Wallos
Monthly
Wallos prior to version 4.6.2 contains an authorization bypass allowing authenticated users to delete avatar files belonging to other users due to missing ownership verification on the avatar deletion endpoint. An attacker with valid credentials can enumerate or guess other users' avatar filenames to remove their files. Public exploit code exists for this vulnerability, and a patch is available in version 4.6.2 and later.
Reflected cross-site scripting (XSS) in Wallos password reset functionality before version 4.6.2 allows unauthenticated attackers to inject malicious scripts by manipulating token and email parameters that are output without sanitization. Public exploit code exists for this vulnerability, affecting self-hosted instances of Wallos. A patch is available in version 4.6.2 and later.
Server-side request forgery in Wallos versions before 4.6.2 allows authenticated attackers to conduct arbitrary network requests through the notification tester functionality. An attacker with user privileges can exploit this to access internal services, retrieve sensitive data, or interact with backend systems on behalf of the server. Public exploit code exists for this vulnerability, though a patch is available in version 4.6.2.
Wallos versions prior to 4.6.2 contain a server-side request forgery (SSRF) vulnerability in the webhook notification testing function that fails to restrict requests to private IP ranges, allowing authenticated attackers to read internal server responses. Public exploit code exists for this vulnerability. The vulnerability affects Wallos and has been patched in version 4.6.2.
Path traversal in Wallos subscription tracker versions prior to 4.6.2 allows unauthenticated remote attackers to read arbitrary files from the hosting system via a malicious url parameter. Public exploit code exists for this vulnerability, which has a high severity CVSS score of 7.5. The vulnerability is patched in version 4.6.2 and later.
Wallos versions 4.6.0 and below allow authenticated attackers to perform Server-Side Request Forgery attacks through the logo upload feature by exploiting HTTP redirects that bypass IP validation checks, enabling access to internal resources and cloud metadata endpoints. Public exploit code exists for this vulnerability, and an available patch should be applied immediately to prevent unauthorized disclosure of sensitive configuration and credentials.
Wallos <=2.38.2 has a file upload vulnerability in the restore database function, which allows unauthenticated users to restore database by uploading a ZIP file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Wallos <= 2.38.2 has a file upload vulnerability in the restore backup function, which allows authenticated users to restore backups by uploading a ZIP file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Cross Site Scripting vulnerability in Wallos v.2.41.0 allows a remote attacker to execute arbitrary code via the profile picture function. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Wallos prior to version 4.6.2 contains an authorization bypass allowing authenticated users to delete avatar files belonging to other users due to missing ownership verification on the avatar deletion endpoint. An attacker with valid credentials can enumerate or guess other users' avatar filenames to remove their files. Public exploit code exists for this vulnerability, and a patch is available in version 4.6.2 and later.
Reflected cross-site scripting (XSS) in Wallos password reset functionality before version 4.6.2 allows unauthenticated attackers to inject malicious scripts by manipulating token and email parameters that are output without sanitization. Public exploit code exists for this vulnerability, affecting self-hosted instances of Wallos. A patch is available in version 4.6.2 and later.
Server-side request forgery in Wallos versions before 4.6.2 allows authenticated attackers to conduct arbitrary network requests through the notification tester functionality. An attacker with user privileges can exploit this to access internal services, retrieve sensitive data, or interact with backend systems on behalf of the server. Public exploit code exists for this vulnerability, though a patch is available in version 4.6.2.
Wallos versions prior to 4.6.2 contain a server-side request forgery (SSRF) vulnerability in the webhook notification testing function that fails to restrict requests to private IP ranges, allowing authenticated attackers to read internal server responses. Public exploit code exists for this vulnerability. The vulnerability affects Wallos and has been patched in version 4.6.2.
Path traversal in Wallos subscription tracker versions prior to 4.6.2 allows unauthenticated remote attackers to read arbitrary files from the hosting system via a malicious url parameter. Public exploit code exists for this vulnerability, which has a high severity CVSS score of 7.5. The vulnerability is patched in version 4.6.2 and later.
Wallos versions 4.6.0 and below allow authenticated attackers to perform Server-Side Request Forgery attacks through the logo upload feature by exploiting HTTP redirects that bypass IP validation checks, enabling access to internal resources and cloud metadata endpoints. Public exploit code exists for this vulnerability, and an available patch should be applied immediately to prevent unauthorized disclosure of sensitive configuration and credentials.
Wallos <=2.38.2 has a file upload vulnerability in the restore database function, which allows unauthenticated users to restore database by uploading a ZIP file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Wallos <= 2.38.2 has a file upload vulnerability in the restore backup function, which allows authenticated users to restore backups by uploading a ZIP file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Cross Site Scripting vulnerability in Wallos v.2.41.0 allows a remote attacker to execute arbitrary code via the profile picture function. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.