Denandz

Name of the Vulnerable Software and Affected Versions HDF5 versions 1.14.1-2 and earlier Description HDF5 is software for managing data. A heap-use-after-free issue was identified in the h5dump helper utility. An attacker can trigger this by providing a malicious h5 file. The issue occurs because a freed object is referenced in a memmove call from `H5T conv struct`. The object was allocated by `H5D typeinfo init phase3` and freed by `H5D typeinfo term`. Recommendations Update to a version later than 1.14.1-2

**Name of the Vulnerable Software and Affected Versions** HDF5 versions prior to 1.14.4-2 **Description** HDF5 is software used for managing data. An attacker controlling an `h5` file parsed by HDF5 can trigger a write-based heap buffer overflow. This can lead to a denial-of-service condition, and potentially remote code execution depending on exploitability against modern operating systems. The real-world exploitability of remote code execution is currently unknown. **Recommendations** Update to version 1.14.4-2 or later.

**Name of the Vulnerable Software and Affected Versions** CodiMD versions prior to 2.5.4 **Description** CodiMD is missing authentication and access control, allowing an unauthenticated attacker to gain unauthorized access to image data uploaded to CodiMD. The issue arises because CodiMD does not require valid authentication to access uploaded images or to upload new image data. An attacker who can determine an uploaded image's URL can gain unauthorized access to uploaded image data. The insecure random filename generation in the underlying Formidable library increases the likelihood of this issue being exploited, as it allows an attacker to determine the filenames for previously uploaded images. **Recommendations** For versions prior to 2.5.4, update to version 2.5.4 to resolve the issue. As a temporary workaround, consider restricting access to the image upload feature to minimize the risk of exploitation. Avoid using the vulnerable image upload functionality until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Wiki.js versions prior to 2.4.107 **Description** The issue is caused by an insecure validation mechanism that fails to properly insert v-pre tags into rendered HTML elements containing curly-braces, leading to a stored cross-site scripting vulnerability through template injection. This allows a malicious user to create a crafted wiki page, staging a stored cross-site scripting attack that executes malicious JavaScript when the page is viewed by other users. **Recommendations** For versions prior to 2.4.107, update to version 2.4.107 to resolve the issue.