Chybeta

**Name of the Vulnerable Software and Affected Versions** Apache Druid (affected versions not specified) **Description** The issue is related to weaknesses in the authorization mechanism of Apache Druid's analytical database. It allows remote attackers to gain unauthorized access to protected information. Specifically, in the Druid ingestion system, the `HTTP InputSource` allows authenticated users to read data from unintended sources, such as the local file system, with the privileges of the Druid server process. This can be problematic when users interact with Druid indirectly through an application that allows users to specify the `HTTP InputSource` but not the `Local InputSource`, enabling them to bypass application-level restrictions by passing a file URL to the `HTTP InputSource`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** BigTree-CMS versions prior to the version containing commit b652cfdc14d0670c81ac4401ad5a04376745c279 **Description** The issue allows low-privileged users to attack high-privileged users, such as developers, through a Cross Site Scripting (XSS) vulnerability. This vulnerability is located in the "/users/create" API endpoint. **Recommendations** For versions prior to the one containing commit b652cfdc14d0670c81ac4401ad5a04376745c279, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the "/users/create" endpoint until a patch is available.