Anzuukino

**Name of the Vulnerable Software and Affected Versions** RAGFlow versions prior to 0.24.1 **Description** A Server-Side Template Injection (SSTI) exists in the prompt generator located in `rag/prompts/generator.py`. This issue allows authenticated users to execute arbitrary operating system commands on the server. An attacker can trigger this by registering a normal account and creating a Canvas workflow utilizing a DuckDuckGo and LLM component chain. SSTI is a vulnerability where an attacker can inject malicious code into a template, which is then executed by the server's template engine. **Recommendations** Update to a version later than 0.24.0.

**Name of the Vulnerable Software and Affected Versions** Drupal versions 8.0.0 through 10.4.9 Drupal versions 10.5.0 through 10.5.6 Drupal versions 11.0.0 through 11.1.9 Drupal versions 11.2.0 through 11.2.7 **Description** Drupal core contains an improperly controlled modification of dynamically-determined object attributes, leading to Object Injection. This allows for potential manipulation of objects within the system. **Recommendations** Update Drupal core to version 10.4.9 or later. Update Drupal core to version 10.5.6 or later. Update Drupal core to version 11.1.9 or later. Update Drupal core to version 11.2.8 or later.

**Name of the Vulnerable Software and Affected Versions** Drupal core versions 8.0.0 through 10.3.12 Drupal core versions 10.4.0 through 10.4.2 Drupal core versions 11.0.0 through 11.0.11 Drupal core versions 11.1.0 through 11.1.2 **Description** The issue is related to an Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability, which allows Object Injection in Drupal core. **Recommendations** For versions 8.0.0 through 10.3.12, update to version 10.3.13 or later. For versions 10.4.0 through 10.4.2, update to version 10.4.3 or later. For versions 11.0.0 through 11.0.11, update to version 11.0.12 or later. For versions 11.1.0 through 11.1.2, update to version 11.1.3 or later.