Boy-Hack

#17539 of 53,619
15.3 Total CVSS
Vulnerabilities · 2 (Medium: 1, High: 1)
PT-2024-17824
6.5
2024-12-26
Comfy Mtb · Comfy Mtb · CVE-2024-12952
**Name of the Vulnerable Software and Affected Versions**

melMass comfy mtb versions up to 0.1.4

**Description**

A critical vulnerability was found in the Dependency Handler component, specifically in the `run command` function of the file `comfy mtb/endpoint.py`. This vulnerability leads to code injection and can be exploited remotely. The exploit has been disclosed to the public.

**Recommendations**

For melMass comfy mtb versions up to 0.1.4, apply the patch named d6e004cce2c32f8e48b868e66b89f82da4887dc3 to fix this issue. As a temporary workaround, consider disabling the `run command` function until the patch is applied. Restrict access to the vulnerable `comfy mtb/endpoint.py` file to minimize the risk of exploitation.
PT-2018-12446
8.8
2018-07-17
Xiaocms · Xiaocms X1 · CVE-2018-14331
**Name of the Vulnerable Software and Affected Versions**

XiaoCms X1 version v20140305

**Description**

An issue was discovered that allows for a CSRF vulnerability, enabling an attacker to change the administrator account password via the "admin/index.php?c=index&a=my" API endpoint.

**Recommendations**

For XiaoCms X1 version v20140305, consider implementing CSRF protection mechanisms to prevent unauthorized password changes. As a temporary workaround, restrict access to the "admin/index.php?c=index&a=my" endpoint until a patch is available.