Adeadfed

**Name of the Vulnerable Software and Affected Versions** zola versions 0.13.0 through 0.17.2 **Description** An issue was discovered in the custom implementation of a web server, available via the "zola serve" command, which allows directory traversal. The `handle request` function, used by the server to process HTTP requests, does not account for sequences of special path control characters (`../`) in the URL when serving a file, allowing one to escape the webroot of the server and read arbitrary files from the filesystem. **Recommendations** For zola versions 0.13.0 through 0.17.2, consider disabling the `handle request` function or restricting access to the web server until a patch is available. As a temporary workaround, avoid using the "zola serve" command to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** pipreqs versions 0.3.0 through 0.4.11 **Description** A dependency confusion in pipreqs allows attackers to execute arbitrary code via uploading a crafted PyPI package to the chosen repository server. **Recommendations** For pipreqs versions 0.3.0 through 0.4.11, consider updating to a version outside of this range to mitigate the risk of arbitrary code execution. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** NopCommerce versions 4.10 through 4.50.1 **Description** The issue allows remote attackers to conduct phishing attacks by redirecting users to attacker-controlled web sites via the `returnUrl` parameter. This parameter is processed by several functions, including the `ChangePassword` function, `SignInCustomerAsync` function, `SuccessfulAuthentication` method, or the `NopRedirectResultExecutor` class. **Recommendations** For NopCommerce versions 4.10 through 4.50.1, consider disabling the `returnUrl` parameter in the affected functions until a patch is available. Restrict access to the `ChangePassword` function, `SignInCustomerAsync` function, `SuccessfulAuthentication` method, and the `NopRedirectResultExecutor` class to minimize the risk of exploitation. Avoid using the `returnUrl` parameter in the affected API endpoints until the issue is resolved.