Security Headlines: Latest CVEs (tag #vulnerability)
GHSA-9gvj-pp9x-gcfr: Picklescan has pickle parsing logic flaw that leads to malicious pickle file bypass

### Details

There is a parsing logic error in picklescan and modelscan when handling the `STACK_GLOBAL` opcode. When `_list_globals` encounters `STACK_GLOBAL` at position `n`, it is expected to track the two preceding arguments, but it scans the wrong range: the loop only considers positions `1` to `n-1` and forgets the opcode at position `0`. The correct range is `0` to `n-1`. An attacker can place an argument at position `0`, so the parser tracks only one argument, and the exception at https://github.com/mmaitre314/picklescan/blob/2a8383cfeb4158567f9770d86597300c9e508d0f/src/picklescan/scanner.py#L281 is raised. This results in a detection bypass, because the malicious pickle file triggers an unexpected exception instead of being flagged.

Example:

```
 0: S    STRING     'os'      --> arg 0: STRING (untracked argument due to wrong scanning range)
 6: S    STRING     'system'  --> arg 1: STRING (tracked argument)
16: \x93 STACK_GLOBAL
17: S    STRING     'ls'
23: \x85 TUPLE1
24: R    RE...
```

GHSA-pwh4-6r3m-j2rf: PyLoad vulnerable to SQL Injection via API /json/add_package in add_links parameter

### Summary

The `add_links` parameter of the API endpoint /json/add_package is vulnerable to SQL injection. SQL injection vulnerabilities can lead to sensitive data leakage.

### Details

- Affected file: https://github.com/pyload/pyload/blob/develop/src/pyload/core/database/file_database.py#L271
- Affected code:

```python
@style.queue
def update_link_info(self, data):
    """
    data is list of tuples (name, size, status, url)
    """
    self.c.executemany(
        "UPDATE links SET name=?, size=?, status=? WHERE url=? AND status IN (1,2,3,14)",
        data,
    )
    ids = []
    # user-controlled URLs are joined into a string and interpolated into the query
    statuses = "','".join(x[3] for x in data)
    self.c.execute(f"SELECT id FROM links WHERE url IN ('{statuses}')")
    for r in self.c:
        ids.append(int(r[0]))
    return ids
```

`statuses` is constructed from `data`, and `data` is the value of the `add_links` parameter entered by the user through /json/add_package. Because `{statuses}` is directly spliced into th...

GHSA-jhmr-57cj-q6g9: Komari vulnerable to 2FA Authentication Bypass

### Summary

A logic error in the 2FA verification condition allows bypass of two-factor authentication.

### Details

https://github.com/komari-monitor/komari/blob/bd5a6934e1b79a12cf1e6a9bba5372d0e04f3abc/api/login.go#L55

There is no way for `Verify2Fa` to return an error **and** `ok == true` at the same time, so any code is considered valid.

### PoC

Use any 6 digits as the 2FA code.

### Impact

Bypass of 2FA authentication.

GHSA-q355-h244-969h: Komari vulnerable to Cross-site WebSocket Hijacking

### Summary

The WebSocket upgrader has origin checking disabled, enabling Cross-Site WebSocket Hijacking (CSWSH) attacks against authenticated users.

### Details

https://github.com/komari-monitor/komari/blob/bd5a6934e1b79a12cf1e6a9bba5372d0e04f3abc/api/terminal.go#L33-L35

Any third-party website can send requests to the terminal WebSocket endpoint with the browser's cookies, resulting in remote code execution.

### PoC

1. Log in to your Komari instance.
2. Host the following HTML code on the internet, replacing `<komari-addr>` and `<target-uuid>` with yours.
3. Visit the HTML page; you will see your node executing `uptime` without any action on your part.

```
<pre></pre>
<script>
const socket = new WebSocket("wss://<komari-addr>/api/admin/client/<target-uuid>/terminal");
socket.addEventListener("open", (event) => {
  const binaryBlob = new Blob(['uptime\n'], { type: 'application/octet-stream' });
  socket.send(binaryBlob);
});
socket.addEventListener("message", (event) => {
  event.data.text().then(x ...
```

GHSA-xcxh-6cv4-q8p8: HFS user adding a "web link" in HFS is vulnerable to "target=_blank" exploit

### Summary

When a "web link" is added to the HFS virtual filesystem, the frontend opens it with `target="_blank"` but without the `rel="noopener noreferrer"` attribute. This allows the opened page to use the `window.opener` property to change the location of the original HFS tab.

### Details

While most modern browsers already mitigate this `target="_blank"` issue at the browser level, users on outdated browsers remain vulnerable. If an admin of the HFS instance adds a link to an external third-party service (one they believe is safe at the time) and that service is later compromised, the malicious page could replace the original HFS tab's content with a phishing page. This does not require the admin account itself to be compromised, only that a legitimately linked site turns malicious.

### Impact

Affected users (people using old browsers without the browser-level fix) could be misled into entering their HFS credentials or other sensit...

GHSA-qx2v-8332-m4fv: slab allows out-of-bounds access in `get_disjoint_mut` due to incorrect bounds check

### Impact

The `get_disjoint_mut` method in slab v0.4.10 incorrectly checked whether indices were within the slab's capacity instead of its length, allowing access to uninitialized memory. This could lead to undefined behavior or potential crashes.

### Patches

This has been fixed in slab v0.4.11.

### Workarounds

Avoid using `get_disjoint_mut` with indices that might be beyond the slab's actual length, or upgrade to v0.4.11 or later.

### References

- https://github.com/tokio-rs/slab/pull/152

GHSA-vc77-c2hx-h5x2: Mattermost Confluence Plugin has Improper Check for Unusual or Exceptional Conditions

Mattermost Confluence Plugin versions < 1.5.0 fail to handle unexpected request bodies, allowing attackers to crash the plugin via constant hits to the update channel subscription endpoint with an invalid request body.

GHSA-42m6-5vm7-fjv2: Mattermost Confluence Plugin has Missing Authorization vulnerability

Mattermost Confluence Plugin versions < 1.5.0 fail to check user access to the channel, allowing attackers to get channel subscription details without proper access to the channel via API call to the GET autocomplete/GetChannelSubscriptions endpoint.

GHSA-gjpm-6w34-ppvf: Mattermost Confluence Plugin has Improper Check for Unusual or Exceptional Conditions

Mattermost Confluence Plugin versions < 1.5.0 fail to handle unexpected request bodies, allowing attackers to crash the plugin via constant hits to the server webhook endpoint with an invalid request body.

GHSA-w92j-c6gr-hj8r: Mattermost Confluence Plugin has Improper Check for Unusual or Exceptional Conditions

Mattermost Confluence Plugin versions < 1.5.0 fail to handle unexpected request bodies, allowing attackers to crash the plugin via constant hits to the server webhook endpoint with an invalid request body.