Whiteov3Rflow

#8611 of 53,634 · Total CVSS 31.9 · Vulnerabilities: 4 (Medium 1 · High 1 · Critical 2)
PT-2026-24477 · 4.8 · 2026-03-10 · Sylius · Sylius · CVE-2026-31823
**Name of the Vulnerable Software and Affected Versions**

Sylius versions 1.9.12 through 2.2.3

**Description**

Sylius, an Open Source eCommerce Framework on Symfony, contains an authenticated stored cross-site scripting (XSS) issue in multiple areas of the shop frontend and admin panel, caused by unsanitized entity names being rendered as raw HTML. Specifically, the issue affects shop breadcrumbs (`shared/breadcrumbs.html.twig`), the admin product taxon picker (`ProductTaxonTreeController.js`), and admin autocomplete fields (Tom Select). A malicious entity name, such as a taxon name containing `<img src=x onerror=alert('XSS')>`, can be injected and is then executed as JavaScript. An authenticated administrator can inject arbitrary HTML or JavaScript via entity names, which is then persistently rendered for all users. The vulnerable code interpolates data directly into HTML templates without proper escaping. The issue impacts the rendering of labels in breadcrumbs, the `name` variable in the admin taxon picker, and entity names displayed in autocomplete fields.

**Recommendations**

- Update to Sylius version 1.9.12 or later.
- Update to Sylius version 1.10.16 or later.
- Update to Sylius version 1.11.17 or later.
- Update to Sylius version 1.12.23 or later.
- Update to Sylius version 1.13.15 or later.
- Update to Sylius version 1.14.18 or later.
- Update to Sylius version 2.0.16 or later.
- Update to Sylius version 2.1.12 or later.
- Update to Sylius version 2.2.3 or later.
PT-2026-24478 · 8.2 · 2026-03-10 · Sylius · Sylius · CVE-2026-31824
**Name of the Vulnerable Software and Affected Versions**

Sylius versions 1.9.12, 1.10.16, 1.11.17, 1.12.23, 1.13.15, 1.14.18, 2.0.16, 2.1.12, and 2.2.3 and above

**Description**

Sylius, an Open Source eCommerce Framework on Symfony, contains a time-of-check to time-of-use (TOCTOU) race condition in the promotion usage limit enforcement. This affects the global used counter on Promotion entities, the global used counter on PromotionCoupon entities, and the per-customer redemption count on PromotionCoupon entities. The vulnerability arises because eligibility checks read usage counters from memory while the actual usage increments occur later, without database-level locking or atomic operations. Concurrent requests can bypass usage limits because Doctrine flushes absolute values instead of performing atomic increments, and no optimistic locking is in place. An attacker can exploit this by submitting multiple orders with the same limited-use promotion or coupon simultaneously via the `/api/v2/shop/orders/{token}/complete` API endpoint. This allows a single-use promotion or coupon to be redeemed multiple times, potentially leading to financial loss. No authentication is required for exploitation. The vulnerable parameters include the `token` variable in the API endpoint.

**Recommendations**

- Sylius version 1.9.12 and above
- Sylius version 1.10.16 and above
- Sylius version 1.11.17 and above
- Sylius version 1.12.23 and above
- Sylius version 1.13.15 and above
- Sylius version 1.14.18 and above
- Sylius version 2.0.16 and above
- Sylius version 2.1.12 and above
- Sylius version 2.2.3 and above
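The check-then-increment race described in this entry, reduced to a deterministic simulation with the atomic conditional UPDATE that closes it; this is an added example, not Sylius code, and the SQLite `coupon` table, its `used`/`usage_limit` columns and the `SINGLE-USE` coupon are constructed stand-ins for the Doctrine-managed entity.

```python
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Stand-in for the coupon entity: one single-use coupon (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE coupon (code TEXT PRIMARY KEY, used INTEGER, usage_limit INTEGER)")
    conn.execute("INSERT INTO coupon VALUES ('SINGLE-USE', 0, 1)")
    conn.commit()
    return conn


def current_used(conn: sqlite3.Connection, code: str) -> int:
    return conn.execute("SELECT used FROM coupon WHERE code = ?", (code,)).fetchone()[0]


def redeem_check_then_write(conn: sqlite3.Connection, code: str, n_requests: int):
    """Vulnerable pattern (interleaving simulated): each request reads the counter
    into memory, checks eligibility against that snapshot, and later flushes the
    absolute value snapshot + 1. If all requests read before any writes, every
    one passes the check and the last write wins. Returns (completed, final_used)."""
    snapshots = []
    for _ in range(n_requests):  # phase 1: time of check, no lock held
        used, limit = conn.execute(
            "SELECT used, usage_limit FROM coupon WHERE code = ?", (code,)).fetchone()
        if used < limit:
            snapshots.append(used)
    for used in snapshots:  # phase 2: time of use, absolute value written
        conn.execute("UPDATE coupon SET used = ? WHERE code = ?", (used + 1, code))
    conn.commit()
    return len(snapshots), current_used(conn, code)


def redeem_atomic(conn: sqlite3.Connection, code: str, n_requests: int):
    """Hardened pattern: check and increment are one conditional UPDATE applied
    atomically per row, so at most usage_limit requests succeed. Returns (completed, final_used)."""
    completed = 0
    for _ in range(n_requests):
        cur = conn.execute(
            "UPDATE coupon SET used = used + 1 WHERE code = ? AND used < usage_limit", (code,))
        if cur.rowcount == 1:  # the row changed: this request claimed a redemption
            completed += 1
    conn.commit()
    return completed, current_used(conn, code)


if __name__ == "__main__":
    print(redeem_check_then_write(setup_db(), "SINGLE-USE", 3))  # (3, 1): limit bypassed
    print(redeem_atomic(setup_db(), "SINGLE-USE", 3))  # (1, 1): limit enforced
```

The same conditional-update shape applies to the per-customer redemption count; with an ORM that flushes whole entities, the equivalent is an explicit `SELECT ... FOR UPDATE` or a version column for optimistic locking around the check-and-increment.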