Kiwi Tcms · Kiwitcms/Kiwi · CVE-2023-30628
**Name of the Vulnerable Software and Affected Versions**
kiwitcms/Kiwi versions 12.2 and prior
kiwitcms/enterprise versions 12.2 and prior
**Description**
The `changelog.yml` workflow in Kiwi TCMS is vulnerable to command injection because it interpolates the untrusted `github.head_ref` field directly into a shell command. `github.head_ref` is the name of the pull request's head branch, so it is attacker-controlled; a branch name such as `zzz";echo${IFS}"hello";#` closes the quoted argument and the rest of it is executed as shell commands on the runner. Because the workflow's permissions are not restricted, the injected commands run with write access to the repository.
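As an added example (not code from Kiwi TCMS or from this advisory), the following Python checks a workflow for the pattern described above: a `${{ ... }}` expression naming an attacker-controlled context inside a `run:` script. The untrusted contexts beyond `github.head_ref` and the two sample workflows are assumptions constructed for the demonstration; the hardened sample shows the usual fix of passing the value through an environment variable and limiting the job token to read access.

```python
import re
# Contexts an external contributor controls (assumed list: github.head_ref is
# the one in the advisory; the others are from GitHub's hardening guidance).
UNTRUSTED_CONTEXTS = ("github.head_ref", "github.event.pull_request.title",
                      "github.event.pull_request.body", "github.event.issue.title",
                      "github.event.comment.body")
EXPR_RE = re.compile(r"\$\{\{\s*([^}]*?)\s*\}\}")
RUN_RE = re.compile(r"(-\s+)?run:\s*(.*)")

def find_unsafe_runs(workflow_text):
    """Return (line_no, context) for each ${{ }} expression naming an untrusted
    context inside a run: script. Shell quoting in the script does not help,
    because the expression is substituted before the shell parses the line."""
    findings, in_run, run_col = [], False, 0
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if in_run and stripped and indent <= run_col:
            in_run = False  # block scalar ended at a sibling key
        m = RUN_RE.match(stripped)
        if m:  # run_col is the column of the "run" key, after any "- " prefix
            in_run, run_col, body = True, indent + len(m.group(1) or ""), m.group(2)
        elif in_run:
            body = stripped
        else:
            continue
        for expr in EXPR_RE.findall(body):
            findings.extend((line_no, c) for c in UNTRUSTED_CONTEXTS if c in expr)
    return findings

# Constructed samples: the vulnerable shape from the advisory, then a hardened
# form where the value reaches the shell only via an env var and the token is read-only.
VULNERABLE = """\
on: pull_request_target
jobs:
  changelog:
    steps:
      - run: |
          git fetch origin "${{ github.head_ref }}"
"""
HARDENED = """\
on: pull_request_target
permissions:
  contents: read
jobs:
  changelog:
    steps:
      - env:
          HEAD_REF: ${{ github.head_ref }}
        run: git fetch origin "$HEAD_REF"
"""
```

`find_unsafe_runs(VULNERABLE)` reports line 6 with `github.head_ref`, while the hardened workflow produces no findings.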
**Recommendations**
For kiwitcms/Kiwi versions 12.2 and prior, update to a version that includes commit 834c86dfd1b2492ccad7ebbfd6304bfec895fed2 to resolve the issue.
For kiwitcms/enterprise versions 12.2 and prior, update to a version that includes commit e39f7e156fdaf6fec09a15ea6f4e8fec8cdbf751 to resolve the issue.
As a temporary workaround, consider restricting access to the `changelog.yml` workflow to minimize the risk of exploitation.