Xbow-Security

**Name of the Vulnerable Software and Affected Versions** GeoServer versions prior to 2.27.1 GeoServer versions prior to 2.26.3 GeoServer versions prior to 2.25.7 GeoTools versions prior to 33.1 GeoTools versions prior to 32.3 GeoTools versions prior to 31.7 GeoTools versions prior to 28.6.1 GeoNetwork versions prior to 4.4.8 GeoNetwork versions prior to 4.2.13 **Description** The issue is related to the use of the Eclipse XSD library in the GeoTools Schema class, which is vulnerable to XML External Entity (XXE) exploit. This affects users who expose XML processing with gt-xsd-core involved in parsing when the documents carry a reference to an external XML schema. The gt-xsd-core Schemas class is not using the EntityResolver provided by the ParserHandler. This also impacts users of gt-wfs-ng DataStore where the ENTITY RESOLVER connection parameter was not being used as intended. **Recommendations** For GeoServer versions prior to 2.27.1, update to version 2.27.1 or later. For GeoServer versions prior to 2.26.3, update to version 2.26.3 or later. For GeoServer versions prior to 2.25.7, update to version 2.25.7 or later. For GeoTools versions prior to 33.1, update to version 33.1 or later. For GeoTools versions prior to 32.3, update to version 32.3 or later. For GeoTools versions prior to 31.7, update to version 31.7 or later. For GeoTools versions prior to 28.6.1, update to version 28.6.1 or later. For GeoNetwork versions prior to 4.4.8, update to version 4.4.8 or later. For GeoNetwork versions prior to 4.2.13, update to version 4.2.13 or later.

**Name of the Vulnerable Software and Affected Versions** TEIGarage versions prior to 1.2.4 **Description** The Document Conversion Service in TEIGarage contains a critical XML External Entity (XXE) Injection issue in its document conversion functionality. This allows an attacker to read arbitrary files from the server's filesystem, potentially exposing configuration files, credentials, or other confidential information. Depending on the server configuration, this could also be used to perform server-side request forgery (SSRF) attacks. **Recommendations** For versions prior to 1.2.4, update to version 1.2.4 to resolve the issue. As a temporary workaround, consider disabling external entity processing in the XML parser by setting the appropriate security features, such as `XMLConstants.FEATURE SECURE PROCESSING`.

