Yuremin

**Name of the Vulnerable Software and Affected Versions** Traccar versions prior to 6.13.0 **Description** An authorization bypass exists in the GPS tracking system where the 'DeviceResource.uploadImage' endpoint fails to invoke the `permissionsService.checkEdit()` function. While the system uses `Condition.Permission(User.class, getUserId(), Device.class)` for initial authorization, it skips the guard that enforces readonly and deviceReadonly restrictions for non-admin users. This allows an unauthorized user to replace a device's stored image file within the server media directory, modifying UI-visible media and affecting downstream workflows that rely on the persisted image. **Recommendations** Update to version 6.13.0.

**Name of the Vulnerable Software and Affected Versions** MaxKB versions prior to 2.8.1 **Description** Broken access control exists in the OSS file service URL fetch API endpoint "chat/api/oss/get url". The system uses the `application id` variable from the URL path without validating ownership, which allows attackers to perform operations under the policies of other applications. **Recommendations** Update to version 2.8.1.

**Name of the Vulnerable Software and Affected Versions** MaxKB versions prior to 2.8.1 **Description** An issue exists in the OSS file service URL fetch functionality where inconsistent DNS resolution occurs between the validation phase and the actual request execution. This allows for a server-side request forgery (SSRF) bypass, enabling attackers to access internal network services. SSRF is a flaw that allows an attacker to induce the server-side application to make requests to an unintended location. **Recommendations** Update to version 2.8.1.

**Name of the Vulnerable Software and Affected Versions** OneDev versions prior to 15.0.2 **Description** OneDev is a Git server featuring CI/CD, kanban, and packages. A flaw exists where the boundary between repository-controlled LFS (Large File Storage) metadata and server-local filesystem paths is breached. This allows a repository object to redirect raw blob reads to arbitrary local files accessible by the server account. Consequently, any user with push permissions to a repository can access any server files that the server process has permission to read. **Recommendations** Update to version 15.0.2.

Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.32.2, the podcast creation endpoint at server/controllers/PodcastController.js accepts a user-controlled file path without sufficient boundary validation to ensure it remains within the intended library directory. This vulnerability is fixed in 2.32.2.

**Name of the Vulnerable Software and Affected Versions** Beets versions prior to 2.10.0 **Description** The bundled web UI uses Underscore template interpolation mode `<%= ... %>` for untrusted metadata fields. In this runtime, `<%= ... %>` performs raw insertion, whereas HTML escaping is only handled by `<%- ... %>`. The rendered output is then inserted using `.html(...)`, which allows attacker-controlled markup to become active DOM, leading to Cross-Site Scripting (XSS), a condition where malicious scripts are injected into trusted websites. **Recommendations** Update to version 2.10.0.

**Name of the Vulnerable Software and Affected Versions** electerm versions prior to 3.3.8 **Description** A command injection issue exists in the `runMac()` function within the file `github.com/elcterm/electerm/npm/install.js:150`. The function appends the remote `releaseInfo.name` variable, which can be controlled by an attacker, directly into an `exec("open ...")` command without proper validation. This affects users running `npm install -g electerm` on Mac OS. An attacker capable of controlling the remote release metadata served by the project's update server could execute arbitrary system commands, tamper with local files, and compromise development or runtime assets. **Recommendations** Update to version 3.3.8.