform, has an unsafe link preview feature. The `GET /api/website/title` endpoint is unauthenticated and accepts attacker-controlled URLs. It performs a server-side GET request, reading the entire response body into memory using `io.ReadAll`. There is no host allowlist, SSRF filter, and `InsecureSkipVerify` is set to true for outbound client requests. This allows an attacker who can reach the instance to force the Ech0 server to open HTTP/HTTPS URLs of their choice from the server’s network position (Docker bridge, VPC, localhost). The code follows redirects by default, potentially moving the request to internal targets. The full response body is read into memory, creating a potential denial-of-service vector if a large file is targeted. The vulnerability is present in the `internal/handler/common/common.go`, `internal/service/common/common.go`, and `internal/util/http/http.go` components. **Recommendations** Versions prior to 4.2.8 should be updated to version 4.2.8 or later. Enforce an SSRF-safe URL policy, removing `InsecureSkipVerify` and implementing normal TLS verification. Limit redirects and add response size/timeout limits.

Name of the Vulnerable Software and Affected Versions Signal K Server versions prior to 2.24.0-beta.1 Description The Signal K Server has an unauthenticated HTTP endpoint that allows remote attackers to modify navigation data source priorities. The endpoint, accessible via `PUT /signalk/v1/api/sourcePriorities`, does not enforce authentication or authorization checks and directly assigns user-controlled input to the server configuration. Attackers can influence which GPS, AIS, or other sensor data sources are trusted by the system. The changes are immediately applied and persisted to disk. The vulnerable code is located in `src/serverroutes.ts` lines 1064-1076 within the source priorities configuration handler function. The issue stems from missing authentication, direct configuration assignment, persistent storage of malicious configuration, live configuration updates, and a lack of input validation. Recommendations Update Signal K Server to version 2.24.0-beta.1 or later.

Name of the Vulnerable Software and Affected Versions Signal K Server versions prior to 2.24.0 Description Signal K Server, a server application used in boats, contains a flaw where a low-privileged authenticated user can bypass prototype boundary filtering to extract internal functions and properties from the global prototype object. This bypass occurs through manipulation of the `from` field in JSON-patch operations, specifically targeting the '/signalk/v1/applicationData/... JSON-patch endpoint. The vulnerability allows reading more data than intended, violating data isolation. The issue is due to a security guard that only checks the 'path' property of incoming JSON-patch objects, ignoring the 'from' property. The `copy` operation, using the `from` property, can target '/ proto /someProperty', bypassing the security check. The vulnerable code resides in 'src/interfaces/applicationData.js' (Lines 48-57) within the `hasPrototypePollutionPatch` function, which only validates the `path` property and not the `from` property. Recommendations Update Signal K Server to version 2.24.0 or later.

Name of the Vulnerable Software and Affected Versions: SignalK Server versions prior to 2.24.0 Description: SignalK Server contains a code-level issue in its OIDC login and logout handlers where the unvalidated HTTP Host header is used to construct the OAuth2 redirect uri. Because the redirectUri configuration is silently unset by default, an attacker can spoof the Host header to steal OAuth authorization codes and hijack user sessions. The OIDC provider will then send the authorization code to the injected domain. The vulnerability is amplified by the official documentation recommending an Nginx configuration that forwards the vulnerable Host header. The issue affects the login handler in 'oidc-auth.ts' (lines 278-282) and the logout handler in 'oidc-auth.ts' (lines 513-515), both utilizing the attacker-controlled `host` header to construct redirect URIs. Recommendations: Update to SignalK Server version 2.24.0 or later.

Name of the Vulnerable Software and Affected Versions Signal K Server versions prior to 2.24.0-beta.4 Description Signal K Server, a server application used in marine navigation systems, contains a privilege escalation issue. An unauthenticated attacker can exploit this to gain full Administrator access to the server. This is achieved through Admin Role Injection via the '/enableSecurity' API endpoint. Successful exploitation allows modification of sensitive vessel routing data, alteration of server configurations, and access to restricted endpoints. Recommendations Update Signal K Server to version 2.24.0-beta.4 or later.

**Name of the Vulnerable Software and Affected Versions** Vikunja (affected versions not specified) **Description** A flaw in the password reset logic allows disabled users to regain access to their accounts. The `ResetPassword()` function sets the user’s status to `StatusActive` after a successful password reset without verifying whether the account was previously disabled. A disabled user can request a reset token via the `/api/v1/user/password/token` endpoint and complete the reset using the `/api/v1/user/password/reset` endpoint, reactivating their account and bypassing administrator-imposed account disablement. The `RequestUserPasswordResetTokenByEmail` function fetches the user via `GetUserWithEmail()`, which does not filter out disabled users, allowing them to request a token. The vulnerable code is located in `pkg/user/user password reset.go`, beginning at line 66, where the `user.Status` is unconditionally set to `StatusActive`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Vikunja versions prior to 2.1.0 **Description** Vikunja, an open-source self-hosted task management platform, has a business logic flaw in its password reset mechanism within the `vikunja/api`. This allows password reset tokens to be reused indefinitely. The issue arises from a failure to invalidate tokens after use and a logic error in the token cleanup cron job, which prevents the removal of expired tokens. An attacker intercepting a single reset token can perform a persistent account takeover, bypassing standard authentication. The vulnerability stems from two distinct logic errors: the `ResetPassword` function incorrectly deletes `TokenEmailConfirm` tokens instead of `TokenPasswordReset` tokens, and the token cleanup cron job deletes new tokens instead of old ones. This results in an infinite attack window, allowing exploitation long after the token was initially issued. **Recommendations** Update to version 2.1.0.