Vicevirus

**Name of the Vulnerable Software and Affected Versions** Kestra versions prior to 1.1.10 **Description** Kestra is an event-driven orchestration platform. Versions 1.1.10 and earlier render user-supplied Markdown (.md) files with markdown-it configured to interpret Markdown as HTML and then inject the resulting HTML using Vue’s `v-html` directive without sanitization. This can lead to potential issues with the display of user-provided content. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Budibase versions prior to 3.30.4 **Description** Budibase, a low-code platform for creating internal tools, workflows, and admin panels, contains an unsafe `eval()` vulnerability in its view filtering implementation. This issue affects Budibase Cloud (SaaS) deployments only; self-hosted deployments using native CouchDB views are not vulnerable. The vulnerability resides in `packages/server/src/db/inMemoryView.ts`, where user-controlled view map functions are directly evaluated without sanitization. An authenticated user, even with a free tier account, can execute arbitrary JavaScript code on the server. The `app-service` pod runs with sensitive information in its environment variables, including `INTERNAL API KEY`, `JWT SECRET`, CouchDB admin credentials, and AWS keys. Exploitation allows access to the CouchDB database, enumeration of tenant databases, and retrieval of user records, such as email addresses. The vulnerability is triggered through the view filter mechanism, where a malicious filter value can inject JavaScript code. The `view.map` parameter, originating from user input when creating table views with filters, is concatenated with a string and passed to `eval()`, enabling arbitrary JavaScript execution. **Recommendations** Update Budibase to version 3.30.4 or later.

**Name of the Vulnerable Software and Affected Versions** Moodle (affected versions not specified) **Description** A flaw exists in the TeX filter administrative settings due to inadequate input sanitization, potentially leading to command injection. This issue affects systems with the TeX filter enabled and ImageMagick installed. A specially crafted setting value provided by an administrator could allow for unintended system command execution. While administrative privileges are required for exploitation, a successful compromise could impact the entire Moodle server. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 146.0.7680.71 **Description** A flaw exists in Google Chrome’s Clipboard functionality due to insufficient policy enforcement. This could allow a remote attacker who has compromised the renderer process to leak cross-origin data through a specially crafted HTML page. **Recommendations** Update Google Chrome to version 146.0.7680.71 or later.

**Name of the Vulnerable Software and Affected Versions** CodeIgniter versions prior to 4.6.2 **Description** CodeIgniter is a PHP full-stack web framework susceptible to a command injection issue. The vulnerability impacts applications utilizing the ImageMagick handler (`imagick`) for image processing and either permitting file uploads with user-defined filenames processed via the `resize()` method or employing the `text()` method with user-controlled text or options. An attacker can exploit this by uploading a file with a malicious filename containing shell metacharacters, which are executed during image processing, or by providing malicious text content or options that are executed when adding text to images. Approximately 2,254,632 systems are potentially affected worldwide. **Recommendations** Upgrade to version 4.6.2 or later to receive a patch. As a workaround, switch to the GD image handler (`gd`), which is not affected. For file upload scenarios, generate random filenames using `getRandomName()` with the `move()` method, or use the `store()` method, which automatically generates safe filenames. For text operations, sanitize user-controlled text input to allow only safe characters and validate/restrict text options.

Name of the Vulnerable Software and Affected Versions: Octo-STS versions prior to v0.5.3 Description: Octo-STS is a GitHub App that acts like a Security Token Service (STS) for the GitHub API. The issue allows for unauthenticated Server-Side Request Forgery (SSRF) by abusing fields in OpenID Connect tokens. Malicious tokens can trigger internal network requests, which could reflect error logs containing sensitive information. Recommendations: Upgrade to v0.5.3 to resolve this issue, as this version includes patch sets to sanitize input and redact logging.

**Name of the Vulnerable Software and Affected Versions** TeX Live (affected versions not specified) **Description** The issue is related to insufficient sanitizing in the TeX notation filter, which poses an arbitrary file read risk on sites where pdfTeX is available. This typically affects systems with TeX Live installed. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** changedetection.io versions prior to 0.48.05 **Description** The issue is related to improper input validation in the application, which can allow attackers to perform local file read (LFR) or path traversal attacks. These attacks occur when user input is used to construct file paths without adequate sanitization or validation. For example, using `file:../../../etc/passwd` or `file: ///etc/passwd` can bypass weak validations and allow unauthorized access to sensitive files. The vulnerability is exploited by using specific input, such as `file:../../../../etc/passwd` or `file: ///etc/passwd` (with space before /), to bypass insufficient checks in the code. **Recommendations** For changedetection.io versions prior to 0.48.05, update to version 0.48.05 to fix the issue. As a temporary workaround, consider restricting the use of the `file:` protocol in the application to minimize the risk of exploitation. Avoid using the `file:` protocol with untrusted input until the issue is resolved.