Tag
#vulnerability
In DNN.PLATFORM, a specially crafted request or proxy could be created to bypass the design of the DNN Login IP Filters, allowing login attempts from IP addresses not in the allow list. This vulnerability is fixed in 10.0.1.
In DNN.PLATFORM, a specially crafted request can inject scripts through the Activity Feed Attachments endpoint; the scripts are then rendered in the feed, resulting in a cross-site scripting attack. This vulnerability is fixed in 10.0.1.
In DNN.PLATFORM, specially crafted content in URLs could be used with TokenReplace and was not properly sanitized by some SkinObjects. This vulnerability is fixed in 10.0.1.
Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to sanitize filenames in the archive extractor which allows authenticated users to write files to arbitrary locations on the filesystem via uploading archives with path traversal sequences in filenames, potentially leading to remote code execution. The vulnerability impacts instances where file uploads and document search by content is enabled (FileSettings.EnableFileAttachments = true and FileSettings.ExtractContent = true). These configuration settings are enabled by default.
Velociraptor allows collection of VQL queries, packaged into Artifacts, from endpoints. These artifacts can be used to do anything and usually run with elevated permissions. To limit access to some dangerous artifacts, Velociraptor allows them to require high permissions such as EXECVE to launch. Admin.Client.UpdateClientConfig is an artifact used to update the client's configuration. This artifact did not enforce an additional required permission, allowing users with the COLLECT_CLIENT permission (normally granted by the "Investigator" role) to collect it from endpoints and update the configuration. This can lead to arbitrary command execution and endpoint takeover. To successfully exploit this vulnerability the user must already have access to collect artifacts from the endpoint (i.e. hold the COLLECT_CLIENT permission, typically granted by the "Investigator" role).
Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of CrafterCMS allows authenticated developers to execute OS commands via Groovy Sandbox Bypass. By inserting malicious Groovy elements, an attacker may bypass Sandbox restrictions and obtain RCE (Remote Code Execution). This issue affects CrafterCMS: from 4.0.0 through 4.2.2.
## Impact

Using the `/locales/locale.json` endpoint with the `locale` and `namespace` query parameters, a malicious actor is able to execute arbitrary code without being authenticated. With the ability to execute arbitrary code, this vulnerability can be exploited in an infinite number of ways. It could be used to gain access to the Panel's server, read credentials from the Panel's config (`.env` or otherwise), extract sensitive information from the database (such as user details: username, email, first and last name, hashed password, IP addresses, etc.), access files of servers managed by the Panel, etc.

## Patches

This vulnerability was patched by https://github.com/pterodactyl/panel/commit/24c82b0e335fb5d7a844226b08abf9f176e592f0 and was released under the [`v1.11.11`](https://github.com/pterodactyl/panel/releases/tag/v1.11.11) tag without any other code modifications compared to `v1.11.10`. For those who need to patch their installations in-place or apply it on top of other code modi...
### Impact

_What kind of vulnerability is it? Who is impacted?_

This is an advisory for a **potential polynomial Regular Expression Denial of Service (ReDoS)** vulnerability in the `RegexCriterion` class. This class compiles and evaluates an unvalidated, user-supplied regular expression against the identifier of an `Identifiable` object via `Pattern.compile(regex).matcher(id).find()`.

To trigger **polynomial ReDoS** in `RegexCriterion`, **two attacker-controlled conditions** must be met:

- **Control over the regex input** passed into the constructor:
  - _Example:_ An attacker supplies a malicious pattern such as `(.*a){10000}`.
- **Control or influence over the output of `Identifiable.getId()`**:
  - _Example:_ A long string like `"aaaa...!"` that forces excessive backtracking.

If both conditions are satisfied, a malicious actor can cause **significant CPU exhaustion** through repeated or recursive `filter(...)` calls — especially if performed over large network models or filterin...
### Impact

_What kind of vulnerability is it? Who is impacted?_

This is an advisory for a **potential polynomial Regular Expression Denial of Service (ReDoS)** vulnerability in PowSyBl's DataSource mechanism. When the `listNames(String regex)` method is called on a DataSource, the user-supplied regular expression (which may be unvalidated) is compiled and evaluated against a collection of file-like resource names.

To trigger a **polynomial ReDoS** via this mechanism, **two attacker-controlled conditions** must be met:

- **Control over the regex input** passed into `listNames(String regex)`.
  - _Example:_ An attacker supplies a malicious pattern like `(.*a){10000}`.
- **Control or influence over the file/resource names** being matched.
  - _Example:_ Filenames such as `"aaaa...!"` that induce regex engine backtracking.

If both conditions are satisfied, a malicious actor can cause **significant CPU consumption** due to regex backtracking — even with polynomial patterns. Since bot...
### Impact

_What kind of vulnerability is it? Who is impacted?_

This is a disclosure for a security vulnerability in the `SparseMatrix` class. The vulnerability is a deserialization issue that can lead to a wide range of privilege escalations depending on the circumstances. The problematic area is the `read` method of the `SparseMatrix` class. This method takes in an `InputStream` and returns a `SparseMatrix` object. We consider this to be a method that can be exposed to untrusted input in at least two use cases:

- A user can adopt this method in an application where users can submit an `InputStream` and the application parses it into a `SparseMatrix`. This can be a multi-tenant application that hosts many different users, perhaps with different privilege levels.
- A user adopts the method for a local tool but receives the `InputStream` from external sources.

#### Am I impacted?

You are vulnerable if you import non-controlled serialized `SparseMatrix` objects.

### Patches

com.powsyb...