Calum Hutton

**Name of the Vulnerable Software and Affected Versions** OnePlus OxygenOS versions 12 through 15 **Description** A significant security issue affects OnePlus devices running OxygenOS. This flaw allows any installed application to read SMS/MMS data and metadata from the system Telephony provider without requiring user permission, interaction, or consent. The user is not notified that their SMS data is being accessed. This could compromise sensitive information and undermine the security of SMS-based Multi-Factor Authentication (MFA). The root cause is missing write permissions in several content providers (com.android.providers.telephony.PushMessageProvider, com.android.providers.telephony.PushShopProvider, com.android.providers.telephony.ServiceNumberProvider) and a blind SQL injection vulnerability in the `update` method of these providers. The vulnerability allows an attacker to extract SMS messages through boolean queries. The issue was discovered in May 2025 and publicly disclosed in September 2025. While OnePlus acknowledged the issue, a patch was not immediately available, with a rollout planned for mid-October 2025. **Recommendations** Update your device to the latest OxygenOS version as soon as the patch is available, starting mid-October 2025. Remove any untrusted applications from your device. Switch from SMS-based Multi-Factor Authentication (MFA) to an authenticator app. Use encrypted messaging applications instead of SMS for sensitive communications. Consider switching SMS notifications to push notifications.

**Name of the Vulnerable Software and Affected Versions** Apache Zeppelin versions 0.11.1 through 0.11.x **Description** A missing origin validation in WebSockets allows an attacker to access the Zeppelin server from another origin without restriction, potentially exposing internal information about paragraphs. **Recommendations** Upgrade to version 0.12.0.

**Name of the Vulnerable Software and Affected Versions** rsync (affected versions not specified) **Description** A specially crafted client, acting as the receiver during an rsync file transfer, can cause a read error due to accessing memory outside the intended boundaries. This occurs because of a negative array index. The malicious client needs at least read access to the remote rsync module to trigger this issue. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: com scheduler (affected versions not specified) Description: The issue is related to improperly built order clauses, which lead to a SQL injection vulnerability in the backend task list of com scheduler. This vulnerability may allow attackers to inject malicious SQL code, potentially leading to unauthorized access or data manipulation. No information is provided about the estimated number of potentially affected devices worldwide or real-world incidents where this issue was exploited. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SteVe (affected versions not specified) **Description** SteVe is an open platform that implements different versions of the OCPP protocol for Electric Vehicle charge points, acting as a central server for management of registered charge points. Attackers can inject arbitrary HTML and Javascript code via WebSockets, leading to persistent Cross-Site Scripting in the SteVe management interface. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** opencart/opencart versions 0.0.0 through 3.0.3.9 **Description** An SQL Injection issue was identified in the Divido payment extension for OpenCart. As an anonymous unauthenticated user, if the Divido payment module is installed, it is possible to exploit SQL injection to gain unauthorized access to the backend database. This could allow any unauthenticated user to dump the entire OpenCart database, including customer PII data. **Recommendations** For versions 0.0.0 through 3.0.3.9, update the Divido payment extension to a version that includes the fix for the SQL Injection issue. As a temporary workaround, consider disabling the Divido payment module until a patch is available. Restrict access to the backend database to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** opencart/opencart version 4.0.0.0 **Description** A reflected XSS issue was identified in the `filename` parameter of the "admin tool/log" route. An attacker could obtain a user's token by tricking the user to click on a maliciously crafted URL. The user is then prompted to login and redirected again upon authentication with the payload automatically executing. If the attacked user has admin privileges, this vulnerability could be used as the start of a chain of exploits like Zip Slip or arbitrary file write vulnerabilities in the admin functionality. This is only exploitable if the attacker knows the name or path of the admin directory, which is "admin" by default but has a warning to rename it in the dashboard. **Recommendations** As a temporary workaround, consider restricting access to the "admin tool/log" route until a complete fix is available. For version 4.0.0.0, the redirect has been removed, but it is still possible to exploit this issue in admin if the user is authenticated as an admin already, so avoid using the `filename` parameter in the affected route until the issue is fully resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** opencart/opencart version 4.0.0.0 **Description** An Arbitrary File Creation issue was identified via the database restoration functionality. By injecting PHP code into the database, an attacker with admin privileges can create a backup file with an arbitrary filename (including the extension), within /system/storage/backup. It is less likely for the created file to be available within the web root, as part of the security recommendations for the application suggest moving the storage path outside of the web root. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** opencart/opencart versions 4.0.0.0 and later **Description** A Zip Slip issue was identified via the marketplace installer due to improper sanitization of the target path, allowing files within a malicious archive to traverse the filesystem and be extracted to arbitrary locations. An attacker can create arbitrary files in the web root of the application and overwrite other existing files by exploiting this issue. **Recommendations** For versions 4.0.0.0 and later, update the opencart/opencart package to a version that includes the fix for the Zip Slip vulnerability. As a temporary workaround, consider disabling the marketplace installer until a patch is available. Restrict access to the marketplace installer to minimize the risk of exploitation. Avoid using the marketplace installer to install packages from untrusted sources until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** opencart/opencart version 4.0.0.0 **Description** A reflected XSS issue was identified in the `redirect` parameter of the "customer account/login" route. An attacker can inject arbitrary HTML and Javascript into the page response. This issue is present in the account functionality and could be used to target and attack customers of the OpenCart shop. **Recommendations** As a temporary workaround, consider restricting access to the vulnerable `redirect` parameter in the customer account/login route until a complete fix is available. Note: The current fix for this issue is incomplete, so it is essential to monitor for updates and apply a complete fix as soon as it becomes available. At the moment, there is no information about a newer version that contains a complete fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** opencart/opencart versions 4.0.0.0 through 4.1.0.0 **Description** A reflected XSS issue was identified in the `directory` parameter of the admin common/filemanager.list route. An attacker could obtain a user's token by tricking the user to click on a maliciously crafted URL. The user is then prompted to login and redirected again upon authentication with the payload automatically executing. If the attacked user has admin privileges, this vulnerability could be used as the start of a chain of exploits like Zip Slip or arbitrary file write vulnerabilities in the admin functionality. This is only exploitable if the attacker knows the name or path of the admin directory, which is "admin" by default but has a warning to rename it in the dashboard. **Recommendations** For versions 4.0.0.0 through 4.1.0.0, consider disabling the admin common/filemanager.list route until a complete fix is available. Restrict access to the admin directory to minimize the risk of exploitation. Avoid using the `directory` parameter in the affected route until the issue is resolved. As a temporary workaround, remove the redirect post admin login to prevent an attacker from controlling the redirect. However, note that the fix for this vulnerability is incomplete, and it is still possible to exploit this issue in admin if the user is authenticated as an admin already. At the moment, there is no information about a newer version that contains a complete fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** geokit-rails versions prior to 2.5.0 **Description** The issue is related to Command Injection due to unsafe deserialization of YAML within the `geo location` cookie. This can be exploited remotely via a malicious cookie value, allowing an attacker to execute commands on the host system. **Recommendations** For versions prior to 2.5.0, update to version 2.5.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the `geo location` cookie to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** pydash versions prior to 6.0.0 **Description** The issue affects pydash methods such as `pydash.objects.invoke()` and `pydash.collections.invoke map()`, which accept dotted paths to target nested Python objects. These paths can be used to target internal class attributes and dict items, allowing retrieval, modification, or invocation of nested Python objects. The `pydash.objects.invoke()` method is vulnerable to Command Injection when the source object is not a built-in object and the attacker has control over the path string and the argument to pass to the invoked method. The `pydash.collections.invoke map()` method is also vulnerable but harder to exploit due to limited control over the argument passed to the invoked function. **Recommendations** For versions prior to 6.0.0, consider disabling the `pydash.objects.invoke()` and `pydash.collections.invoke map()` methods until a patch is available. Restrict access to these methods to minimize the risk of exploitation. Avoid using the `path` and `argument` variables in the affected methods until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** celery versions prior to 5.2.2 **Description** The issue affects the package by default trusting messages and metadata stored in backends, which can lead to a stored command injection vulnerability when an attacker gains access to or manipulates the metadata within a celery backend. This could potentially allow the attacker to gain further access to the system. **Recommendations** For versions prior to 5.2.2, update to version 5.2.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the backend to minimize the risk of exploitation. Avoid using the deserialization of task metadata from the backend until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: Bluetooth versions prior to SMR July-2021 Release 1 Description: The issue allows unauthorized access to paired device information due to a SQL injection vulnerability. Recommendations: For versions prior to SMR July-2021 Release 1, update to SMR July-2021 Release 1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Plone versions through 5.2.4 **Description** The issue allows remote authenticated managers to perform disk I/O via crafted keyword arguments to the ReStructuredText transform in a Python script. **Recommendations** For Plone versions through 5.2.4, update to a version later than 5.2.4 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Zope Products.CMFCore versions prior to 2.5.1 Zope Products.PluggableAuthService versions prior to 2.6.2 Plone versions prior to 5.2.4 **Description** The issue allows Reflected XSS. This means an attacker can inject malicious code into a website, which will then be executed by the user's browser. The estimated number of potentially affected devices worldwide is not specified. There is no information about real-world incidents where this issue was exploited. **Recommendations** For Zope Products.CMFCore versions prior to 2.5.1, update to version 2.5.1 or later. For Zope Products.PluggableAuthService versions prior to 2.6.2, update to version 2.6.2 or later. For Plone versions prior to 5.2.4, update to version 5.2.4 or later.

