Zaddy6

**Name of the Vulnerable Software and Affected Versions** Fleet versions prior to 4.82.0 **Description** A flaw in the Windows MDM enrollment flow allows authentication tokens from any Azure AD tenant to be accepted. The software validates JWT (JSON Web Token) signatures using Microsoft's multi-tenant JWKS endpoint but fails to enforce the `aud` (audience) or `iss` (issuer) claims. Consequently, any Microsoft-signed Azure AD access token with the required scopes can authenticate to MDM endpoints. An attacker with access to any Azure AD tenant can use a valid token to enroll unauthorized devices and interact with MDM management APIs. Additionally, sensitive enrollment secrets embedded in MDM command payloads may be exposed during device management, potentially leading to further unauthorized access. **Recommendations** Update to version 4.82.0. As a temporary workaround, disable Windows MDM.

**Name of the Vulnerable Software and Affected Versions** Strapi versions prior to 5.33.3 **Description** Changing or resetting a user's password does not invalidate existing refresh-token sessions by default. In the users-permissions and admin authentication controllers, the invalidation process depends on a caller-supplied `deviceId`. If a password change or reset request is made without a `deviceId`, no refresh tokens are revoked, which keeps all previous sessions active. This allows an attacker with a previously obtained refresh token to continue generating new access tokens even after a password reset, enabling unauthorized access for the duration of the refresh token's lifetime, which is 30 days by default. **Recommendations** Update to version 5.33.3 or later.

**Name of the Vulnerable Software and Affected Versions** ERP versions up to 15.98.0 ERP versions 16.0.0-rc.1 through 16.6.0 **Description** Certain API endpoints in ERP lacked proper access validation, potentially allowing unauthorized access to documents. The issue affects versions up to 15.98.0 and 16.0.0-rc.1 through 16.6.0. The lack of authorization on APIs could allow unauthenticated attackers to access sensitive documents. **Recommendations** Update to version 15.98.1 or later. Update to version 16.6.1 or later.

**Name of the Vulnerable Software and Affected Versions** vLLM versions 0.10.1 through 0.13.x **Description** vLLM is an inference and serving engine for large language models (LLMs). The software loads Hugging Face `auto map` dynamic modules during model resolution without verifying `trust remote code`. This allows attacker-controlled Python code within a model repository or path to execute when the server starts. An attacker who can control the model repository or path can achieve arbitrary code execution on the vLLM host during model loading. This occurs before any request handling and does not require API access. The `auto map` resolution in `vllm/model executor/models/registry.py` and the execution of code through `get class from dynamic module` in `vllm/transformers utils/dynamic module.py` are relevant to this issue. **Recommendations** Upgrade to vLLM version 0.14.0 or later. Audit any custom Hugging Face models loaded in your ML pipeline.

**Name of the Vulnerable Software and Affected Versions** Docmost versions 0.3.0 through 0.23.2 **Description** Docmost is collaborative wiki and documentation software. Versions 0.3.0 through 0.23.2 are susceptible to stored Cross-Site Scripting (XSS) due to improper sanitization when rendering Mermaid code blocks. The `mermaid.render()` function is used to render diagrams, and the resulting SVG/HTML is injected into the Document Object Model (DOM) using `dangerouslySetInnerHTML` without appropriate sanitization. Mermaid’s `%%{init}%%` directives can override security settings and enable HTML labels, allowing arbitrary HTML and JavaScript execution for anyone viewing the diagrams. **Recommendations** Update to version 0.24.0 or later.

**Name of the Vulnerable Software and Affected Versions** @remix-run/react versions prior to 2.17.3 react-router versions 7.0.0 through 7.11.0 **Description** React Router, a router for React, contains a cross-site scripting (XSS) issue within the `<ScrollRestoration>` API when operating in Framework Mode during Server-Side Rendering (SSR). This flaw arises when utilizing the `getKey` or `storageKey` props, potentially enabling arbitrary JavaScript execution if untrusted content is used to generate the keys. The issue does not impact systems where server-side rendering in Framework Mode is disabled, or when using Declarative Mode (`<BrowserRouter>`) or Data Mode (`createBrowserRouter/<RouterProvider>`). The vulnerability is triggered during SSR and could allow for the execution of malicious scripts. **Recommendations** @remix-run/react versions prior to 2.17.3 should be updated to version 2.17.3 or later. react-router versions 7.0.0 through 7.11.0 should be updated to version 7.12.0 or later.

**Name of the Vulnerable Software and Affected Versions** Flowise versions 3.0.5 and earlier **Description** The `forgot-password` endpoint returns sensitive information, including a valid password reset `tempToken`, without requiring authentication or verification. This allows a remote attacker to generate a reset token for any user and reset their password, leading to a complete account takeover (ATO). This issue affects both the cloud service (`cloud.flowiseai.com`) and self-hosted or local deployments. Specifically, the endpoint '/api/v1/account/forgot-password' accepts an email address and responds with user details and a `tempToken`, which can then be used in the '/api/v1/account/reset-password' endpoint to change the password. Over 11,000 vulnerable instances have been identified. **Recommendations** Update to version 3.0.6. Do not return reset tokens or sensitive account details in API responses; deliver tokens only via registered email. Configure the `forgot-password` endpoint to respond with a generic success message to prevent user enumeration. Implement strong validation for the `tempToken`, ensuring it is single-use, has a short expiry, is tied to the request origin, and is validated against email delivery. Log and monitor password reset requests for suspicious activity. Implement multi-factor verification for sensitive accounts.