**Name of the Vulnerable Software and Affected Versions** LocalS3 versions prior to 1.21 **Description** The issue concerns XML External Entity (XXE) injection in the bucket creation endpoint. When processing the CreateBucketConfiguration XML document, the service's XML parser resolves external entities without proper validation, allowing an attacker to declare an external entity that references an internal URL. This enables server-side request forgery (SSRF) attacks, making requests to internal services or resources that should not be accessible from external networks, and potentially leaking sensitive information. **Recommendations** For versions prior to 1.21, update to version 1.21 or later to resolve the issue. As a temporary workaround, consider restricting access to the bucket creation endpoint to minimize the risk of exploitation. Avoid using the CreateBucketConfiguration XML document with external entities until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** GHOSTS versions 8.0.0.0 through 8.2.7.89 **Description** A path traversal vulnerability was discovered in GHOSTS that allows an attacker to access files outside of the intended directory through the photo retrieval endpoint. The vulnerability exists in the "/api/npcs/{id}/photo" endpoint, which is designed to serve profile photos for NPCs (Non-Player Characters) but fails to properly validate and sanitize file paths. When an NPC is created with a specially crafted `photoLink` value containing path traversal sequences (../, .., etc.), the application processes these sequences without proper sanitization. This allows an attacker to traverse directory structures and access files outside of the intended photo directory, potentially exposing sensitive system files. The vulnerability is particularly severe because it allows reading arbitrary files from the server's filesystem with the permissions of the web application process, which could include configuration files, credentials, or other sensitive data. **Recommendations** For GHOSTS versions 8.0.0.0 through 8.2.7.89, upgrade to version 8.2.7.90 to address the vulnerability. As a temporary workaround, consider restricting access to the "/api/npcs/{id}/photo" endpoint until the issue is resolved. Avoid using the `photoLink` parameter in the affected API endpoint until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: ZOO-Project (affected versions not specified) Description: A vulnerability in the ZOO-Project's WPS implementation allows unauthorized access to files outside the intended directory through path traversal. Specifically, the Gdal Translate service, when processing VRT files, does not properly validate file paths referenced in the VRTRasterBand element, allowing attackers to read arbitrary files on the system. The vulnerability exists because the service doesn't properly sanitize the `SourceFilename` parameter in VRT files, allowing relative path traversal sequences (../). This allows reading arbitrary files as raw binary data and converting them to TIFF format, effectively exposing their contents. An unauthenticated attacker can read arbitrary files from the system through path traversal, potentially accessing sensitive information such as configuration files, credentials, or other confidential data stored on the server. Recommendations: To resolve the issue, all users are advised to upgrade to a version that includes the fix, as committed in `5f155a8`. As a temporary workaround, consider restricting access to the Gdal Translate service until the update is applied. Additionally, avoid using the `SourceFilename` parameter in VRT files until the issue is resolved. There are no known workarounds for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Label Studio versions prior to 1.16.0 Label Studio SDK versions prior to 1.0.10 Description: A path traversal vulnerability in Label Studio SDK allows unauthorized file access outside the intended directory structure. The flaw exists in the VOC, COCO, and YOLO export functionalities, which invoke a `download` function on the `label-studio-sdk` python package that fails to validate file paths when processing image references during task exports. By creating tasks with path traversal sequences in the image field, an attacker can force the application to read files from arbitrary server filesystem locations when exporting projects in any of the mentioned formats. This is an authentication-required vulnerability allowing arbitrary file reads from the server filesystem, potentially exposing sensitive information like configuration files, credentials, and confidential data. Recommendations: To mitigate this issue, Label Studio users should upgrade to version 1.16.0 or newer. As a temporary workaround, consider validating and sanitizing file paths, adding an allowlist of directories and file types, implementing file access controls, and using randomized file names and secure file storage abstraction. Restrict access to the vulnerable `download` function in the `label-studio-sdk` python package to minimize the risk of exploitation. Avoid using the `image` field in the affected API endpoint until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: Label Studio versions prior to 1.16.0 Description: Label Studio's S3 storage integration feature contains a Server-Side Request Forgery (SSRF) vulnerability in its endpoint configuration. When creating an S3 storage connection, the application allows users to specify a custom S3 endpoint URL via the `s3 endpoint` parameter. This endpoint URL is passed directly to the boto3 AWS SDK without proper validation or restrictions on the protocol or destination. The vulnerability allows an attacker to make the application send HTTP requests to arbitrary internal services by specifying them as the S3 endpoint. When the storage sync operation is triggered, the application attempts to make S3 API calls to the specified endpoint, effectively making HTTP requests to the target service and returning the response in error messages. This SSRF vulnerability enables attackers to bypass network segmentation and access internal services that should not be accessible from the external network. The vulnerability is particularly severe because error messages from failed requests contain the full response body, allowing data exfiltration from internal services. Recommendations: To resolve the issue, update to version 1.16.0 or later, which contains a patch for the SSRF vulnerability. As a temporary workaround, consider implementing strict validation of S3 endpoint URLs to allow only valid S3 service endpoints, adding an allowlist of endpoint domains and protocols, and sanitizing error messages to prevent leakage of sensitive information from failed requests. Additionally, consider implementing network-level controls to restrict outbound connections from the application server.

