Yotampe-Pluto

**Name of the Vulnerable Software and Affected Versions** Nginx UI versions prior to 2.3.8 **Description** The GetSettings API handler in the `api/settings/settings.go` file serializes all settings structs to JSON and returns them to authenticated users. While many sensitive fields are marked as protected, this restriction is only applied during write operations via the `SaveSettings` function and is ignored during read operations. This results in the exposure of over 40 protected fields, including `JwtSecret`, which allows for authentication token forgery; `NodeSecret`, which enables cluster node impersonation; `OIDC ClientSecret`, which allows for OAuth account takeover; and the IP whitelist configuration. **Recommendations** Update to version 2.3.8.

**Name of the Vulnerable Software and Affected Versions** Nginx UI versions prior to 2.3.6 **Description** An authentication bypass exists in the Model Context Protocol (MCP) integration of Nginx UI. The software exposes two HTTP endpoints: '/mcp' and '/mcp message'. While '/mcp' requires both IP whitelisting and authentication via the `AuthRequired()` middleware, the '/mcp message' endpoint only applies IP whitelisting. Because the default IP whitelist is empty, the middleware treats this as "allow all," permitting any network attacker to invoke MCP tools without authentication. Additionally, the '/api/mcp/invoke' endpoint fails to verify session tokens. This flaw allows remote attackers to achieve complete takeover of the Nginx service by performing actions such as restarting Nginx, creating, modifying, or deleting configuration files, and triggering automatic configuration reloads. Approximately 2,689 exposed instances have been identified worldwide, with active exploitation confirmed in the wild. **Recommendations** Update to Nginx UI version 2.3.6 immediately. As a temporary workaround, disable the Nginx UI service entirely or block access to the management port at the network firewall.

**Name of the Vulnerable Software and Affected Versions** ha-mcp versions prior to 7.0.0 **Description** ha-mcp is a Home Assistant MCP Server. Prior to version 7.0.0, the OAuth consent form renders user-controlled parameters using Python f-strings without proper HTML escaping. This allows an attacker who can reach the OAuth endpoint and convince the server operator to follow a crafted authorization URL to execute JavaScript in the operator's browser. This issue only affects users running the beta OAuth mode (`ha-mcp-oauth`), which requires explicit configuration and is not part of the standard setup. The vulnerability resides in the rendering of parameters like `client name`, `client id`, `redirect uri`, `state`, `error message`, `error`, and `error description` within the `consent form.py` file. An attacker can register a malicious client via the `/register` endpoint and then exploit the lack of HTML escaping to execute a JavaScript payload when the server operator visits a crafted authorization URL. The attack requires convincing the server operator to authorize an unfamiliar application. Successful exploitation could lead to the exfiltration of data entered into the consent form, including the Home Assistant Long-Lived Access Token. **Recommendations** Upgrade to version 7.0.0.

**Name of the Vulnerable Software and Affected Versions** ha-mcp versions prior to 7.0.0 **Description** ha-mcp is a Home Assistant MCP Server. The ha-mcp OAuth consent form (beta feature) accepts a user-supplied `ha url` and makes a server-side HTTP request to `{ha url}/api/config` without URL validation. An unauthenticated attacker can submit arbitrary URLs to perform internal network reconnaissance via an error oracle. Two additional code paths in OAuth tool calls (REST and WebSocket) are affected by the same issue. The primary deployment method (private URL with pre-configured `HOMEASSISTANT TOKEN`) is not affected. The issue allows an attacker to map reachable hosts and open ports from the server's network position. The vulnerability is present in the consent form validation, REST tool calls with forged tokens, and WebSocket tool calls with forged tokens. The REST tool calls make HTTP requests to hardcoded HA API paths on the provided host. The WebSocket tool calls attempt to establish WebSocket connections to `{ha url}/api/websocket`. **Recommendations** Upgrade to version 7.0.0.

