Drone

**Name of the Vulnerable Software and Affected Versions** Gitlist versions prior to 0.5.0 **Description** The issue allows remote attackers to execute arbitrary commands via shell metacharacters in the file name in the URI of a request for a blame, file, or stats page. This can be demonstrated by requests to endpoints such as "blame/master/", "master/", and "stats/master/". **Recommendations** For Gitlist versions prior to 0.5.0, update to version 0.5.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the blame, file, and stats pages until the update is applied. Avoid using shell metacharacters in file names in the URI of requests to these pages.

**Name of the Vulnerable Software and Affected Versions** IBM Tealeaf CX versions 7.x, 8.x through 8.6, 8.7 before FP2, 8.8 before FP2 **Description** The issue allows remote authenticated users to execute arbitrary commands. This is achieved by using shell metacharacters in the `testconn host` parameter of the delivery.php file in the Passive Capture Application (PCA) web console. **Recommendations** For versions 7.x, update to a version outside of the affected range. For versions 8.x through 8.6, update to version 8.7 FP2 or later. For versions 8.7 before FP2, update to version 8.7 FP2 or later. For versions 8.8 before FP2, update to version 8.8 FP2 or later. As a temporary workaround, consider restricting access to the `delivery.php` file or avoiding the use of shell metacharacters in the `testconn host` parameter until a patch is available.