Name of the Vulnerable Software and Affected Versions: Mailman versions prior to 2.1.26 Description: The issue is related to a cross-site scripting (XSS) vulnerability in the web UI. This allows remote attackers to inject arbitrary web script or HTML via a user-options URL. The estimated number of potentially affected devices worldwide is not specified. There is no information provided about real-world incidents where this issue was exploited. Recommendations: For Mailman versions prior to 2.1.26, update to version 2.1.26 or later to resolve the issue. As a temporary workaround, consider restricting access to the web UI to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Supervisor versions prior to 3.0.1 Supervisor versions 3.1.x prior to 3.1.4 Supervisor versions 3.2.x prior to 3.2.4 Supervisor versions 3.3.x prior to 3.3.3 **Description** The XML-RPC server in Supervisor allows remote authenticated users to execute arbitrary commands via a crafted XML-RPC request, related to nested supervisord namespace lookups. This issue is also related to inadequate access control in the XML-RPC component of the Supervisor web server. **Recommendations** For versions prior to 3.0.1, update to version 3.0.1 or later. For versions 3.1.x prior to 3.1.4, update to version 3.1.4 or later. For versions 3.2.x prior to 3.2.4, update to version 3.2.4 or later. For versions 3.3.x prior to 3.3.3, update to version 3.3.3 or later.

**Name of the Vulnerable Software and Affected Versions** WildFly version 10.0.0 Red Hat JBoss Enterprise Application Platform (EAP) versions prior to 7.0.2 **Description** A CRLF injection issue in the Undertow web server allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks. **Recommendations** For WildFly version 10.0.0, update to a version that fixes the CRLF injection vulnerability. For Red Hat JBoss Enterprise Application Platform (EAP) versions prior to 7.0.2, update to version 7.0.2 or later to resolve the issue.