ghsa

Unsafe Deserialization vulnerability in Modular Max Serve before 25.6, specifically when the "--experimental-enable-kvcache-agent" feature is used allowing attackers to execute arbitrary code.

### Summary A user with no view rights on a page may see the content of an office attachment displayed with the view file macro. ### Details If on a public page is displayed an office attachment from a restricted page, a user with no view rights on the restricted page can view the attachment content, no matter the display type used. ### PoC 1. Install and activate the Pro Macros application 2. Create a page and limit the view rights for a test user 3. Add an attachment to the restricted page 4. Create a new public page 5. Add the view file macro and select the attachment from the restricted page using any display type 6. Login as the test user with restricted view rights 7. The user will see the content despite having no view rights ### Workarounds None ### Impact Private data can be leaked if a user knows the reference to an attachment and has edit rights on a page.

## Summary A **Boolean-Based Blind SQL Injection** vulnerability was identified in the LibreNMS application at the `/ajax_output.php` endpoint. The `hostname` parameter is interpolated directly into an SQL query without proper sanitization or parameter binding, allowing an attacker to manipulate the query logic and infer data from the database through conditional responses. --- ## Details - **Vulnerable Endpoint:** `GET /ajax_output.php - **Parameter:** `hostname` - **Authentication Required:** Admin privileges required to access `/ajax_output.php` discovery endpoint - **Vulnerability type:** Boolean-Based Blind SQL Injection — input is concatenated into a SQL statement without proper escaping --- ## Description The LibreNMS application uses the `hostname` parameter during device discovery operations to query the database for matching devices. However, user-supplied data is concatenated directly into the SQL query within `/opt/librenms/includes/html/output/capture.inc.ph...

Host Header Injection vulnerability in Backdrop CMS 1.32.1 allows attackers to manipulate the Host header in password reset requests, leading to redirects to malicious domains and potential session hijacking via cookie injection.

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.

Use of Web Browser Cache Containing Sensitive Information vulnerability in Drupal Drupal core allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.

User Interface (UI) Misrepresentation of Critical Information vulnerability in Drupal Drupal core allows Content Spoofing. This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.

Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Drupal core allows Forceful Browsing. This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.

Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Email TFA allows Functionality Bypass. This issue affects Email TFA: from 0.0.0 before 2.0.6.

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Simple multi step form allows Cross-Site Scripting (XSS).This issue affects Simple multi step form: from 0.0.0 before 2.0.0.