Dem0

**Name of the Vulnerable Software and Affected Versions** GPTCache versions prior to 0.1.45 **Description** The Cache Key Handler component contains an issue where the `BufferedReader.peek()` function in the `gptcache/processor/pre.py` file uses a weak hash. This occurs when the `input data["image"]` variable is manipulated. Exploitation requires local access and is characterized by high complexity and difficulty. **Recommendations** As a temporary workaround, restrict the use of the `input data["image"]` variable within the `BufferedReader.peek()` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Streamlit versions prior to 1.53.0 **Description** An issue exists in the Palette Handler component within the `lib/streamlit/runtime/caching/hashing.py` library. Manipulation of an unknown function in this library can lead to the use of a weak hash. This attack requires local access and is characterized by high complexity and difficult exploitability. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MLflow versions prior to 3.10.1 **Description** A flaw in the Dataset Digest Computation component allows for the use of a weak hash. This issue specifically affects the `mlflow.data.digest utils()` function within the `mlflow/data/digest utils.py` file. An attack can be launched on the local host, although it is characterized by high complexity and difficult exploitability. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** modelscope ms-swift versions prior to 4.2.1 **Description** The PIL Image Cache Key Handler component contains an issue where the `Template. save pil image()` function in the `swift/template/base.py` file uses a weak hash. Exploitation requires local access and is characterized by high complexity and difficult exploitability. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PaddlePaddle FastDeploy versions prior to 2.4.2 **Description** A weakness exists in the MultimodalHasher component within the file fastdeploy/multimodal/hasher.py. Specifically, the `hash features()` function can be manipulated to use a weak hash. Exploiting this issue requires local access and is characterized by high complexity, making exploitation difficult. **Recommendations** Apply patch 374945747652a8d32965591c0c01a00c88b7067f to resolve the issue. As a temporary workaround, restrict access to the `hash features()` function in the MultimodalHasher component to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** dask versions prior to 3.1 **Description** A flaw in the HLL Handler component allows for remote resource consumption. The issue is located within the `nunique approx()` function in the `dask/dataframe/hyperloglog.py` file. Exploitation is considered difficult and requires a high degree of complexity. **Recommendations** As a temporary workaround, consider restricting the use of the `nunique approx()` function until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** mlrun versions prior to 1.12.0-rc3 **Description** The DataFrame Hash Handler component contains an issue in the `calculate dataframe hash()` function within the `mlrun/utils/helpers.py` file. This allows for the use of a weak hash, which can be manipulated. Exploitation requires a local environment and is characterized by high complexity and difficult exploitability. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** gradio-app gradio version 6.14.0 **Description** A security flaw exists in the Audio Cache Key Handler component. Specifically, the `save audio to cache()` function uses a weak hash, which can be manipulated. This issue requires a local position for exploitation and is characterized by high complexity and difficult exploitability. **Recommendations** Deploy patch 13394 for version 6.14.0. As a temporary workaround, consider restricting the use of the `save audio to cache()` function until the patch is applied.

**Name of the Vulnerable Software and Affected Versions** SGLang versions prior to 0.5.12 **Description** A flaw exists in the `data hash()` function of the Cache Handler component. This issue allows for a denial of service through manipulation, although the attack is restricted to local execution and requires a high degree of complexity, making exploitation difficult. **Recommendations** As a temporary workaround, consider restricting the use of the `data hash()` function within the Cache Handler component until a patch is available.

**Name of the Vulnerable Software and Affected Versions** DjangoBlog versions prior to 2.1.0.0 **Description** The Setting Handler component contains hard-coded credentials within the `djangoblog/settings.py` file. Manipulation of the `USER` and `PASSWORD` arguments allows for the exploitation of these credentials. This issue can be triggered remotely, although it requires a high level of complexity and is difficult to exploit. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

A flaw has been found in liangliangyy DjangoBlog up to 2.1.0.0. The affected element is the function form valid of the file oauth/views.py. This manipulation of the argument oauthid causes improper authorization. The attack may be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability was found in liangliangyy DjangoBlog up to 2.1.0.0. This affects an unknown function of the file djangoblog/settings.py of the component File Upload Endpoint. Performing a manipulation of the argument SECRET KEY results in use of hard-coded cryptographic key . Remote exploitation of the attack is possible. The attack's complexity is rated as high. The exploitability is reported as difficult. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

**Name of the Vulnerable Software and Affected Versions** liangliangyy DjangoBlog versions prior to 2.1.0.0 **Description** The WeChat Bot Interface contains a flaw in the `CommandHandler()` function within the 'servermanager/api/commonapi.py' file. A remote attacker can perform command injection by manipulating the `Source` argument. **Recommendations** As a temporary workaround, restrict access to the `CommandHandler()` function in the 'servermanager/api/commonapi.py' file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** liangliangyy DjangoBlog versions prior to 2.1.0.0 **Description** An issue exists in the Amap API Call Handler component within the file 'owntracks/views.py'. Manipulation of the `key` argument leads to the use of a hard-coded cryptographic key. This flaw allows for remote attacks. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

A weakness has been identified in liangliangyy DjangoBlog up to 2.1.0.0. This impacts an unknown function of the file blog/views.py of the component Clean Endpoint. This manipulation causes missing authentication. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

**Name of the Vulnerable Software and Affected Versions** liangliangyy DjangoBlog versions prior to 2.1.0.0 **Description** A flaw in the Setting Handler component within the file 'djangoblog/settings.py' allows for the manipulation of the `SECRET KEY` argument, which results in hard-coded credentials. This issue can be exploited remotely, although it requires a high level of complexity and is difficult to execute. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** liangliangyy DjangoBlog versions prior to 2.1.0.0 **Description** An issue in the 'logtracks' endpoint within the owntracks/views.py file allows for missing authentication. This enables an attacker to gain unauthenticated remote access to the system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** phpwcms versions 1.9.45 through 1.10.8 **Description** A critical vulnerability was found in the Feedimport Module of phpwcms, affecting unknown code in the file include/inc module/mod feedimport/inc/processing.inc.php. The manipulation of the `cnt text` argument leads to deserialization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. **Recommendations** To address this issue, upgrade to version 1.9.46 or 1.10.9. As a temporary workaround, consider restricting access to the Feedimport Module until the issue is resolved. Avoid using the `cnt text` argument in the affected module until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** slackero phpwcms versions 1.9.45 and earlier, slackero phpwcms versions 1.10.8 and earlier **Description** A critical vulnerability has been found in the function `is file`/`getimagesize` of the file `image resized.php`. The manipulation of the argument `imgfile` leads to deserialization. It is possible to launch the attack remotely. **Recommendations** For slackero phpwcms versions 1.9.45 and earlier, upgrade to version 1.9.46. For slackero phpwcms versions 1.10.8 and earlier, upgrade to version 1.10.9.

**Name of the Vulnerable Software and Affected Versions** slackero phpwcms versions 1.9.45 and earlier, slackero phpwcms versions 1.10.8 and earlier **Description** A critical issue affects the function `file get contents`/`is file` of the file `include/inc lib/content/cnt21.readform.inc.php` in the Custom Source Tab component. The manipulation of the argument `cpage custom` leads to deserialization. This issue can be exploited remotely. **Recommendations** For slackero phpwcms versions 1.9.45 and earlier, upgrade to version 1.9.46. For slackero phpwcms versions 1.10.8 and earlier, upgrade to version 1.10.9.