Critical Vulnerability Information

1. Result File Path Normalization
Issue: The API does not check whether an uploaded result file path is absolute or contains any '..' components.
Impact: This issue is not believed to be exploitable in practice: some S3 servers (such as MinIO and Ceph) reject '..' in object keys, and the proxies crash when downloading files with absolute paths.
Fix: Thorium now validates result file paths and rejects any absolute path, as well as any path containing a component composed solely of '.' characters (which covers both '.' and '..').

2. LDAP Injection
Issue: Thorium does not escape user-controlled strings before sending them to LDAP.
Impact: An attacker who can add tuples to groups can inject into the LDAP queries Thorium builds. Executing this attack requires permission to modify group permissions, so it is limited to users who already hold that role.
Fix: Thorium now properly escapes user-controlled strings before they are sent to LDAP.

3. Spam Verification Emails For Unverified Users
Issue: Thorium does not limit how often a verification email can be resent to an unverified user.
Impact: An attacker who knows the usernames of unverified users can flood those users with verification emails.
Fix: Administrators can now configure a rate limit; by default, a verification email can be resent at most once every 10 minutes.

4. Token Not Rotated When Resetting Passwords
Issue: When a user's password is updated, Thorium generates a new token but does not save it, so the previously issued token remains valid.
Impact: A user who changes their password because the password or token was leaked cannot actually revoke the earlier access: the old token still authenticates.
Fix: Thorium now saves the new token when a password is updated, which invalidates the previous one.

5. Disabled TLS Verification To Elasticsearch
Issue: Thorium provides no way to configure how the certificate presented by Elasticsearch is verified and, by default, does not verify it at all.
Impact: Without certificate verification, an attacker positioned on the network between Thorium and Elasticsearch can impersonate the Elasticsearch server.
Fix: Certificate verification for the Elasticsearch connection is now configurable.

6. Divide By Zero When Getting Streams
Issue: If a user sets the split value to 0 when retrieving streams, the request crashes with a division-by-zero error.
Fix: The split parameter now has type NonZeroU64 instead of u64, so a value of 0 is rejected before any division takes place.
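The check described under item 1, written out as an added example. This is not Thorium's own code: the function names, the per-sample prefix and the sample paths are assumptions made for the illustration. Components are taken by splitting on '/', the separator used in object-store keys, rather than through std::path::Path, because Path::components() silently drops interior "." components and the check is meant to reject them.

```rust
/// Validate an uploaded result-file path the way the fix describes: the path
/// must be relative, and no path component may consist solely of '.' characters
/// (this covers ".", ".." and odd variants such as "..."). Splitting on '/'
/// keeps "a/./b" visible, which std::path::Path would normalize away.
pub fn validate_result_path(raw: &str) -> Result<(), String> {
    if raw.starts_with('/') {
        return Err(format!("absolute path rejected: {raw:?}"));
    }
    for component in raw.split('/') {
        if !component.is_empty() && component.chars().all(|c| c == '.') {
            return Err(format!("component {component:?} rejected in {raw:?}"));
        }
    }
    Ok(())
}

/// Hypothetical storage helper (an assumption, not Thorium's API): place a
/// validated result path under the per-sample prefix it belongs to. Validation
/// runs before the join, so a traversal attempt never reaches the object store.
pub fn result_object_key(sample_prefix: &str, raw: &str) -> Result<String, String> {
    validate_result_path(raw)?;
    Ok(format!("{}/{}", sample_prefix.trim_end_matches('/'), raw))
}

fn main() {
    // Constructed sample paths: one benign, three that must be rejected.
    for p in ["out/report.json", "/etc/passwd", "../other-sample/secret", "out/./report.json"] {
        println!("{p:?} -> {:?}", result_object_key("results/sample-1", p));
    }
}
```

A component that merely starts with a dot (".hidden") is still accepted; only components made entirely of dots are refused. If a deployment also accepts backslashes as separators, split on both characters before applying the same test.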
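For item 2, an added example of the escaping the fix describes, placed beside the unescaped form so the injection is visible. This is not Thorium's code; the filter shape `(&(cn=<group>)(member=<user>))` and the function names are assumptions. The escaping follows RFC 4515, which is the rule for values inside an LDAP search filter.

```rust
/// Escape a user-controlled value for use inside an LDAP search filter
/// (RFC 4515 section 3): backslash, '*', '(', ')' and NUL become "\XX" hex
/// escapes; every other character passes through unchanged.
pub fn escape_ldap_filter_value(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    for c in input.chars() {
        match c {
            '\\' => out.push_str("\\5c"),
            '*' => out.push_str("\\2a"),
            '(' => out.push_str("\\28"),
            ')' => out.push_str("\\29"),
            '\0' => out.push_str("\\00"),
            _ => out.push(c),
        }
    }
    out
}

/// Vulnerable form: user-controlled strings are interpolated verbatim, so a
/// crafted username closes the member clause and appends its own clause.
pub fn member_filter_unescaped(group: &str, user: &str) -> String {
    format!("(&(cn={group})(member={user}))")
}

/// Fixed form: every user-controlled value is escaped before interpolation.
pub fn member_filter(group: &str, user: &str) -> String {
    format!(
        "(&(cn={})(member={}))",
        escape_ldap_filter_value(group),
        escape_ldap_filter_value(user)
    )
}

fn main() {
    // Constructed injection payload: closes the member clause and adds a
    // clause that matches every entry.
    let payload = "*)(objectClass=*";
    println!("unescaped: {}", member_filter_unescaped("analysts", payload));
    println!("escaped:   {}", member_filter("analysts", payload));
}
```

Note that this escaping is specific to filter values. A value that ends up inside a distinguished name (for example a member DN being added to a group entry) needs RFC 4514 DN escaping instead, which protects a different character set (',', '+', '"', '\\', '<', '>', ';', a leading '#' or space, and a trailing space). Applying the filter rule to a DN, or vice versa, leaves the injection open.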
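For item 3, an added example of a per-account resend limiter with the fix's 10-minute default and an administrator-set override. This is not Thorium's implementation: the type, its in-memory map and the seconds-based clock are assumptions chosen so the logic is deterministic; a server would pass the current Unix time and would keep the last-sent timestamps in shared storage rather than a process-local map.

```rust
use std::collections::HashMap;

/// Per-account limiter for verification-email resends. `min_interval_secs`
/// is the administrator-configured value; `Default` uses the 10-minute
/// setting the fix ships with.
pub struct ResendLimiter {
    min_interval_secs: u64,
    last_sent: HashMap<String, u64>,
}

impl Default for ResendLimiter {
    fn default() -> Self {
        ResendLimiter::new(10 * 60)
    }
}

impl ResendLimiter {
    pub fn new(min_interval_secs: u64) -> Self {
        ResendLimiter { min_interval_secs, last_sent: HashMap::new() }
    }

    /// Decide whether a verification email may be sent to `username` now.
    /// The key is the account that would receive the mail, not the caller,
    /// because the attack only needs a victim's username. Returns
    /// Err(seconds to wait) when the request is rate limited, and records the
    /// send time when it is allowed.
    pub fn try_resend(&mut self, username: &str, now_secs: u64) -> Result<(), u64> {
        if let Some(&last) = self.last_sent.get(username) {
            let elapsed = now_secs.saturating_sub(last);
            if elapsed < self.min_interval_secs {
                return Err(self.min_interval_secs - elapsed);
            }
        }
        self.last_sent.insert(username.to_string(), now_secs);
        Ok(())
    }
}

fn main() {
    // Constructed request timeline: three resend attempts against one account.
    let mut limiter = ResendLimiter::default();
    for now in [1_000, 1_100, 1_600] {
        println!("t={now}: {:?}", limiter.try_resend("alice", now));
    }
}
```

Keying on the target account is the important choice: limiting by requester IP alone would not stop an attacker who spreads requests across addresses, and limiting by requester session does not apply to a flow that unverified users reach without logging in.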
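For item 4, an added example showing the defect and the fix side by side: a password update that generates a token but never writes it back, next to one that persists it. This is not Thorium's code; the user store, the counter-based token source and the placeholder password hash are assumptions made so the behaviour can be observed without a database, a KDF or a CSPRNG.

```rust
use std::collections::HashMap;

/// Minimal user record for the example. A real record holds a password hash
/// from a memory-hard KDF and a token from a CSPRNG; both are stand-ins here.
pub struct User {
    pub password_hash: String,
    pub token: String,
}

pub struct UserStore {
    users: HashMap<String, User>,
    counter: u64, // deterministic token source for the example only
}

impl UserStore {
    pub fn new() -> Self {
        UserStore { users: HashMap::new(), counter: 0 }
    }

    pub fn add_user(&mut self, username: &str, password_hash: &str, token: &str) {
        self.users.insert(
            username.to_string(),
            User { password_hash: password_hash.to_string(), token: token.to_string() },
        );
    }

    fn new_token(&mut self) -> String {
        self.counter += 1;
        format!("tok-{}", self.counter)
    }

    /// The behaviour the advisory describes: a fresh token is generated and
    /// returned, but the stored record is never updated, so the old token
    /// keeps authenticating after the password change.
    pub fn update_password_buggy(&mut self, username: &str, new_hash: &str) -> Option<String> {
        let token = self.new_token();
        let user = self.users.get_mut(username)?;
        user.password_hash = new_hash.to_string();
        Some(token) // user.token is left untouched
    }

    /// The fixed behaviour: the new token is written back in the same step as
    /// the password change, which revokes the previous token.
    pub fn update_password(&mut self, username: &str, new_hash: &str) -> Option<String> {
        let token = self.new_token();
        let user = self.users.get_mut(username)?;
        user.password_hash = new_hash.to_string();
        user.token = token.clone();
        Some(token)
    }

    /// Token check as an API layer would perform it. Production code should
    /// compare with a constant-time routine; plain equality is used here.
    pub fn authenticate(&self, username: &str, token: &str) -> bool {
        self.users.get(username).map_or(false, |u| u.token == token)
    }
}

fn main() {
    let mut store = UserStore::new();
    store.add_user("alice", "hash-old", "tok-old"); // constructed sample account
    store.update_password_buggy("alice", "hash-new");
    println!("after buggy update, old token valid: {}", store.authenticate("alice", "tok-old"));
    store.update_password("alice", "hash-newer");
    println!("after fixed update, old token valid: {}", store.authenticate("alice", "tok-old"));
}
```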
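For item 6, an added example of the NonZeroU64 approach: the zero value is rejected where the request parameter is parsed, so the arithmetic that follows can divide without a runtime check. The chunking function and the parse helper are assumptions for the illustration, not Thorium's stream code.

```rust
use std::num::NonZeroU64;

/// Split a stream of `len` items into `split` half-open (start, end) ranges,
/// distributing the remainder over the first chunks. `split` cannot be zero by
/// construction, so the division below cannot panic.
pub fn stream_chunks(len: u64, split: NonZeroU64) -> Vec<(u64, u64)> {
    let n = split.get();
    let base = len / n;
    let remainder = len % n;
    let mut chunks = Vec::with_capacity(n as usize);
    let mut start = 0;
    for i in 0..n {
        let size = base + if i < remainder { 1 } else { 0 };
        chunks.push((start, start + size));
        start += size;
    }
    chunks
}

/// Request-boundary parse: a raw query value becomes a NonZeroU64 or an error
/// the handler can turn into a 400 response. A value of "0" fails here, before
/// any stream is touched.
pub fn parse_split(raw: &str) -> Result<NonZeroU64, String> {
    let value: u64 = raw
        .trim()
        .parse()
        .map_err(|_| format!("split must be a positive integer, got {raw:?}"))?;
    NonZeroU64::new(value).ok_or_else(|| "split must be at least 1".to_string())
}

fn main() {
    // Constructed query values: one rejected, one accepted.
    for raw in ["0", "4"] {
        match parse_split(raw) {
            Ok(split) => println!("split={raw}: {:?}", stream_chunks(10, split)),
            Err(e) => println!("split={raw}: rejected ({e})"),
        }
    }
}
```

The same guarantee carries through deserialization: serde's Deserialize impl for NonZeroU64 returns an error on 0, so a request struct with a `split: NonZeroU64` field rejects the bad value before the handler body runs.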