Aarjubh

**Name of the Vulnerable Software and Affected Versions** GLPI versions 11.0.0 through 11.0.5 **Description** An unauthenticated time-based blind SQL injection exists in the Search engine. SQL injection is a flaw that allows an attacker to interfere with the queries that an application makes to its database, potentially allowing them to view or modify data they are not authorized to access. **Recommendations** Update to version 11.0.6.

Name of the Vulnerable Software and Affected Versions Group-Office versions prior to 6.8.156, prior to 25.0.90, and prior to 26.0.12 Description Group-Office is an enterprise customer relationship management and groupware tool. A flaw in the AbstractSettingsCollection model allows for insecure deserialization when loading settings. An authenticated attacker can inject a serialized FileCookieJar object into a setting string, leading to Arbitrary File Write and ultimately Remote Code Execution (RCE) on the server. The vulnerability is triggered through the deserialization of a FileCookieJar object. The `AbstractSettingsCollection` model is the component affected. Recommendations Update to version 6.8.156 or later. Update to version 25.0.90 or later. Update to version 26.0.12 or later.

Name of the Vulnerable Software and Affected Versions Tina versions prior to 2.2.2 Description A path traversal vulnerability exists in @tinacms/graphql, allowing unauthenticated users to write and overwrite arbitrary files within the project root. This is achieved by manipulating the `relativePath` parameter in GraphQL mutations. The impact includes the ability to replace critical server configuration files and potentially execute arbitrary commands by sabotaging build scripts. The vulnerability stems from insufficient path validation in the `getValidatedPath` function, which fails to correctly handle backslashes as directory separators on non-Windows platforms. An attacker can craft a malicious path, such as `x......package.json`, to bypass validation and traverse the file system. The affected code areas include the `assertWithinBase` function in `filesystem.ts` and the `getValidatedPath` function in `resolver/index.ts`. Recommendations Update to version 2.2.2 or later.