Garbomuffin

Name of the Vulnerable Software and Affected Versions: Altair GraphQL Client versions prior to 8.0.5 Description: The issue arises from the Altair GraphQL Client's desktop app not validating HTTPS certificates, allowing a man-in-the-middle to intercept all requests. This can compromise GraphQL request and response headers and bodies, including authorization tokens, for users on untrusted networks. The attack can also grant full access to signed-in Altair GraphQL Cloud accounts and enable the replacement of payment checkout pages with malicious websites. Recommendations: For versions prior to 8.0.5, update to version 8.0.5 to fix the issue. As a temporary workaround, consider avoiding the use of the desktop app on untrusted networks until the update is applied. Restrict access to sensitive information and avoid using the desktop app for transactions that require high security until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** TurboWarp Desktop versions prior to 1.8.0 **Description** TurboWarp is a desktop application that compiles scratch projects to JavaScript. The issue allows a malicious project or custom extension to read arbitrary files from disk and upload them to a remote server. The only required user interaction is opening the sb3 file or loading the extension. The web version of TurboWarp is not affected. This bug has been addressed in commit `55e07e99b59` after an initial fix which was reverted. **Recommendations** To resolve the issue, users are advised to upgrade to version 1.8.0 or later. Users unable to upgrade should avoid opening sb3 files or loading extensions from untrusted sources.

**Name of the Vulnerable Software and Affected Versions** ScratchTools versions prior to 2.5.2 **Description** The issue affects users of the Recently Viewed Projects feature, making them vulnerable to account takeover if they view a project that attempts to exploit this issue. The problem arises when a project with Javascript in its title is visited, and the Recently Viewed Projects feature displays it, potentially running the Javascript. **Recommendations** For versions prior to 2.5.2, update to version 2.5.2 to resolve the issue. As a temporary workaround, consider avoiding the use of the Recently Viewed Projects feature until the update is applied.