ghsa

### Project Address: Project Address [1Panel](https://github.com/1Panel-dev/1Panel) ### Official website: https://www.1panel.cn/ ### Time: 2025 07 26 ### Version: 1panel V2.0.5 ### Vulnerability Summary - First, we introduce the concepts of 1panel v2 Core and Agent. After the new version is released, 1panel adds the node management function, which allows you to control other hosts by adding nodes. - The HTTPS protocol used for communication between the Core and Agent sides did not fully verify the authenticity of the certificate during certificate verification, resulting in unauthorized interfaces. The presence of a large number of command execution or high-privilege interfaces in the 1panel led to RCE.  ### Code audit process 1. First we go to the Agent HTTP routing fileagent/init/router/router.go  2. It was foun...

### Summary A path traversal vulnerability was discovered in WASM Traefik’s plugin installation mechanism. By supplying a maliciously crafted ZIP archive containing file paths with `../` sequences, an attacker can overwrite arbitrary files on the system outside of the intended plugin directory. This can lead to remote code execution (RCE), privilege escalation, persistence, or denial of service. **✅ After investigation, it is confirmed that no plugins on the [Catalog](https://plugins.traefik.io/plugins) were affected. There is no known impact.** ### Details The vulnerability resides in the WASM plugin extraction logic, specifically in the `unzipFile` function (`/plugins/client.go`). The application constructs file paths during ZIP extraction using `filepath.Join(destDir, f.Name)` without validating or sanitizing `f.Name`. If the ZIP archive contains entries with `../`, the resulting path can escape the intended directory, allowing writes to arbitrary locations on the host filesystem....

### Summary Nested imports of MaterialX files can lead to a crash via stack memory exhaustion, due to the lack of a limit on the "import chain" depth. ### Details The MaterialX [specification](https://github.com/AcademySoftwareFoundation/MaterialX/blob/main/documents/Specification/MaterialX.Specification.md#mtlx-file-format-definition) supports importing other files by using `XInclude` tags. When parsing file imports, recursion is used to process nested files in the form of a tree with the root node being the first MaterialX files parsed. However, there is no limit imposed to the depth of files that can be parsed by the library, therefore, by building a sufficiently deep chain of MaterialX files one referencing the next, it is possible to crash the process using the MaterialX library via stack exhaustion. ### PoC This test is going to employ Windows UNC paths, in order to make the Proof Of Concept more realistic. In fact, by using windows network shares, an attacker would be able t...

### Summary When parsing an MTLX file with multiple nested `nodegraph` implementations, the MaterialX XML parsing logic can potentially crash due to stack exhaustion. ### Details By specification, multiple kinds of elements in MTLX support nesting other elements, such as in the case of `nodegraph` elements. Parsing these subtrees is implemented via recursion, and since there is no max depth imposed on the XML document, this can lead to a stack overflow when the library parses an MTLX file with an excessively high number of nested elements. ### PoC Please download the `recursion_overflow.mtlx` file from the following link: https://github.com/ShielderSec/poc/tree/main/CVE-2025-53009 `build/bin/MaterialXView --material recursion_overflow.mtlx` ### Impact An attacker could intentionally crash a target program that uses OpenEXR by sending a malicious MTLX file.

The `num2words` project was compromised via a phishing attack and two new versions were uploaded to PyPI containing malicious code. The affected versions have been removed from PyPI, and users are advised to remove the affected versions from their environments.

### Summary The OpenEXR file format defines many information about the final image inside of the file header, such as the size of data/display window. The application trusts the value of `dataWindow` size provided in the header of the input file, and performs computations based on this value. This may result in unintended behaviors, such as excessively large number of iterations and/or huge memory allocations. ### Details A concrete example of this issue is present in the function `readScanline()` in `ImfCheckFile.cpp` at line 235, that performs a for-loop using the `dataWindow min.y` and `max.y` coordinates that can be arbitrarily large. ```cpp in.setFrameBuffer (i); int step = 1; // // try reading scanlines. Continue reading scanlines // even if an exception is encountered // for (int y = dw.min.y; y <= dw.max.y; y += step) // <-- THIS LOOP IS EXCESSIVE BECAUSE OF DW.MAX { try { in.readPixels (y); } catch (...) { threw = true; // ...

### Summary When reading a deep scanline image with a large sample count in `reduceMemory` mode, it is possible to crash a target application with a NULL pointer dereference in a write operation. ### Details In the `ScanLineProcess::run_fill` function, implemented in `src/lib/OpenEXR/ImfDeepScanLineInputFile.cpp`, the following code is used to write the `fillValue` in the sample buffer: ```cpp switch (fills.type) { case OPENEXR_IMF_INTERNAL_NAMESPACE::UINT: { unsigned int fillVal = (unsigned int) (fills.fillValue); unsigned int* fillptr = static_cast<unsigned int*> (dest); for ( int32_t s = 0; s < samps; ++s ) fillptr[s] = fillVal; // <--- POTENTIAL CRASH HERE break; } ``` However, when `reduceMemory` mode is enabled in the `readDeepScanLine` function in `src/lib/Open...

### Summary The OpenEXRCore code is vulnerable to a heap-based buffer overflow during a read operation due to bad pointer math when decompressing DWAA-packed scan-line EXR files with a maliciously forged chunk. ### Details In the `LossyDctDecoder_execute` function (from `src/lib/OpenEXRCore/internal_dwa_decoder.h`, when SSE2 is enabled), the following code is used to copy data from the chunks: ```cpp // no-op conversion to linear for (int y = 8 * blocky; y < 8 * blocky + maxY; ++y) { __m128i* restrict dst = (__m128i *) chanData[comp]->_rows[y]; __m128i const * restrict src = (__m128i const *)&rowBlock[comp][(y & 0x7) * 8]; for (int blockx = 0; blockx < numFullBlocksX; ++blockx) { _mm_storeu_si128 (dst, _mm_loadu_si128 (src)); // src += 8 * 8; // <--- si128 pointer incremented as a uint16_t dst += 8; } } ``` The issue arises because the `src` pointer, which is a `si128` pointer, is incremented by `8*8`, as if it were a `uint16_t` pointer...

### Summary The OpenEXRCore code is vulnerable to a heap-based buffer overflow during a write operation when decompressing ZIPS-packed deep scan-line EXR files with a maliciously forged chunk header. ### Details When parsing `STORAGE_DEEP_SCANLINE` chunks from an EXR file, the following code (from `src/lib/OpenEXRCore/chunk.c`) is used to extract the chunk information: ```cpp if (part->storage_mode == EXR_STORAGE_DEEP_SCANLINE) // SNIP... cinfo->sample_count_data_offset = dataoff; cinfo->sample_count_table_size = (uint64_t) ddata[0]; cinfo->data_offset = dataoff + (uint64_t) ddata[0]; cinfo->packed_size = (uint64_t) ddata[1]; cinfo->unpacked_size = (uint64_t) ddata[2]; // SNIP... ``` By storing this information, the code that will later decompress and reconstruct the chunk bytes, will know how much space the uncompressed data will occupy. This size is carried along in the chain of decoding/decompression...

A Stored Cross-Site Scripting (XSS) vulnerability in Microweber CMS 2.0 allows attackers to inject malicious scripts into user profile fields, leading to arbitrary JavaScript execution in admin browsers.