ghsa

## Summary When a server calls an upstream service using different auth tokens, axios-cache-interceptor returns incorrect cached responses, leading to authorization bypass. ## Details The cache key is generated only from the URL, ignoring request headers like `Authorization`. When the server responds with `Vary: Authorization` (indicating the response varies by auth token), the library ignores this, causing all requests to share the same cache regardless of authorization. ## Impact **Affected:** Server-side applications (APIs, proxies, backend services) that: - Use axios-cache-interceptor to cache requests to upstream services - Handle requests from multiple users with different auth tokens - Upstream services replies on `Vary` to differentiate caches **Not affected:** Browser/client-side applications (single user per browser session). Services using different auth tokens to call upstream services will return incorrect cached data, bypassing authorization checks and leaking use...

A NestJS application is vulnerable if it meets all of the following criteria: 1. Platform: Uses `@nestjs/platform-fastify`. 2. Security Mechanism: Relies on `NestMiddleware` (via `MiddlewareConsumer`) for security checks (authentication, authorization, etc.), or through `app.use()` 3. Routing: Applies middleware to specific routes using string paths or controllers (e.g., `.forRoutes('admin')`). Example Vulnerable Config: ```ts // app.module.ts export class AppModule implements NestModule { configure(consumer: MiddlewareConsumer) { consumer .apply(AuthMiddleware) // Security check .forRoutes('admin'); // Vulnerable: Path-based restriction } } ``` Attack Vector: - Target Route: `/admin` - Middleware Path: `admin` - Attack Request: `GET /%61dmin` - Result: Middleware is skipped (no match on `%61dmin`), but controller for `/admin` is executed. Consequences: - Authentication Bypass: Unauthenticated users can access protected routes. - Authorization Bypass: Restri...

### Summary An unauthenticated remote attacker can trigger generation of a configuration backup ZIP via `POST /api/setup/backup` and then download the generated ZIP from a web-accessible location. The ZIP contains sensitive configuration files (e.g., `database.php` with database credentials), leading to high-impact information disclosure and potential follow-on compromise. ### Details The endpoint `/api/setup/backup` is reachable via default rewrite rules and does not enforce authentication/authorization or API token verification. When called with any non-empty body (used as an “installed version” string), the server creates a ZIP archive inside the configuration directory and returns a direct URL to the generated ZIP file. Relevant code paths: - Rewrite rule exposing the endpoint: - `phpmyfaq/.htaccess`: `RewriteRule ^api/setup/(check|backup|update-database) api/index.php [L,QSA]` - Controller implementation: - `phpmyfaq/src/phpMyFAQ/Controller/Api/SetupController.php` → `backup...

### Summary Picklescan uses _operator.attrgetter, which is a built-in python library function to execute remote pickle files. ### Details The attack payload executes in the following steps: - First, the attacker crafts the payload by calling the _operator.attrgetter function in the reduce method. - Then, when the victim, after checking whether the pickle file is safe by using the Picklescan library and finding that this library doesn't detect any dangerous functions, decides to call pickle.load() on this malicious pickle file, it leads to remote code execution. ### PoC ``` import pickle import pickletools opcode3 = b'''cbuiltins __import__ (Vos tRp0 0c_operator attrgetter (Vsystem tR(g0 tR(Vecho "pwned by _operator.attrgetter" tR.''' pickletools.dis(opcode3) pickle.loads(opcode3) ``` This PoC can't be easily create by pickle.dumps, so it was manually built. ### Impact Any organization or individual relying on picklescan to detect malicious pickle files inside PyTorch models. Attac...

### Summary Picklescan uses _operator.methodcaller, which is a built-in python library function to execute remote pickle files. ### Details The attack payload executes in the following steps: - First, the attacker crafts the payload by calling to _operator.methodcaller function in reduce method - Then when after the victim after checks whether or not the pickle file is safe by using Picklescan library and the library doesn't dectect any dangerous functions, pickle.load() loads this malicious pickle file, thus lead to remote code execution. ### PoC ``` import pickle import pickletools opcode2 = b'''cbuiltins __import__ (Vos tRp0 0c_operator methodcaller (Vsystem Vecho "pwned by _operator.methodcaller" tR(g0 tR.''' pickletools.dis(opcode2) pickle.loads(opcode2) ``` This PoC can't be easily create by pickle.dumps, so it was manually built. ### Impact Any organization or individual relying on picklescan to detect malicious pickle files inside PyTorch models. Attackers can embed mali...

