Adeadfed

**Name of the Vulnerable Software and Affected Versions** zola versions 0.13.0 through 0.17.2 **Description** An issue was discovered in the custom implementation of a web server, available via the "zola serve" command, which allows directory traversal. The `handle request` function, used by the server to process HTTP requests, does not account for sequences of special path control characters (`../`) in the URL when serving a file, allowing one to escape the webroot of the server and read arbitrary files from the filesystem. **Recommendations** For zola versions 0.13.0 through 0.17.2, consider disabling the `handle request` function or restricting access to the web server until a patch is available. As a temporary workaround, avoid using the "zola serve" command to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** pipreqs versions 0.3.0 through 0.4.11 **Description** A dependency confusion in pipreqs allows attackers to execute arbitrary code via uploading a crafted PyPI package to the chosen repository server. **Recommendations** For pipreqs versions 0.3.0 through 0.4.11, consider updating to a version outside of this range to mitigate the risk of arbitrary code execution. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Nome do software vulnerável e versões afetadas** Versões do NopCommerce 4.10 a 4.50.1 **Descrição** A vulnerabilidade permite que invasores remotos realizem ataques de phishing redirecionando usuários para sites controlados por eles por meio do parâmetro `returnUrl`. Esse parâmetro é processado por várias funções, incluindo a função `ChangePassword`, a função `SignInCustomerAsync`, o método `SuccessfulAuthentication` ou a classe `NopRedirectResultExecutor`. **Recomendações** Para as versões 4.10 a 4.50.1 do NopCommerce, considere desativar o parâmetro `returnUrl` nas funções afetadas até que uma correção esteja disponível. Restrinja o acesso à função `ChangePassword`, à função `SignInCustomerAsync`, ao método `SuccessfulAuthentication` e à classe `NopRedirectResultExecutor` para minimizar o risco de exploração. Evite usar o parâmetro `returnUrl` nos pontos de extremidade da API afetados até que o problema seja resolvido.