Cyber-Dude1

**Name of the Vulnerable Software and Affected Versions** Iris versions prior to 2.4.6 **Description** Iris is a web collaborative platform that helps incident responders share technical details during investigations. Due to an improper setup of the Jinja2 environment, reports generation in `iris-web` is prone to a Server Side Template Injection (SSTI). Successful exploitation can lead to an arbitrary Remote Code Execution. An authenticated administrator must upload a crafted report template containing the payload. Upon generation of a report based on the weaponized report, any user can trigger the issue. **Recommendations** Update to IRIS v2.4.6 as soon as possible. Until patching, review the report templates and keep the administrative privileges that include the upload of report templates limited to dedicated users.

Name of the Vulnerable Software and Affected Versions: IrisEVTXModule versions prior to 1.0.0 Description: The issue is related to the incorrect restriction of the directory path name with limited access in the IrisEVTXModule, which handles Microsoft EVTX log files. This can lead to remote code execution (RCE) when combined with a Server Side Template Injection (SSTI) due to the unsafe handling of filenames during EVTX file upload. Recommendations: For versions prior to 1.0.0, update to version 1.0.0 to resolve the issue. As a temporary workaround, consider restricting access to the `iris-evtx-module` pipeline plugin to minimize the risk of exploitation. Avoid using the vulnerable `iris-evtx-module` until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: Node.js mixme versions prior to 0.5.1 Description: The issue allows an attacker to add or alter properties of an object via ` proto ` through the `mutate()` and `merge()` functions. The polluted attribute will be directly assigned to every object in the program, putting the availability of the program at risk and causing a potential denial of service (DoS). Recommendations: For versions prior to 0.5.1, update to version 0.5.1 or later to resolve the issue. As a temporary workaround, consider disabling the `mutate()` and `merge()` functions until a patch is available.