### Summary Picklescan uses the `numpy.f2py.crackfortran._eval_length` function (a NumPy F2PY helper) to execute arbitrary Python code during unpickling. ### Details Picklescan fails to detect a malicious pickle that uses the gadget `numpy.f2py.crackfortran._eval_length` in `__reduce__`, allowing arbitrary command execution when the pickle is loaded. A crafted object returns this function plus attacker‑controlled arguments; the scan reports the file as safe, but pickle.load() triggers execution. ### PoC ```python class PoC: def __reduce__(self): from numpy.f2py.crackfortran import _eval_length return _eval_length, ("__import__('os').system('whoami')", None) ``` ### Impact - Arbitrary code execution on the victim machine once they load the “scanned as safe” pickle / model file. - Affects any workflow relying on Picklescan to vet untrusted pickle / PyTorch artifacts. - Enables supply‑chain poisoning of shared model files. ### Credits - [ac0d3r](https://github.c...

### Summary Picklescan uses the `numpy.f2py.crackfortran.getlincoef` function (a NumPy F2PY helper) to execute arbitrary Python code during unpickling. ### Details Picklescan fails to detect a malicious pickle that uses the gadget `numpy.f2py.crackfortran.getlincoef` in `__reduce__`, allowing arbitrary command execution when the pickle is loaded. A crafted object returns this function plus attacker‑controlled arguments; the scan reports the file as safe, but pickle.load() triggers execution. ### PoC ```python class PoC: def __reduce__(self): from numpy.f2py.crackfortran import getlincoef return getlincoef, ("__import__('os').system('whoami')", None) ``` ### Impact - Arbitrary code execution on the victim machine once they load the “scanned as safe” pickle / model file. - Affects any workflow relying on Picklescan to vet untrusted pickle / PyTorch artifacts. - Enables supply‑chain poisoning of shared model files. ### Credits - [ac0d3r](https://github.com/ac0d3...

> [!NOTE] > Message from the Pterodactyl team: > > The Pterodactyl team has evaluated this as a minor security issue but does not consider it something that should be assigned a CVE, nor does it require active patching by vulnerable systems. > > This issue is entirely self-inflicted and requires an administrative user paste an _obviously_ incorrect value into a database host field, submit it, and run into the XSS when the error message is rendered. However, we have determined that this fix is good security hygiene and may prevent issues in other areas not yet discovered. ### Summary When an administrative user creates a new database host they are prompted to provide a `Host` value which is expected to be a domain or IP address. When an invalid value is encountered and passed back to `gethostaddr` and/or directly to the MySQL connection tooling, an error is returned. This error is then passed back along to the front-end, but was not properly sanitized when rendered. Therefore it is po...

### Summary Picklescan uses numpy.f2py.crackfortran.param_eval, which is a function in numpy to execute remote pickle files. ### Details The attack payload executes in the following steps: - First, the attacker crafts the payload by calling the numpy.f2py.crackfortran.param_eval function via reduce method. - Then, when the victim checks whether the pickle file is safe by using the Picklescan library and this library doesn't detect any dangerous functions, they decide to use pickle.load() on this malicious pickle file, thus leading to remote code execution. ### PoC ``` class RCE: def __reduce__(self): from numpy.f2py.crackfortran import param_eval return (param_eval,("os.system('ls')",None,None,None)) ``` ### Impact Any organization or individual relying on picklescan to detect malicious pickle files inside PyTorch models. Attackers can embed malicious code in pickle file that remains undetected but executes when the pickle file is loaded. Attackers can distrib...

### Summary A stored cross-site scripting (XSS) vulnerability allows an attacker to execute arbitrary JavaScript in an administrator’s browser by registering a user whose **display name** contains HTML entities (e.g., `<img ...>`). When an administrator views the admin user list, the payload is decoded server-side and rendered without escaping, resulting in script execution in the admin context. ### Details Root cause is the following chain: - **User-controlled input stored**: attacker-provided `display_name` (real name) is stored in DB (often as HTML entities, e.g., `<img ...>`). - **Decode on read**: `phpmyfaq/src/phpMyFAQ/User/UserData.php` decodes `display_name` using `html_entity_decode(...)` (“for backward compatibility”). - **Unsafe sink**: admin user list renders the decoded value unescaped using Twig `|raw`: - `phpmyfaq/assets/templates/admin/user/users.twig` (users table uses `{{ user.display_name|raw }}`) As a result, an entity-encoded payload becomes active ...