Bingyu Li

**Name of the Vulnerable Software and Affected Versions** Gorush version 1.18.4 **Description** An issue in the `RunHTTPServer` function allows attackers to intercept and manipulate data due to the use of a deprecated TLS version. **Recommendations** For Gorush version 1.18.4, consider updating to a version that uses a non-deprecated TLS version to prevent data interception and manipulation. As a temporary workaround, consider restricting access to the `RunHTTPServer` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** goframe version 2.7.2 **Description** The issue allows attackers to execute a man-in-the-middle attack due to the software being configured to skip TLS certificate verification via the gclient component. **Recommendations** For goframe version 2.7.2, consider enabling TLS certificate verification to prevent man-in-the-middle attacks. As a temporary workaround, restrict access to the gclient component until a patch is available.

**Name of the Vulnerable Software and Affected Versions** litestream version 0.3.13 **Description** An issue was discovered where the usage of the `ssh.InsecureIgnoreHostKey()` function disables host key verification. This could possibly allow attackers to obtain sensitive information via a man-in-the-middle attack. **Recommendations** For litestream version 0.3.13, consider disabling the use of `ssh.InsecureIgnoreHostKey()` to re-enable host key verification until a patch is available. Restrict access to sensitive information to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** filestash version 0.4 **Description** The issue is related to the ShareProofVerifier function in filestash, which skips the TLS certificate verification process when sending out email verification codes. This could allow attackers to access sensitive data via a man-in-the-middle attack. **Recommendations** For filestash version 0.4, consider disabling the ShareProofVerifier function until a patch is available to enforce TLS certificate verification. Restrict access to sensitive data to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** filestash version 0.4 **Description** An issue was discovered where the usage of the ssh.InsecureIgnoreHostKey() function disables host key verification. This could possibly allow attackers to obtain sensitive information via a man-in-the-middle attack. **Recommendations** For filestash version 0.4, consider disabling the use of ssh.InsecureIgnoreHostKey() to re-enable host key verification until a patch is available. Restrict access to sensitive information to minimize the risk of exploitation.