ghsa

Please find POC file here https://trendmicro-my.sharepoint.com/:u:/p/kholoud_altookhy/IQCfcnOE5ykQSb6Fm-HFI872AZ_zeIJxU-3aDk0jh_eX_NE?e=zkN76d ZDI-CAN-28575: LibreNMS Alert Rule API Cross-Site Scripting Vulnerability -- CVSS ----------------------------------------- 4.3: AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L -- ABSTRACT ------------------------------------- Trend Micro's Zero Day Initiative has identified a vulnerability affecting the following products: LibreNMS - LibreNMS -- VULNERABILITY DETAILS ------------------------ * Version tested: 25.10.0 * Installer file: NA * Platform tested: NA --- ### Analysis LibreNMS Alert Rule API Stored Cross-Site Scripting # Overview Alert rules can be created or updated via LibreNMS API. The alert rule name is not properly sanitized, and can be used to inject HTML code. # Affected versions The latest version at the time of writing (25.10.0) is vulnerable. # Root cause When an alert rule is created or updated via the API, function `add_ed...

## Summary The download service (`download_service.py`) makes HTTP requests using raw `requests.get()` without utilizing the application's SSRF protection (`safe_requests.py`). This can allow attackers to access internal services and attempt to reach cloud provider metadata endpoints (AWS/GCP/Azure), as well as perform internal network reconnaissance, by submitting malicious URLs through the API, depending on the deployment and surrounding controls. **CWE**: CWE-918 (Server-Side Request Forgery) --- ## Details ### Vulnerable Code Location **File**: `src/local_deep_research/research_library/services/download_service.py` The application has proper SSRF protection implemented in `security/safe_requests.py` and `security/ssrf_validator.py`, which blocks: - Loopback addresses (127.0.0.0/8) - Private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) - AWS metadata endpoint (169.254.169.254) - Link-local addresses However, `download_service.py` bypasses this protection by using ra...

Hi Fedify team! 👋 Thank you for your work on Fedify—it's a fantastic library for building federated applications. While reviewing the codebase, I discovered a Regular Expression Denial of Service (ReDoS) vulnerability that I'd like to report. I hope this helps improve the project's security. --- ## Summary A Regular Expression Denial of Service (ReDoS) vulnerability exists in Fedify's document loader. The HTML parsing regex at `packages/fedify/src/runtime/docloader.ts:259` contains nested quantifiers that cause catastrophic backtracking when processing maliciously crafted HTML responses. **An attacker-controlled federated server can respond with a small (~170 bytes) malicious HTML payload that blocks the victim's Node.js event loop for 14+ seconds, causing a Denial of Service.** | Field | Value | |-------|-------| | **CWE** | CWE-1333 (Inefficient Regular Expression Complexity) | --- ## Details ### Vulnerable Code The vulnerability is located in `packages/fedify/src/runtime...

A stored cross-site scripting (XSS) vulnerability in the Page Settings module of Piranha CMS v12.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Excerpt field.

A stored cross-site scripting (XSS) vulnerability in the Media module of Piranha CMS v12.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Name field.

An arbitrary file upload vulnerability in Umbraco CMS v16.3.3 allows attackers to execute arbitrary code via uploading a crafted PDF file.

### Impact `Schema.load(data, many=True)` is vulnerable to denial of service attacks. A moderately sized request can consume a disproportionate amount of CPU time. ### Patches 4.1.2, 3.26.2 ### Workarounds ```py # Fail fast def load_many(schema, data, **kwargs): if not isinstance(data, list): raise ValidationError(['Invalid input type.']) return [schema.load(item, **kwargs) for item in data] ```

### Impact An Arbitrary File Read vulnerability has been identified in KEDA, potentially affecting any KEDA resource that uses TriggerAuthentication to configure HashiCorp Vault authentication. The vulnerability stems from an incorrect or insufficient path validation when loading the Service Account Token specified in spec.hashiCorpVault.credential.serviceAccount. An attacker with permissions to create or modify a TriggerAuthentication resource can exfiltrate the content of any file from the node's filesystem (where the KEDA pod resides) by directing the file's content to a server under their control, as part of the Vault authentication request. The potential impact includes the exfiltration of sensitive system information, such as secrets, keys, or the content of files like /etc/passwd. ### Patches The problem has been patched in v2.17.3 and 2.18.3 as well as in main branch. ### Workarounds The only effective workaround is the strict restriction of permissions for creating and mo...

### Impact n8n contains a critical Remote Code Execution (RCE) vulnerability in its workflow expression evaluation system. Under certain conditions, expressions supplied by authenticated users during workflow configuration may be evaluated in an execution context that is not sufficiently isolated from the underlying runtime. An authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process. Successful exploitation may lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system-level operations. ### Patches This issue has been fixed in **n8n v1.122.0**. Users are strongly advised to upgrade to version **1.122.0 or later**, which introduces additional safeguards to restrict expression evaluation. ### Workarounds If upgrading is not immediately possible, administrators should consider the following temporary mitigations: - Limit workflow creation...

### Summary A Server-Side Request Forgery (SSRF) vulnerability in Cowrie's emulated shell mode allows unauthenticated attackers to abuse the honeypot as an amplification vector for HTTP-based denial-of-service attacks against arbitrary third-party hosts. ### Details When Cowrie operates in emulated shell mode (the default configuration), it basically emulates common Linux commands. The `wget` and `curl` command emulations actually perform real outbound HTTP requests to the destinations specified by the attacker, as this functionality is intended to allow Cowrie to save downloaded files for later inspection. An attacker who connects to the honeypot via SSH or Telnet can repeatedly invoke these commands targeting a victim host. Since there was no rate limiting mechanism in place, the attacker could generate unlimited outbound HTTP traffic toward the victim. The requests originate from the honeypot's IP address, effectively masking the attacker's identity and turning the honeypot into...