**Name of the Vulnerable Software and Affected Versions** mcp-memory-service versions prior to 10.25.1 **Description** mcp-memory-service is an open-source memory backend for multi-agent systems. When the HTTP server is enabled (`MCP HTTP ENABLED=true`), the application configures FastAPI's CORSMiddleware with `allow origins=['*']`, `allow credentials=True`, `allow methods=["*"]`, and `allow headers=["*"]`. The wildcard `Access-Control-Allow-Origin: *` header permits any website to read API responses cross-origin. When combined with anonymous access (`MCP ALLOW ANONYMOUS ACCESS=true`), any malicious website can silently read, modify, and delete all stored memories. The vulnerability is compounded by factors such as binding to all interfaces (`HTTP HOST = '0.0.0.0'`), lack of TLS (`HTTPS ENABLED = 'false'`), and the use of an API key via a query parameter which is cached in browser history and server logs. The issue allows complete cross-origin memory access, memory tampering, and silent exfiltration of data. The attack works by a malicious webpage sending a `fetch` request to the API endpoint without any credentials, and the server responding with the `Access-Control-Allow-Origin: *` header, allowing the browser to expose the response to the attacker's JavaScript. **Recommendations** Versions prior to 10.25.1: Replace the wildcard default for `MCP CORS ORIGINS` with an explicit localhost origin. For example, set `CORS ORIGINS = 'http://localhost:8000,http://127.0.0.1:8000'`. Also, set `allow credentials=False` unless specific origins are configured.

**Name of the Vulnerable Software and Affected Versions** mcp-memory-service versions prior to 10.21.0 **Description** The `/api/health/detailed` endpoint in mcp-memory-service exposes sensitive system information, including OS version, Python version, CPU count, memory details, disk usage, and the full database filesystem path. This exposure occurs when `MCP ALLOW ANONYMOUS ACCESS` is enabled, which is required for HTTP server functionality without authentication. Combined with the default `0.0.0.0` binding, this allows unauthenticated access to this information from the entire network. The exposed data can be used for OS fingerprinting, path disclosure, resource enumeration, and reconnaissance, potentially enabling targeted attacks. The vulnerable code resides in `health.py` lines 90-101 for system information collection and lines 131-132 for database path disclosure. The authentication bypass occurs because the `require read access` function calls `get current user`, which grants access when `MCP ALLOW ANONYMOUS ACCESS` is true. The exposed fields include `platform`, `platform version`, `python version`, `cpu count`, `memory total gb`, `database path`, and `database size mb`. An attacker can scan the network, access the `/api/health/detailed` endpoint without credentials, and use the gathered information to target known vulnerabilities or profile the system for further attacks. **Recommendations** Versions prior to 10.21.0 should implement the following: Remove system details from the default health endpoint, returning only `status`, `version`, and `uptime`. Do not expose the `database path` to prevent filesystem structure disclosure. Add authentication to the basic `/health` endpoint or limit it to status-only information. Bind the service to `127.0.0.1` by default to prevent network-based reconnaissance.

**Name of the Vulnerable Software and Affected Versions** mcp-atlassian (affected versions not specified) **Description** The software contains a critical unauthenticated remote code execution (RCE) and server-side request forgery (SSRF) issue. The RCE is a result of arbitrary file write, leading to arbitrary code execution via an unconstrained `download path` in the `confluence download attachment` function. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MCP Atlassian versions prior to 0.17.0 **Description** MCP Atlassian is a Model Context Protocol (MCP) server used with Atlassian products like Confluence and Jira. Prior to version 0.17.0, an unauthenticated attacker reaching the mcp-atlassian HTTP endpoint can make the server send HTTP requests to a URL controlled by the attacker by providing specific HTTP headers without an `Authorization` header. This occurs in the HTTP middleware and dependency injection layer. In cloud environments, this could lead to the theft of IAM role credentials through the instance metadata endpoint (`169[.]254[.]169[.]254`). In any HTTP deployment, it allows for internal network reconnaissance and the injection of attacker-controlled content into LLM tool results. The issue is related to the absence of required authentication checks for specific HTTP requests. **Recommendations** Versions prior to 0.17.0 should be updated to version 0.17.0 or later.