Vulnerabilidades

Se ha detectado una vulnerabilidad de seguridad en Alixhan xh-admin-backend hasta la versión 1.7.0. Este problema afecta a un procesamiento desconocido del archivo /frontend-api/system-service/api/system/role/query del componente Manejador de Consultas de Base de Datos. Dicha manipulación del argumento prop conduce a una inyección SQL. Es posible lanzar el ataque de forma remota. El exploit ha sido divulgado públicamente y puede ser utilizado. Se contactó pronto con el proveedor sobre esta divulgación pero no respondió de ninguna manera.

*** Pendiente de traducción *** Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory` generates an HTML directory index where each file entry is rendered as a clickable link. If a file exists on disk whose basename starts with the `javascript:` scheme (e.g. `javascript:alert(1)`), the generated index contains an anchor whose `href` is exactly `javascript:alert(1)`. Clicking the entry executes JavaScript in the browser (demonstrated with `alert(1)`). Versions 2.2.22, 3.1.20, and 3.2.5 fix the issue.

Se ha identificado una debilidad en FascinatedBox lily hasta la versión 2.3. Esta vulnerabilidad afecta la función count_transforms del archivo src/lily_emitter.c. Esta manipulación causa una lectura fuera de límites. El ataque solo puede ejecutarse localmente. El exploit se ha puesto a disposición del público y podría usarse para ataques. El proyecto fue informado del problema tempranamente a través de un informe de problema, pero aún no ha respondido.

Se ha descubierto una falla de seguridad en Squirrel hasta 3.2. Esto afecta a la función SQObjectPtr::operator en la biblioteca squirrel/sqobject.h. Su manipulación resulta en un desbordamiento de búfer basado en montículo. El ataque necesita ser abordado localmente. El exploit ha sido liberado al público y puede ser utilizado para ataques. Se informó pronto al proyecto del problema a través de un informe de incidencias, pero no ha respondido aún.

*** Pendiente de traducción *** InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. a path traversal vulnerability exists in the `get_file` method of the `Guest` module's `Get` controller in InvoicePlane up to and including through 1.6.3. The vulnerability allows unauthenticated attackers to read arbitrary files on the server by manipulating the input filename. This leads to the disclosure of sensitive information, including configuration files with database credentials. Version 1.6.4 fixes the issue.

*** Pendiente de traducción *** A maliciously crafted CATPART file, when parsed through certain Autodesk products, can force an Out-of-Bounds Write vulnerability. A malicious actor may leverage this vulnerability to cause a crash, cause data corruption, or execute arbitrary code in the context of the current process.

*** Pendiente de traducción *** A maliciously crafted MODEL file, when parsed through certain Autodesk products, can force an Out-of-Bounds Write vulnerability. A malicious actor may leverage this vulnerability to cause a crash, cause data corruption, or execute arbitrary code in the context of the current process.

*** Pendiente de traducción *** A vulnerability was identified in FascinatedBox lily up to 2.3. Affected by this issue is the function shorthash_for_name of the file src/lily_symtab.c. The manipulation leads to use after free. Local access is required to approach this attack. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.

*** Pendiente de traducción *** Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory`’s path check used a string prefix match on the expanded path. A request like `/../root_example/` can escape the configured root if the target path starts with the root string, allowing directory listing outside the intended root. Versions 2.2.22, 3.1.20, and 3.2.5 fix the issue.

*** Pendiente de traducción *** The BSV Blockchain SDK is a unified TypeScript SDK for developing scalable apps on the BSV Blockchain. Prior to version 2.0.0, a cryptographic vulnerability in the TypeScript SDK's BRC-104 authentication implementation caused incorrect signature data preparation, resulting in signature incompatibility between SDK implementations and potential authentication bypass scenarios. The vulnerability was located in the `Peer.ts` file of the TypeScript SDK, specifically in the `processInitialRequest` and `processInitialResponse` methods where signature data is prepared for BRC-104 mutual authentication. The TypeScript SDK incorrectly prepared signature data by concatenating base64-encoded nonce strings (`message.initialNonce + sessionNonce`) then decoding the concatenated base64 string (`base64ToBytes(concatenatedString)`). This produced ~32-34 bytes of signature data instead of the correct 64 bytes. BRC-104 authentication relies on cryptographic signatures to establish mutual trust between peers. When signature data preparation is incorrect, signatures generated by the TypeScript SDK don't match those expected by Go/Python SDKs; cross-implementation authentication fails; and an attacker could potentially exploit this to bypass authentication checks. The fix in version 2.0.0 ensures all SDKs now produce identical cryptographic signatures, restoring proper mutual authentication across implementations.

*** Pendiente de traducción *** PHPGurukul Hospital Management System v4.0 contains a Cross-Site Request Forgery (CSRF) vulnerability in the 'Add Doctor' module. The application fails to enforce CSRF token validation on the add-doctor.php endpoint. This allows remote attackers to create arbitrary Doctor accounts (privileged users) by tricking an authenticated administrator into visiting a malicious page.

*** Pendiente de traducción *** The 'Medical History' module in PHPGurukul Hospital Management System v4.0 contains an Insecure Direct Object Reference (IDOR) vulnerability. The application fails to verify that the requested 'viewid' parameter belongs to the currently authenticated patient. This allows a user to access the confidential medical records of other patients by iterating the 'viewid' integer.