Haby0

**Name of the Vulnerable Software and Affected Versions** Vmware photon (affected versions not specified) **Description** The issue allows remote attackers to inject logs through `r` in the `package` parameter, enabling them to insert malicious data and fake entries. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** gradio versions prior to 2.8.11 **Description** The gradio library has a flagging functionality that saves input/output data into a CSV file on the developer's computer. This can allow a user to save arbitrary text into the CSV file, such as commands. If a program like MS Excel opens such a file, then it automatically runs these commands, which could lead to arbitrary commands running on the user's computer. **Recommendations** For versions prior to 2.8.11, avoid opening CSV files generated by gradio with Excel or similar spreadsheet programs. Update to version 2.8.11 or later, which escapes the saved CSV with single quotes, to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** NVIDIA NeMo versions prior to 1.6.0 **Description** The issue concerns a Relative Path Traversal vulnerability in the ASR WebApp of NVIDIA NeMo. This vulnerability may lead to the deletion of any directory when admin privileges are available, through the use of the "../" structure. The vulnerability affects cases where the ASR Webapp is used with superuser permissions, and it impacts users who clone the repository and execute the web app. **Recommendations** For versions prior to 1.6.0, apply the changes from the commit https://github.com/NVIDIA/NeMo/commit/f7e4ed7e4f7f2fa43765a38c2fafa1b6d1ebd7c0 to patch the vulnerability. As a temporary workaround, consider restricting the use of the ASR Webapp or running it without superuser permissions to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Gradio versions prior to 2.5.0 Description: The issue affects users who create and publicly share Gradio interfaces. File paths are not restricted, allowing users who receive a Gradio link to access any files on the host computer if they know the file names or file paths, limited only by the host operating system. The files are opened in read-only mode. There is no evidence that this issue was ever exploited. Recommendations: For Gradio versions prior to 2.5.0, update to version 2.5.0 or later to resolve the issue. As a temporary workaround, consider avoiding the sharing of Gradio interfaces until the update is applied. Restrict access to sensitive files on the host computer to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Apache JSPWiki versions up to 2.11.0.M8 **Description** The issue is related to inadequate access control in Apache JSPWiki, allowing remote attackers to delete arbitrary files on a system hosting a JSPWiki instance by using a carefully crafted HTTP request on logout. This is possible if the files are reachable to the user running the JSPWiki instance. **Recommendations** For Apache JSPWiki versions up to 2.11.0.M8, upgrade to 2.11.0 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive files and directories to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Aim versions prior to 3.1.0 Description: Aim is an open-source, self-hosted machine learning experiment tracking tool. The issue allows for a path traversal attack, which can be exploited by manipulating variables that reference files with "dot-dot-slash (../)" sequences and its variations or by using absolute file paths. This may allow access to arbitrary files and directories stored on the file system, including application source code or configuration and critical system files. Recommendations: For Aim versions prior to 3.1.0, update to version 3.1.0 to resolve the issue. As a temporary workaround, consider restricting access to sensitive files and directories to minimize the risk of exploitation. Avoid using absolute file paths or variables that reference files with "dot-dot-slash (../)" sequences and its variations in the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Jenkins OWASP Dependency-Check Plugin versions 5.1.1 and earlier **Description** The issue is related to the XML parser not being configured to prevent XML external entity (XXE) attacks. This allows attackers who can control workspace contents to have Jenkins parse a crafted XML file, potentially leading to the extraction of secrets from the Jenkins controller or server-side request forgery. **Recommendations** For versions 5.1.1 and earlier, update to a version that configures its XML parser to prevent XXE attacks. As a temporary workaround, consider restricting access to the XML parser or disabling it until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Mycodo versions prior to 8.12.7 **Description** Mycodo is an environmental monitoring and regulation system. An exploit allows anyone with access to endpoints to download files outside the intended directory. A patch has been applied and a release made. **Recommendations** For versions prior to 8.12.7, upgrade to version 8.12.7. As a temporary workaround, users may manually apply the changes from the fix commit.