Arashimuo

Name of the Vulnerable Software and Affected Versions: eosphoros-ai db-gpt versions up to 0.7.2 Description: A critical issue has been found, affecting the `import flow` function of the file `/api/v2/serve/awel/flow/import`. The manipulation of the `File` argument leads to path traversal, allowing for remote attacks. Recommendations: For versions up to 0.7.2, consider disabling the `import flow` function as a temporary workaround until a patch is available. Restrict access to the `/api/v2/serve/awel/flow/import` endpoint to minimize the risk of exploitation. Avoid using the `File` argument in the affected API endpoint until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: PySpur-Dev pyspur versions up to 0.1.18 Description: A critical issue was found in the function `SingleLLMCallNode` of the file `backend/pyspur/nodes/llm/single llm call.py` of the component Jinja2 Template Handler. The manipulation of the argument `user message` leads to improper neutralization of special elements used in a template engine. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Recommendations: For PySpur-Dev pyspur versions up to 0.1.18, as a temporary workaround, consider disabling the `SingleLLMCallNode` function until a patch is available. Restrict access to the Jinja2 Template Handler to minimize the risk of exploitation. Avoid using the argument `user message` in the affected template engine until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenBMB XAgent versions up to 1.0.0 **Description** A critical issue has been found in OpenBMB XAgent, affecting an unknown functionality of the file /conv/community, which leads to path traversal. The exploit has been disclosed to the public and may be used. **Recommendations** For OpenBMB XAgent versions up to 1.0.0, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** xataio Xata Agent versions up to 0.3.0 **Description** A path traversal issue has been identified, affecting the `GET` function of the file `apps/dbagent/src/app/api/evals/route.ts`. The manipulation of the argument passed leads to this issue. **Recommendations** For xataio Xata Agent versions up to 0.3.0, upgrade to version 0.3.1 to address this issue.

**Name of the Vulnerable Software and Affected Versions** xlang-ai OpenAgents versions up to ff2e46440699af1324eb25655b622c4a131265bb **Description** A critical issue was found in the `create upload file` function of the `backend/api/file.py` file, leading to path traversal. The exploit has been disclosed to the public and may be used. The product uses continuous delivery with rolling releases, and therefore, no version details of affected or updated releases are available. **Recommendations** As a temporary workaround, consider disabling the `create upload file` function until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TransformerOptimus SuperAGI versions up to 0.0.14 **Description** A critical issue was found in the EmailToolKit component, specifically in the `download attachment` function of the file SuperAGI/superagi/helper/read email.py. The manipulation of the `filename` argument leads to path traversal. The issue has been publicly disclosed and may be exploited. **Recommendations** For TransformerOptimus SuperAGI versions up to 0.0.14, consider disabling the `download attachment` function as a temporary workaround until a patch is available. Restrict access to the EmailToolKit component to minimize the risk of exploitation. Avoid using the `filename` argument in the affected function until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** frdel Agent-Zero versions up to 0.8.4 **Description** A path traversal issue affects the `image get` function in the `/python/api/image get.py` file, caused by the manipulation of the `path` argument. **Recommendations** For frdel Agent-Zero versions up to 0.8.4, upgrade to version 0.8.4.1 to address this issue. As a temporary workaround, consider restricting access to the `image get` function until the upgrade is applied.