Name of the Vulnerable Software and Affected Versions: Label Studio versions prior to 1.16.0 Description: The issue allows injection of arbitrary HTML through a `GET` request with an appropriately crafted `label config` query parameter at the `/projects/upload-example` endpoint. This enables Cross-Site Scripting (XSS) by rendering user-provided HTML content without proper sanitization. Although the application has a Content Security Policy (CSP), it is ineffective in preventing script execution because it is set in report-only mode. The vulnerability can be exploited by getting victims to visit a maliciously crafted URL, potentially allowing theft of sensitive data, session hijacking, or other malicious actions. Recommendations: For versions prior to 1.16.0, update to version 1.16.0 or later to resolve the issue. As a temporary workaround, consider enabling the Content Security Policy in enforcement mode instead of report-only mode to actively block unauthorized script execution. Restrict access to the `/projects/upload-example` endpoint to minimize the risk of exploitation. Avoid using the `label config` query parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** ZOO-Project versions prior to commit 7a5ae1a **Description** The issue is related to a reflected Cross-Site Scripting vulnerability in the ZOO-Project Web Processing Service (WPS) publish.py CGI script. This vulnerability occurs because the script reflects user input from the `jobid` parameter in its HTTP response without proper HTML encoding or sanitization, allowing an attacker to inject malicious JavaScript code. When a victim visits a specially crafted URL pointing to this endpoint, arbitrary JavaScript code can be executed in their browser context. **Recommendations** As a temporary workaround, consider disabling the `jobid` parameter in the publish.py CGI script until a patch is available. Restrict access to the publish.py CGI script to minimize the risk of exploitation. Avoid using the `jobid` parameter in the affected endpoint until the issue is resolved. Update to a version that includes the fix provided in commit 7a5ae1a to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** ZOO-Project versions prior to commit 7a5ae1a **Description** The ZOO-Project Web Processing Service (WPS) Server contains a Cross-Site Scripting (XSS) vulnerability in its EchoProcess service. The vulnerability exists because the EchoProcess service directly reflects user input in its output without proper sanitization when handling complex inputs. The service accepts various input formats including XML, JSON, and SVG, and returns the content based on the requested MIME type. When processing SVG content and returning it with the image/svg+xml MIME type, the server fails to sanitize potentially malicious JavaScript in attributes like `onload`, allowing arbitrary JavaScript execution in the victim's browser context. **Recommendations** For ZOO-Project versions prior to commit 7a5ae1a, update to a version that includes the fix committed in 7a5ae1a to resolve the issue. As a temporary workaround, consider disabling the EchoProcess service or restricting the handling of SVG content to minimize the risk of exploitation. Avoid using the EchoProcess service with SVG inputs until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: org.gaul S3Proxy versions prior to 2.6.0 Description: The issue affects users of the filesystem and filesystem-nio2 storage backends, potentially exposing local files to authenticated clients. This could lead to unauthorized access to sensitive information. There are no known workarounds for this issue. Recommendations: For versions prior to 2.6.0, upgrade to version 2.6.0 to resolve the issue. As a temporary workaround, consider restricting access to the filesystem and filesystem-nio2 storage backends until the upgrade is applied.

Name of the Vulnerable Software and Affected Versions: ZOO-Project (affected versions not specified) Description: A path traversal vulnerability was discovered in the Echo example of ZOO-Project, a C-based WPS (Web Processing Service) implementation. The Echo example, available by default in Zoo installs, implements file caching controlled by user-given parameters. Due to the lack of input validation in this parameter, an attacker can fully control the file returned in the response. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: EDDI (Enhanced Dialog Driven Interface) versions prior to 5.4 Description: A path traversal vulnerability exists in the backup export functionality of EDDI, as implemented in `RestExportService.java`. This vulnerability allows an attacker to access sensitive files on the server by manipulating the `botFilename` parameter in requests. The application fails to sanitize user input, enabling malicious inputs such as `..%2f..%2fetc%2fpasswd` to access arbitrary files. However, the severity of this vulnerability is significantly limited because EDDI typically runs within a Docker container, which provides additional layers of isolation and restricted permissions. As a result, while this vulnerability exposes files within the container, it does not inherently threaten the underlying host system or other containers. Recommendations: For versions prior to 5.4, upgrade to version 5.4, which contains the necessary patch to sanitize and validate the `botFilename` input parameter. As a temporary workaround, consider restricting access to the vulnerable endpoint through firewall rules or authentication mechanisms.