Eric-Y

**Name of the Vulnerable Software and Affected Versions** TransformerOptimus SuperAGI versions prior to 0.0.15 **Description** An issue in the WebScraperTool component within the file superagi/helper/webpage extractor.py allows for server-side request forgery, which is a flaw where an attacker can induce the server to make requests to an unintended location. This can be triggered remotely through the functions `extract with bs4()`, `extract with 3k()`, or `extract with lxml()`. **Recommendations** As a temporary workaround, consider restricting the use of the functions `extract with bs4()`, `extract with 3k()`, and `extract with lxml()` until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TransformerOptimus SuperAGI versions prior to 0.0.15 **Description** A path traversal issue exists in the Multipart Upload Handler component. The `Upload()` function within the file 'superagi/controllers/resources.py' does not properly handle the `Name` argument, allowing a remote attacker to perform path traversal. **Recommendations** Update to a version later than 0.0.14. As a temporary workaround, restrict access to the `Upload()` function in the 'superagi/controllers/resources.py' file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** vibrantlabsai RAGAS versions prior to 0.4.4 **Description** A server-side request forgery exists in the Collections Module. A remote attacker can initiate this by manipulating the `retrieved contexts` argument within the ` try process local file()` and ` try process url()` functions located in the src/ragas/metrics/collections/multi modal faithfulness/util.py file. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting the use of the ` try process local file()` and ` try process url()` functions.

Name of the Vulnerable Software and Affected Versions FoundationAgents MetaGPT versions up to 0.8.1 Description A flaw exists in the `check solution` function within the HumanEvalBenchmark/MBPPBenchmark component of FoundationAgents MetaGPT. Manipulation of this function can lead to code injection, potentially allowing remote attackers to compromise the system. The exploit is publicly available. Recommendations Update to a version beyond 0.8.1.

Name of the Vulnerable Software and Affected Versions Tencent AI-Infra-Guard version 4.0 Description A vulnerability exists in Tencent AI-Infra-Guard version 4.0, specifically within the Task Detail Endpoint component. The issue resides in an unknown function of the `task manager.go` file located in the `common/websocket/` directory. A manipulation of this component can lead to information disclosure. The attack can be initiated remotely. The exploit has been made public. Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** frdel/agent0ai agent-zero version 0.9.7 **Description** A server-side request forgery condition exists in the `handle pdf document` function within the `python/helpers/document query.py` file. This manipulation can be carried out remotely. The exploit has been made publicly available. The vendor was contacted regarding this issue but did not respond. The API endpoint is not specified. The vulnerable parameter is not specified. **Recommendations** Versions prior to 0.9.7 are affected. As a temporary workaround, consider disabling the `handle pdf document()` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** frdel/agent0ai agent-zero version 0.9.7-10 **Description** A security flaw exists in the `get abs path` function within the `python/helpers/files.py` file of agent-zero. This flaw allows for path traversal, potentially enabling remote attacks. The exploit for this issue has been publicly released. The vendor was notified but did not respond. **Recommendations** Versions prior to 0.9.7-10 are potentially affected. As a temporary workaround, consider restricting access to the `get abs path` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** vanna-ai vanna versions up to 2.0.2 **Description** A flaw exists in the `remove training data` function within the `src/vanna/legacy/google/bigquery vector.py` file. Manipulation of the `ID` argument can lead to SQL injection. This issue can be exploited remotely. The exploit has been published. The vendor was contacted regarding this disclosure but did not respond. **Recommendations** Versions prior to 2.0.3 should be updated. As a temporary workaround, consider restricting access to the `remove training data` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** vanna-ai vanna versions up to 2.0.2 **Description** A flaw exists in the `update sql/run sql` function within the `src/vanna/legacy/flask/ init .py` file of the Endpoint component. This issue allows for server-side request forgery when a manipulation is performed. The attack can be initiated remotely. The exploit is publicly available. The vendor was notified but did not respond. **Recommendations** Versions prior to 2.0.2 are affected. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** vanna-ai vanna versions up to 2.0.2 **Description** A flaw exists in the `update sql` function within the `src/vanna/legacy/flask/ init .py` file of the Endpoint component. This issue allows for SQL injection, and can be exploited remotely. The exploit has been publicly disclosed. The vendor was informed of this disclosure but did not respond. **Recommendations** Versions prior to 2.0.2 should be updated. As a temporary workaround, consider restricting access to the `update sql()` function until a patch is available.