Dhiral2908

**Name of the Vulnerable Software and Affected Versions** PraisonAI versions prior to 4.6.37 **Description** The ` safe extractall()` helper function, used in recipe pull, recipe publish, and recipe unpack flows, fails to validate `member.linkname` and does not reject symlink or hardlink members. Additionally, it calls `tar.extractall(dest dir)` without the `filter="data"` option. An attacker can use a bundle containing a symlink that points outside the destination directory, followed by a regular file that traverses this symlink, to write arbitrary content to a chosen location on the victim's filesystem. **Recommendations** Update to version 4.6.37.

**Name of the Vulnerable Software and Affected Versions** Tornado versions prior to 6.5.5 **Description** Prior to version 6.5.5, Tornado is susceptible to cookie attribute injection due to insufficient validation of the domain, path, and samesite arguments when setting cookies using `.RequestHandler.set cookie`. This could allow for crafted characters to be injected into these attributes. **Recommendations** Update to Tornado version 6.5.5 or later.

Name of the Vulnerable Software and Affected Versions AIOHTTP versions prior to 3.13.4 Description AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. An attacker controlling the `reason` parameter when creating a `Response` may inject extra headers or similar exploits. This could allow manipulation of the response to send unintended data if untrusted data is used in the `reason` parameter. Recommendations Update to version 3.13.4 or later.